
[Vulnerability notice] CVE-2014-6271: Linux Bash remote code execution vulnerability

Last Updated: Mar 19, 2018

On September 24, 2014, a high-risk remote command execution vulnerability was disclosed in Bash, the shell shipped with Linux. Its CVE identifier is CVE-2014-6271.

Bash is widely used by Linux users as the command-line shell, so the impact scope of this vulnerability is very large. Wherever an HTTP server enables CGI, or Bash is invoked in other contexts, remote command execution becomes possible. Mainstream Linux operating systems are affected, including Ubuntu, CentOS, Debian, SUSE, and Red Hat.

The vulnerability mainly affects services and programs that are built on Bash. When a website uses CGI to invoke Bash, an attacker can remotely execute system commands and obtain a reverse shell, and then carry out operations such as intranet infiltration, Trojan planting, and home page tampering, which makes the risk high.

Alibaba Cloud advises you to follow the vulnerability information and to investigate and fix the vulnerability as soon as possible.

See the following for more information about the vulnerability.


CVE identifier

CVE-2014-6271

Vulnerability name

Linux Bash remote command execution vulnerability

Vulnerability rating

High

Vulnerability description

The vulnerability is triggered by specially crafted environment variables that are set before the Bash shell is invoked. Bash parses such variables as function definitions when it starts, and they can carry code that Bash then executes.

Condition and method of exploitation

Remotely exploitable.

Affected scope

Linux operating systems running GNU Bash 4.3 or earlier

Vulnerability detection

Run the following command to check whether the vulnerability exists:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output contains “vulnerable”, the vulnerability exists; otherwise, it does not.

For example, if the vulnerability exists, the output before the fix is:

    vulnerable
    this is a test

After the vulnerability is fixed, the output is:

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x`
    this is a test

Note: This detection method has no effect on your business. However, if your own scripts define environment variables in the form shown above, they will report an error when they run after the vulnerability is fixed.
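The detection command above, wrapped as a small POSIX shell check that classifies the result and probes every Bash binary on the host (an added example, not part of the original notice; the binary paths and the "probe" marker string are assumptions):

```shell
#!/bin/sh
# Local Shellshock (CVE-2014-6271) check. Runs the notice's detection command
# against a given Bash binary and classifies the outcome instead of relying on
# a reader to eyeball the output.

# shellshock_check BASH_PATH
# Prints one of: vulnerable | patched | absent
# Exit status: 1 = vulnerable, 0 = patched, 2 = binary not found
shellshock_check() {
    bash_bin="$1"
    [ -x "$bash_bin" ] || { echo "absent"; return 2; }
    # A vulnerable Bash imports the function definition from x and then runs the
    # trailing 'echo vulnerable'. A fixed Bash refuses the import (4.3 patch
    # levels print a warning on stderr; later versions ignore the variable
    # silently), so only the -c command's output appears on stdout.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# shellshock_scan
# Checks the usual Bash locations, because a patched /bin/bash from the package
# manager can coexist with an unpatched copy built from source elsewhere.
# Exit status is 1 if any checked binary is vulnerable.
shellshock_scan() {
    rc=0
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -e "$b" ] || continue
        status=$(shellshock_check "$b") || rc=1
        printf '%s: %s (%s)\n' "$b" "$status" \
            "$("$b" --version 2>/dev/null | head -n 1)"
    done
    return "$rc"
}
```

Source the file and call shellshock_scan; a non-zero exit status means at least one Bash on the host still imports the crafted function.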

How to fix or mitigate

Note: Choose the fixing command that matches your Linux distribution. To be safe, create a snapshot of your Linux server's system disk before running the command; if the upgrade causes any problem on your server, you can roll the system disk back to the snapshot.

  • CentOS & Red Hat:

    yum -y update bash
  • Ubuntu:

    sudo apt-get update && sudo apt-get install bash

    After the upgrade, running the detection command again (this example echoes hello instead of the test string) prints:

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x`
    hello
  • Debian:

    apt-get -y install --only-upgrade bash

