The ShellShock vulnerability (CVE-2014-6271) is a critical security flaw in Bash that allows remote code execution via environment variables. Attackers can exploit it through web servers, SSH, DHCP clients, and other services that invoke Bash.
Run these commands in your terminal to check if your Bash is vulnerable:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the output shows "vulnerable", your system is at risk. A patched system will only display "this is a test" (a Bash carrying the first fix may also print a warning that it ignored the function definition attempt; that warning is expected and harmless).
For thorough verification, test with these additional vectors:
env X='() { (a)=>\' bash -c "echo date"; cat echo
env -i X='() { (a)=>\' bash -c "echo date"; cat echo
These test for related vulnerabilities in the follow-up fixes (principally CVE-2014-7169, the bug left by the incomplete first patch; CVE-2014-7186 and the other follow-ups have their own checks). On an unpatched Bash the stray redirection writes the output of date into a file named echo in the current directory, which cat then displays, so run the check from a scratch directory and delete that file between runs (rm -f echo) so a stale copy cannot mask a clean result.
Update Bash immediately using your package manager:
# For Debian/Ubuntu:
sudo apt-get update && sudo apt-get install --only-upgrade bash
# For RHEL/CentOS:
sudo yum update bash
# For macOS (using Homebrew):
brew update && brew upgrade bash
After updating, retest with the previous commands. Additionally, check your Bash version:
bash --version
Look for versions patched after September 2014 (typically Bash 4.3 or later with security patches). The version number alone is not conclusive, because distributions backported the fixes to older branches (for example 4.3.30, 4.2.53 and 3.2.57 carry the complete set), so treat the behavioural tests above as the authoritative check.
For large deployments, use tools like:
nmap -p 80,443 --script=http-shellshock --script-args uri=/cgi-bin/bin <target-host>
(<target-host> is a placeholder for a host you are authorised to scan; the uri argument names the CGI path to probe.)
Or the Metasploit module:
use exploit/multi/http/apache_mod_cgi_bash_env_exec
If immediate patching isn't possible:
- Restrict CGI scripts that use Bash
- Use chroot environments
- Implement strict firewall rules
- Consider replacing Bash with alternatives like Dash for scripts
Beyond patching, implement these security measures:
# Disable Bash as default shell for system accounts
chsh -s /bin/false www-data
# Use SELinux/AppArmor to restrict Bash execution
# Example AppArmor rule:
/usr/bin/bash {
  /bin/dash ix,
  deny /var/www/** px,
}
Set up alerts for suspicious activity:
# Sample logwatch configuration for ShellShock attempts
LogFile = /var/log/apache2/error.log
*Matches = "() {"
*MailTo = admin@example.com
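The alerting rule above keys on the string "() {" because that is the exact four-character prefix Bash looks for before it imports a function from an environment variable, so any HTTP header a CGI script exports (User-Agent, Referer, Cookie, and so on) that begins that way is worth an alert. The script below is an added example, not part of the original page: it runs that same check over a constructed Apache combined-format log sample (invented addresses and timestamps, not real traffic) and reports the hit count and the distinct source addresses. The function names, the sample lines and the temp-file handling are all assumptions of this example.

```shell
#!/bin/sh
# Added example: scan an Apache access log for the ShellShock probe signature.
# Bash only imports a function from an env var whose value starts with the
# exact four characters "() {", so that fixed string is what to alert on.

SHELLSHOCK_SIG='() {'

# Print every log line carrying the signature; exit 0 if any matched.
shellshock_log_matches() {
  grep -F -- "$SHELLSHOCK_SIG" "$1"
}

# Print the number of matching lines (0 when none, or when the file is unreadable).
shellshock_log_hits() {
  n=$(grep -c -F -- "$SHELLSHOCK_SIG" "$1") || n=${n:-0}
  echo "${n:-0}"
}

# Print the distinct client IPs (first field of a combined-format line) that sent it.
shellshock_log_sources() {
  grep -F -- "$SHELLSHOCK_SIG" "$1" | awk '{print $1}' | sort -u
}

# Constructed sample log (not real traffic). Lines 1 and 3 carry the signature
# in the User-Agent and Referer fields respectively; lines 2 and 4 are clean.
SAMPLE_LOG=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo probe" "curl/7.37.0"
192.0.2.9 - - [25/Sep/2014:10:02:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux) Gecko"
EOF

# Usage: on a real host point the functions at /var/log/apache2/access.log
# (for example from a cron job that mails non-zero hit counts).
echo "hits: $(shellshock_log_hits "$SAMPLE_LOG")"
echo "sources:"
shellshock_log_sources "$SAMPLE_LOG"
```

Matching on the fixed string rather than a regex keeps the rule cheap enough to run against the full log on every rotation, and grouping by source address is what turns a pile of hits into something an on-call engineer can act on (block the address, check whether the probed CGI path actually invokes Bash).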
The ShellShock vulnerability (CVE-2014-6271) allows attackers to execute arbitrary commands through environment variables in Bash. This affects:
- Web servers using CGI scripts
- DHCP clients
- SSH configurations with ForceCommand
- Any system processing untrusted environment variables
Run this command to test your Bash version:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the output shows "vulnerable", your system is at risk. A patched system should only display "this is a test".
For thorough verification:
# Test multiple vectors (run from a scratch directory: the CVE-2014-7169 check writes a file named echo)
echo "Testing CVE-2014-6271:"
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
echo "Testing CVE-2014-7169:"
rm -f echo; env X='() { (a)=>\' bash -c "echo date"; cat echo; rm -f echo
echo "Testing CVE-2014-7186:"
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "vulnerable (redir_stack)"
Update Bash using your package manager:
# Debian/Ubuntu
sudo apt-get update && sudo apt-get install --only-upgrade bash
# RHEL/CentOS
sudo yum update bash
# MacOS (using Homebrew)
brew update && brew upgrade bash
After updating, check the Bash version:
bash --version
# Should show version 4.3 or later with patches
Retest using the vulnerability checks above to confirm protection.
Additional security measures:
# Restrict Bash usage in CGI (caution: this removes execute permission for every user, not only the
# CGI account, and breaks any script with a #!/bin/bash shebang and any login whose shell is Bash;
# prefer the per-account and SELinux/AppArmor controls unless nothing on the host needs Bash)
sudo chmod -x /bin/bash
# Implement SELinux policies (httpd_execmem is a general web-server hardening boolean; it does not
# by itself block ShellShock)
sudo setsebool -P httpd_execmem off
# Use alternatives where possible (on Debian/Ubuntu /bin/sh is already dash and is managed with
# "sudo dpkg-reconfigure dash" rather than update-alternatives)
sudo update-alternatives --install /bin/sh sh /bin/dash 100
sudo update-alternatives --set sh /bin/dash
For large deployments, consider these scanning options:
- Nessus vulnerability scanner
- OpenVAS
- Custom script checking multiple CVEs:
#!/bin/bash
# Exit status 1 if any check trips, 0 if all are clean.
vuln=0
# CVE-2014-6271: the command after the function body must not be executed
[[ $(env x='() { :;}; echo vulnerable' bash -c "echo test" 2>&1) == *vulnerable* ]] && vuln=1
# CVE-2014-7186 (redir_stack): an unpatched bash crashes on 14 stacked here-documents
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1 || vuln=1
exit $vuln
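The test vectors listed earlier on this page and the custom multi-CVE script above all share one weakness: they print to the terminal and, in the CVE-2014-7169 case, leave a file named echo wherever they were run. The script below is an added example, not the page's own script, that goes a little further: one function per public test vector, the 7169 check isolated in a temporary directory so it cannot be fooled by a stale file, a distinct exit code when Bash is not installed at all, and a summary function with an exit status that a configuration-management or monitoring job can consume. Function names, the 0/1/2 return convention and the temp-directory handling are assumptions of this example; the three test commands themselves are the public ones already shown on this page.

```shell
#!/bin/sh
# Added example: ShellShock checker with one function per CVE (not the page's script).
# Return codes: 0 = patched, 1 = vulnerable, 2 = could not test (no bash on PATH).

# CVE-2014-6271: a command placed after the function body in an env var must not run.
shellshock_env_test() {
  command -v bash >/dev/null 2>&1 || return 2
  out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null)
  case "$out" in
    *vulnerable*) return 1 ;;
    *)            return 0 ;;
  esac
}

# CVE-2014-7169: the incomplete first fix leaks a '>' redirection, so an unpatched
# bash writes a file named 'echo' into the current directory. Run it in a fresh
# temp dir so an old file cannot produce a false positive.
shellshock_redir_test() {
  command -v bash >/dev/null 2>&1 || return 2
  dir=$(mktemp -d) || return 2
  ( cd "$dir" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 )
  if [ -e "$dir/echo" ]; then
    rm -rf "$dir"; return 1
  fi
  rm -rf "$dir"; return 0
}

# CVE-2014-7186 (redir_stack): 14 stacked here-documents crash an unpatched bash.
# A patched bash only warns about the empty here-docs on stderr and exits 0.
shellshock_heredoc_test() {
  command -v bash >/dev/null 2>&1 || return 2
  if bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Run every test, print one line each, and return 1 if any of them found the bug.
shellshock_report() {
  overall=0
  for name in env redir heredoc; do
    rc=0
    "shellshock_${name}_test" || rc=$?
    case $rc in
      0) echo "$name: patched" ;;
      1) echo "$name: VULNERABLE"; overall=1 ;;
      *) echo "$name: skipped (bash not found)" ;;
    esac
  done
  return $overall
}

# Usage: sh shellshock_check.sh && echo "all clear"
shellshock_report
```

Keeping each vector in its own function means a fleet-wide job can record which specific fix a host is missing (a host that passes the env test but fails the heredoc test has the first patch and not the follow-ups), which is more useful than a single vulnerable/not-vulnerable bit when deciding what to push.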