Hello everyone,

As reported in mainstream media, Red Hat has been made aware of a vulnerability affecting all versions of the bash package as shipped with Red Hat products. This vulnerability CVE-2014-6271 could allow for arbitrary code execution. Certain services & applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

OVERVIEW:


GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi & mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, & other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

DIAGNOSTIC TESTS:

To test if your version of Bash is vulnerable to this issue, run the following command:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows:

vulnerable
this is a test


you are using a vulnerable version of Bash.

PATCH:

The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Upgrade Bash using the yum command in ssh:

yum upgrade bash


Thus, if you run the above example with the patched version of Bash, you should get an output similar to:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


eg:
Code:
[I][COLOR=#000000][email protected] [~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
[/COLOR][COLOR=#ff0000][B]vulnerable
this is a test[/B][/COLOR][/I]
Code:
[email protected] [~]# [B]yum upgrade bash[/B]
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.hyve.com
 * extras: centos.hyve.com
 * rpmforge: www.mirrorservice.org
 * rpmforge-extras: www.mirrorservice.org
 * updates: centos.serverspace.co.uk
base                                                                                                                                                        | 3.7 kB     00:00
extras                                                                                                                                                      | 3.3 kB     00:00
rpmforge                                                                                                                                                    | 1.9 kB     00:00
rpmforge-extras                                                                                                                                             | 1.9 kB     00:00
updates                                                                                                                                                     | 3.4 kB     00:00
Setting up Upgrade Process
Resolving Dependencies
--> Running transaction check
---> Package bash.i686 0:4.1.2-15.el6_4 will be updated
---> Package bash.i686 0:4.1.2-15.el6_5.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================================================================================
 Package                               Arch                                   Version                                              Repository                                 Size
=================================================================================================================================================================================
Updating:
 bash                                  i686                                   4.1.2-15.el6_5.1                                     updates                                   887 k

Transaction Summary
=================================================================================================================================================================================
Upgrade       1 Package(s)

Total download size: 887 k
Is this ok [y/N]: y
Downloading Packages:
bash-4.1.2-15.el6_5.1.i686.rpm                                                                                                                              | 887 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : bash-4.1.2-15.el6_5.1.i686                                                                                                                                      1/2
  Cleanup    : bash-4.1.2-15.el6_4.i686                                                                                                                                        2/2
  Verifying  : bash-4.1.2-15.el6_5.1.i686                                                                                                                                      1/2
  Verifying  : bash-4.1.2-15.el6_4.i686                                                                                                                                        2/2

Updated:
  bash.i686 0:4.1.2-15.el6_5.1

Complete!
Code:
[email protected] [~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
[COLOR=#008000]bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test[/COLOR]

[email protected] [~]#
Please restart/reboot your system for using this new bash package.

Customers that are unable to do this themselves or need our assistance are requested to submit a ticket as soon as possible so our technicians can apply the patch for you. If you have any questions or concerns regarding this notice, please submit a ticket. One of our senior technicians will be happy to help you.