The Shellshock vulnerabilities (CVE-2014-6271 and CVE-2014-7169) expose RHEL 4 systems to remote code execution through crafted environment variables. CVE-2014-6271 is the original flaw: when Bash imports an exported function definition from the environment, it also executes any command that follows the function body. CVE-2014-7169 covers the parser bug left behind by the incomplete first fix. Any service that copies attacker-controlled input into the environment of a bash process, such as CGI scripts under httpd, is an attack path.
For systems without an active Red Hat subscription, the CentOS 4 rebuild of the bash package can serve as a temporary replacement. As of September 2014:
- CentOS 4 has released patched bash packages (version 3.0-27.0.4.el4)
- The CentOS bash RPM is rebuilt from the same source, so it matches RHEL 4's ABI and library dependencies
- The patched and unpatched packages share the 3.0-27 base version, so before installing confirm with rpm -qp --changelog that the downloaded RPM's changelog references CVE-2014-6271 and CVE-2014-7169
Here's the step-by-step process to replace the vulnerable bash binary:
# Download the CentOS 4 bash package
wget http://vault.centos.org/4.9/os/x86_64/CentOS/RPMS/bash-3.0-27.0.4.el4.x86_64.rpm
# Verify the package signature. The CentOS 4 signing key must be imported
# (rpm --import) first; without it, -K reports NOKEY instead of a verified signature
rpm -Kv bash-3.0-27.0.4.el4.x86_64.rpm
# Install as an upgrade over the RHEL package (config files are preserved).
# --replacepkgs is only needed when the installed version is already the same
rpm -Uvh --replacefiles --replacepkgs bash-3.0-27.0.4.el4.x86_64.rpm
# Verify the fix for CVE-2014-6271: a patched bash prints only the echo text,
# a vulnerable one prints "vulnerable" first
env x='() { :;}; echo vulnerable' bash -c "echo This system is tested"
Create a test script to validate the fix:
#!/bin/bash
# Test script for Shellshock (CVE-2014-6271 only). The exported variable carries a
# function definition followed by a trailing command; a vulnerable child bash
# executes that command while importing the function at startup.
export TEST='() { :;}; echo VULNERABLE'
if [[ $(bash -c "echo TEST COMPLETE" 2>&1) == *"VULNERABLE"* ]]; then
    echo "System still vulnerable"
else
    echo "Patch successfully applied"
fi
For environments requiring source compilation:
# Download the bash 3.0 source and the official patches. bash30-017 fixes
# CVE-2014-6271 and bash30-018 fixes CVE-2014-7169, but each GNU patch is
# written against the preceding patch level, so fetch and apply 001 through
# 018 in order rather than only the last two. Later bash30-0NN patches in the
# same directory address the follow-up Shellshock CVEs.
wget https://ftp.gnu.org/gnu/bash/bash-3.0.tar.gz
for n in $(seq -w 1 18); do
    wget https://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-0$n
done
# Apply patches in sequence and compile
tar xzf bash-3.0.tar.gz
cd bash-3.0
for p in ../bash30-0??; do
    patch -p0 < "$p"
done
# make install would put the result in /usr/local/bin and leave the vulnerable
# /bin/bash in place, so install the built binary explicitly after a backup
./configure && make
cp /bin/bash /bin/bash.orig
install -m 755 bash /bin/bash
- Restrict bash usage in CGI environments: disable CGI handling where it is not needed, since CGI request headers land directly in the script's environment
- Implement SELinux policies to contain potential exploits
- Monitor for unexpected child processes spawned by bash under httpd
The CentOS binary provides immediate protection, but it is a stopgap; consider these options:
- Migrate to a supported RHEL version
- Implement chroot environments for critical services
- Deploy network-level protections (WAF rules for HTTP-based attacks, e.g. rejecting requests whose headers carry the "() {" function prefix)
When Shellshock (CVE-2014-6271 and CVE-2014-7169) hit in September 2014, it exposed a critical remote code execution vulnerability in Bash through environment variable injection. For legacy systems like RHEL 4 that are past their support lifecycle, patching is particularly challenging.
Through testing on a CentOS 4.9 VM (kernel 2.6.9-103.EL), I confirmed the bash-3.0-27.EL4 package contains the fixes. Here's how to verify the patch:
# Check vulnerability status
env x='() { :;}; echo vulnerable' bash -c "echo test"
# Expected output after patching:
test
(no "vulnerable" output)
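The one-line probe above and the test script earlier on this page only exercise CVE-2014-6271. The following script is an added example, not part of the original post: it probes a named bash binary for both CVE-2014-6271 (trailing command after the function body) and CVE-2014-7169 (the parser bug that makes a vulnerable bash create a file named "echo" in the current directory), and returns 0 when clean, 1 when vulnerable and 2 when the binary cannot be found. It assumes a POSIX sh, env and mktemp are available; the binary path argument is the only input.

```sh
#!/bin/sh
# Added example (not from the original post): probe a given bash binary for
# CVE-2014-6271 and CVE-2014-7169. Usage: shellshock_check [/path/to/bash]
shellshock_check() {
    bin="${1:-bash}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "no such binary: $bin"
        return 2
    fi
    status=0

    # CVE-2014-6271: a vulnerable bash runs the command that follows the
    # exported function body, so "vulnerable" appears in the output.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo test' 2>&1)
    case "$out" in
        *vulnerable*) echo "CVE-2014-6271: VULNERABLE"; status=1 ;;
        *)            echo "CVE-2014-6271: not vulnerable" ;;
    esac

    # CVE-2014-7169: the value ends with '>\', leaving redirection state in the
    # parser. A vulnerable bash turns "echo date" into ">echo date", i.e. it runs
    # date(1) with output redirected into a file called "echo". Run it in a
    # scratch directory so the probe cannot clobber a real file.
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -f "$tmp/echo" ]; then
        echo "CVE-2014-7169: VULNERABLE"; status=1
    else
        echo "CVE-2014-7169: not vulnerable"
    fi
    rm -rf "$tmp"
    return $status
}

shellshock_check "$@"
```

Run it against the binary you are about to deploy (e.g. the bash extracted from the CentOS RPM) as well as against /bin/bash after the swap; the exit status makes it usable from a deployment script or a monitoring check.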
To safely replace RHEL 4's bash binary with CentOS 4's patched version:
- Download CentOS 4 bash RPM:
wget http://vault.centos.org/4.9/os/x86_64/CentOS/RPMS/bash-3.0-27.EL4.x86_64.rpm
- Extract and verify binary:
rpm2cpio bash-3.0-27.EL4.x86_64.rpm | cpio -idmv
sha1sum ./bin/bash   # record the hash of what you are about to deploy
- Deploy with backup:
ldd ./bin/bash   # Verify library dependencies before installing: every library must resolve, no "not found"
cp /bin/bash /bin/bash.orig
install -m 755 ./bin/bash /bin/bash
# Note: the RPM database still records the RHEL package, so rpm -V bash will
# now flag /bin/bash as modified; keep the sha1sum above for integrity checks
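The manual download, extract, backup and install steps above (and the RPM-based variant earlier on this page) leave the pre-checks and rollback to the operator. The script below is an added example, not part of the original post: it wraps the binary swap in one function that refuses a candidate whose shared libraries do not resolve or that does not run, keeps a .orig backup, re-probes the installed copy for CVE-2014-6271 and restores the backup if the probe fails. It assumes ldd and install(1) are present (both are on RHEL 4), that the candidate binary is already on disk (the CentOS RPM payload or a source build), and that the target defaults to /bin/bash; the function and variable names are mine.

```sh
#!/bin/sh
# Added example (not from the original post): replace a bash binary safely.
# Usage: replace_bash /path/to/candidate/bash [/bin/bash]

# The CVE-2014-6271 probe: prints only "test" on a patched bash.
probe_6271() {
    env x='() { :;}; echo vulnerable' "$1" -c 'echo test' 2>&1
}

replace_bash() {
    new="$1"
    target="${2:-/bin/bash}"
    [ -f "$new" ] || { echo "candidate $new not found" >&2; return 2; }

    # 1. The candidate must resolve every shared library on this host.
    if command -v ldd >/dev/null 2>&1 && ldd "$new" 2>/dev/null | grep -q 'not found'; then
        echo "candidate has unresolved libraries, aborting" >&2
        return 1
    fi
    # 2. The candidate must actually execute here.
    [ "$("$new" -c 'echo ok' 2>/dev/null)" = "ok" ] \
        || { echo "candidate does not execute" >&2; return 1; }
    # 3. The candidate must itself be patched.
    [ "$(probe_6271 "$new")" = "test" ] \
        || { echo "candidate is still vulnerable" >&2; return 1; }

    # 4. Back up, then install. install(1) unlinks and recreates the file, so a
    #    bash already running from the old inode keeps working until it exits.
    if [ -e "$target" ]; then
        cp -p "$target" "$target.orig" || return 1
    fi
    install -m 755 "$new" "$target" || return 1

    # 5. Re-probe the installed copy and roll back if it is not clean.
    if [ "$(probe_6271 "$target")" != "test" ]; then
        echo "installed copy still vulnerable, restoring backup" >&2
        [ -e "$target.orig" ] && cp -p "$target.orig" "$target"
        return 1
    fi
    echo "installed $new -> $target (backup at $target.orig)"
    return 0
}
```

Because the function only returns non-zero after restoring the backup, it can be run from a non-interactive rollout across several RHEL 4 hosts; a failure leaves the original /bin/bash in place rather than a half-swapped shell.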
During my tests across various RHEL 4 update levels (4.8 through 4.9), I observed:
- GLIBC_2.3.4 dependency was consistent across all versions
- No ABI incompatibilities in basic shell operations
- Minor differences in terminfo handling that didn't affect functionality
While the binary replacement works, consider these additional measures:
# Restrict bash usage in web-facing services.
# Caution: on RHEL 4 /bin/sh is a symlink to bash, so this also denies the
# shell to every unprivileged user (login shells, cron jobs, #!/bin/sh
# scripts); test on a non-production host before relying on it.
chmod o-x /bin/bash
# Example Apache mitigation: tag suspicious requests, deny them, and stop CGI
# execution. Matching only an empty User-Agent catches little; the attack
# payload starts with the "() {" function prefix, so match that as well. Other
# headers (Referer, Cookie) reach CGI environments too, so this is a partial filter.
SetEnvIf User-Agent ^$ bad_user
SetEnvIf User-Agent "^\(\)\s*\{" bad_user
SetEnvIf Remote_Addr ^123\.45 bad_ip
<Location /cgi-bin>
    Order allow,deny
    Allow from all
    Deny from env=bad_user
    Deny from env=bad_ip
    # Options -ExecCGI only affects directories enabled via Options ExecCGI;
    # a /cgi-bin mapped with ScriptAlias keeps running CGI regardless, so
    # remove the ScriptAlias or rely on the Deny rules above for it.
    Options -ExecCGI
</Location>
For systems requiring absolute compatibility, chroot environments with patched bash or interpreter restrictions may be preferable to full binary replacement.