Today various sources announced CVE-2014-6271: “bash: specially-crafted environment variables can be used to inject shell commands”. This is a serious risk on many Unix-like systems, as bash is a very popular shell and is included by default on many of them. It is used both by interactive users and by many wrapper scripts relied on in daily system operations. This bug is now being referred to as “ShellShock” by many sources; initially some were calling it “BashBleed”.
The description of this bug from CVE-2014-6271:
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
Luckily for me, patching my own systems, as well as verifying that they were patched, was easily accomplished through Salt! Numerous tweets today had all that was required!
The first, to patch systems:
And a second to verify that systems were patched:
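The verification command itself is not reproduced in the post, so here is an added shell example (my own, not the author's tweet) that runs the standard CVE-2014-6271 probe against the local bash and reports whether it is patched, plus a wrapper that pushes the same probe through Salt's cmd.run to the os:debian minions targeted above. The Salt wrapper assumes the same grain-based targeting as the post and is only defined, not run, by the check.

```shell
#!/bin/sh
# Added example: report whether the local bash is affected by CVE-2014-6271.
# Assumes bash is on PATH; prints "patched", "vulnerable" or "no-bash".
#
# The probe exports a variable whose value looks like an exported function
# ("() { :;}") followed by a trailing command. An unpatched bash executes the
# trailing "echo vulnerable" while importing the function at startup; a patched
# bash treats the variable as plain data, so only "probe" is printed.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 2
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*)
            echo vulnerable
            return 1
            ;;
        *)
            echo patched
            return 0
            ;;
    esac
}

# Same probe fanned out with Salt to every minion matching the os:debian grain,
# mirroring the targeting used for pkg.install in the post. Minions that print
# "vulnerable" still need the updated bash package. (Assumed setup; not run here.)
salt_shellshock_check() {
    salt -G os:debian cmd.run \
        "env x='() { :;}; echo vulnerable' bash -c 'echo probe'"
}

shellshock_status
```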
At the moment only my Raspbian system has a bash which is vulnerable to this bug. I will update this when I notice it's been patched.
Update: It seems that the bugs haven’t been completely patched, yet. I assume there may be several rounds of patches for this.
Update: I have been continuing to run salt -G os:debian pkg.install bash refresh=True as each of the new CVE announcements happens. There have been six so far.
Some other blogs and external information about this: