On September 24, 2014, a high-risk remote command execution vulnerability was found in Bash, the shell that ships with Linux; its CVE number is CVE-2014-6271.
Bash is the command-line shell that most Linux users work with, so the impact scope of this vulnerability is broad. In addition, when an HTTP server enables CGI, or Bash is invoked in other places, the remote command execution vulnerability can be triggered. Affected are the mainstream Linux operating systems, including Ubuntu, CentOS, Debian, SUSE, and Red Hat.
The vulnerability mainly impacts services and programs that are built on Bash. When a website uses CGI to run Bash, an attacker may remotely run system commands to obtain a reverse shell and then perform operations such as intranet infiltration, Trojan implantation, and homepage tampering, resulting in high risk.
Alibaba Cloud advises you to review the vulnerability information and to troubleshoot and fix the vulnerability as soon as possible.
See the following for more information about the vulnerability.
CVE identifier
CVE-2014-6271
Vulnerability name
Linux Bash remote command execution vulnerability
Vulnerability rating
High
Vulnerability description
This vulnerability is caused by specially crafted environment variables that are created before the Bash shell is invoked. Bash parses these variables as function definitions, and they can contain trailing code that Bash then executes.
Condition and method of exploitation
Remote exploitation.
Affected scope
Linux operating systems of which the version of GNU Bash is 4.3 or earlier
Vulnerability detection
Run the following command to check whether the vulnerability exists:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the returned message contains "vulnerable", the vulnerability exists; otherwise, the vulnerability does not exist.
For example, if the vulnerability exists, the output before the vulnerability is fixed is:
vulnerable
this is a test
After the vulnerability is fixed, the output is:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x`
this is a test
Note: This detection command has no effect on your business. However, if your own scripts define environment variables in the preceding way (a function definition exported through an environment variable), those scripts will report an error after the vulnerability is fixed.
How to fix or mitigate
Note: Select the fixing command according to your Linux version. To avoid any accident, before executing the command, create a snapshot for your Linux server system disk. You can roll back the system disk snapshot to remove any impact on your server usage caused by the upgrade.
Centos & Redhat:
yum -y update bash
Ubuntu:
sudo apt-get update && sudo apt-get install bash
After the upgrade, running a detection command of the same form (here with "echo hello" as the test command) prints the following:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x`
hello
Debian:
apt-get -y install --only-upgrade bash
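The detection step and the distribution-specific fix commands above can be wrapped in a small POSIX sh helper that probes a given bash binary with the advisory's command, classifies its output the way the advisory describes (stdout containing "vulnerable" means unpatched; the warning lines after the fix go to stderr and are ignored), and prints the matching upgrade command for the host's /etc/os-release ID. This is an added example, not code from the Alibaba Cloud advisory; the function names, the "missing" result for a bash that cannot be run, and the assumption that /etc/os-release exists are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Alibaba Cloud advisory): probe a bash binary for
# CVE-2014-6271 using the advisory's detection command, classify the result, and
# print the advisory's fix command for the current distribution.
# All function and variable names here are this example's own assumptions.

# classify_shellshock_output STDOUT_TEXT
# Prints "vulnerable" if the captured stdout contains the marker word that the
# injected function body echoes; otherwise prints "patched".
classify_shellshock_output() {
    case "$1" in
        *vulnerable*) printf 'vulnerable\n' ;;
        *)            printf 'patched\n' ;;
    esac
}

# probe_bash [PATH_TO_BASH]
# Runs the advisory's detection command with the given bash (default: bash on
# PATH). Only stdout is classified: a patched bash writes its "ignoring function
# definition attempt" warning to stderr. Prints "missing" if bash cannot be run.
probe_bash() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { printf 'missing\n'; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    classify_shellshock_output "$out"
}

# fix_command DISTRO_ID
# Maps an /etc/os-release ID value (centos, rhel, ubuntu, debian) to the upgrade
# command given in the advisory. Unknown IDs produce an empty line.
fix_command() {
    case "$1" in
        centos|rhel) printf 'yum -y update bash\n' ;;
        ubuntu)      printf 'sudo apt-get update && sudo apt-get install bash\n' ;;
        debian)      printf 'apt-get -y install --only-upgrade bash\n' ;;
        *)           printf '\n' ;;
    esac
}

# detect_distro_id
# Reads the ID= field from /etc/os-release (assumption: the file exists on the
# host); prints "unknown" when it is absent or unreadable.
detect_distro_id() {
    if [ -r /etc/os-release ]; then
        sed -n 's/^ID=//p' /etc/os-release | tr -d '"' | head -n 1
    else
        printf 'unknown\n'
    fi
}

# Stand-alone usage: report the state of the bash on PATH and, if it is still
# vulnerable, show the upgrade command for this distribution.
state=$(probe_bash)
printf 'bash on PATH: %s\n' "$state"
if [ "$state" = vulnerable ]; then
    printf 'suggested fix: %s\n' "$(fix_command "$(detect_distro_id)")"
fi
```

Run it on each host after patching; any host that still reports "vulnerable" has not picked up the updated bash package (for example, a stale package mirror), and should be checked before it is returned to service.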