Difference between revisions of "EGI CSIRT:Alerts/Shellshock-2014-09-26"


Latest revision as of 10:14, 26 September 2014

** WHITE information - unlimited distribution                               **
** see for distribution restrictions **

Title:       EGI CSIRT 'CRITICAL' Risk - 'shellshock' vulnerability - arbitrary code execution via crafted environment variables

Date:        2014-09-26

This advisory will be placed on the public wiki.



A vulnerability that allows a malicious user to run arbitrary code with
the privileges of the victim who runs Bash scripts was found in the Bourne
Again Shell (bash).

This has been called the 'shellshock' vulnerability and has been
widely publicised.


A specially constructed environment variable that contains a function
definition followed by trailing executable statements will make bash execute
that trailing code at the point of shell initialization, before the script
itself runs.

Various exploits are already publicly available. 

Risk Category

This issue has been assessed as 'Critical' risk by the EGI CSIRT
and EGI SVG Risk Assessment Team.

Affected Software

Components: All scripts that employ bash as the scripting language

 - bash 3.0 up to (but not including) 3.0 patchlevel 017
 - bash 3.1 up to (but not including) 3.1 patchlevel 018
 - bash 3.2 up to (but not including) 3.2 patchlevel 052
 - bash 4.0 up to (but not including) 4.0 patchlevel 039
 - bash 4.1 up to (but not including) 4.1 patchlevel 012
 - bash 4.2 up to (but not including) 4.2 patchlevel 048
 - bash 4.3 up to (but not including) 4.3 patchlevel 025

Component installation information

Currently software updates are available from most OS vendors.

 - general announcement:
 - CentOS 5.x:
 - CentOS 6.x:
 - CentOS 7.x:
Versions in which this issue was fixed:
 - CentOS 5.x: bash-3.2-33.el5.1
 - CentOS 6.x: bash-4.1.2-15.el6_5.1
 - CentOS 7.x: bash-4.2.45-5.el7_0.2

 - general announcement:
 - RHEL 5/6/7:
 - RHEL 5/6, Shift_JIS packages:
 - RHEL extended support:
Versions in which this issue was fixed:
 - Red Hat Enterprise Linux 7 - bash-4.2.45-5.el7_0.2
 - Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.1
 - Red Hat Enterprise Linux 5 - bash-3.2-33.el5.1
 - Red Hat Enterprise Linux 4 Extended Lifecycle Support - bash-3.0-27.el4.2
 - Red Hat Enterprise Linux 5.6 Long Life - bash-3.2-24.el5_6.1
 - Red Hat Enterprise Linux 5.9 Extended Update Support - bash-3.2-32.el5_9.2
 - Red Hat Enterprise Linux 6.2 Advanced Update Support - bash-4.1.2-9.el6_2.1
 - Red Hat Enterprise Linux 6.4 Extended Update Support - bash-4.1.2-15.el6_4.1
 - SJIS for Red Hat Enterprise Linux 6 - bash-4.1.2-15.el6_5.1.sjis.1
 - SJIS for Red Hat Enterprise Linux 5 - bash-3.2-33.el5_11.1.sjis.1


Check that no externally-supplied environment variables can leak
into the environment of bash scripts.


You can check if your bash version is vulnerable by running the following

  env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Vulnerable versions will produce two lines of output,

vulnerable
this is a test

while patched versions will give a diagnostic message instead of the first line:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
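The check above wrapped as a small POSIX shell script, added here as an example and not part of the advisory; the function names classify_shellshock_output and check_bash_binary are this example's own. It also handles a case the sample output above does not show: bash releases newer than the 2014 patches import exported functions only from specially named variables (BASH_FUNC_name%%), so for a plain variable named x they print no diagnostic at all, and the verdict must rest solely on whether the injected "vulnerable" line appeared.

```shell
#!/bin/sh
# Added example (not part of the EGI CSIRT advisory): wraps the advisory's
# test command so a site can check one or more bash binaries and get a
# one-word verdict instead of eyeballing the output.

# classify_shellshock_output OUTPUT
# Prints "vulnerable" if the injected 'echo vulnerable' statement ran, and
# "patched" otherwise. Only a line consisting of the word "vulnerable" is
# decisive: patched bash from 2014 prints the two warning lines shown in the
# advisory, but current bash releases import exported functions only from
# BASH_FUNC_name%% variables and print no diagnostic for a plain variable x.
classify_shellshock_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    else
        echo patched
    fi
}

# check_bash_binary [PATH_TO_BASH]
# Runs the advisory's test command with the given bash (default: the first
# "bash" on PATH) and prints "vulnerable", "patched" or "not found".
check_bash_binary() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "not found"
        return 1
    fi
    # stderr is merged so the warning lines of a patched bash are captured too
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1)
    classify_shellshock_output "$out"
}

# When run as a script, check every bash path given on the command line
# (for example /bin/bash and a locally built /usr/local/bin/bash).
for b in "$@"; do
    printf '%s: %s\n' "$b" "$(check_bash_binary "$b")"
done
```

Run it as `sh shellshock-check.sh /bin/bash /usr/local/bin/bash` to cover every bash binary on a host, not only the one first on PATH; locally built or statically linked copies are not updated by the vendor packages listed above.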

Sites that have not already done so should update as soon as possible.

All running resources MUST be either patched or otherwise have a
work-around in place by 2014-10-03T21:00+01:00. Sites failing to act and/or 
failing to respond to requests from the EGI CSIRT team risk site suspension. 

Other information

As a basic security best practice, it is strongly recommended not to
let external parties control the environment variables of your processes.

This includes passing the caller's environment to set-uid scripts, programs
that turn parts of user-provided data sent to HTTP/CGI pages into environment
variables for the processing script, programs that pass data to external
scripts via environment variables, etc.
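One way to apply that recommendation when a program has to hand work to an external script, added here as an example and not part of the advisory: start the script through `env -i` with a fixed PATH plus an explicit whitelist of variables, and refuse to forward any whitelisted value that has the "() {" shape described above. ALLOWED_ENV, env_value_is_function_def and run_with_clean_env are names chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the EGI CSIRT advisory): run an external script
# with an explicitly whitelisted environment instead of whatever the caller
# inherited. ALLOWED_ENV, env_value_is_function_def and run_with_clean_env
# are names chosen for this example.

# Names of variables that may be forwarded; everything else is dropped.
# Set by the administrator, never from user input (the names are eval'd below).
ALLOWED_ENV="${ALLOWED_ENV:-HOME LANG}"

# env_value_is_function_def VALUE
# Returns 0 when VALUE starts with "() {", the shape of an exported bash
# function that the advisory describes as the attack vector.
env_value_is_function_def() {
    case "$1" in
        "() {"*) return 0 ;;
        *) return 1 ;;
    esac
}

# run_with_clean_env COMMAND [ARGS...]
# Executes COMMAND through 'env -i' with a fixed PATH plus the whitelisted
# variables, refusing (status 2) any whitelisted value that looks like a
# function definition.
run_with_clean_env() {
    n=$#
    for name in $ALLOWED_ENV; do
        eval "value=\${$name-}"       # current value of the named variable, or empty
        [ -n "$value" ] || continue
        if env_value_is_function_def "$value"; then
            printf 'refusing to forward %s: value looks like a function definition\n' "$name" >&2
            return 2
        fi
        set -- "$@" "$name=$value"    # append NAME=value after the command words
    done
    # Rotate the positional parameters so the assignments precede the command:
    # CMD ARGS A1 A2 -> A1 A2 CMD ARGS
    i=0
    while [ "$i" -lt "$n" ]; do
        set -- "$@" "$1"
        shift
        i=$((i + 1))
    done
    env -i PATH=/usr/bin:/bin "$@"
}
```

A CGI wrapper or a set-uid helper would call `run_with_clean_env /opt/site/process.sh "$input_file"` instead of invoking the script directly; any variable an upstream web server or caller placed in the environment is discarded unless it is named in ALLOWED_ENV, and even a whitelisted variable is rejected if its value carries a function definition.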

This advisory will be updated as more information becomes available.


The vulnerability was discovered by Stephane Chazelas (and named by
Andreas Lindh).





2014-09-25 EGI SVG and CSIRT alerted to the problem by Leif Nixon.
2014-09-25 'Heads up' sent to EGI site and NGI security contacts.
2014-09-25 Advisory drafted by Eygene Ryabinkin.
2014-09-26 Assessed as 'Critical'.
2014-09-26 Advisory issued.