Be advised that this is a temporary fix released by the Red Hat Security Response Team. The team is working on a full fix and is expected to release that patch soon.

The Bash vulnerability is considered to be of higher criticality than Heartbleed. It is found in all versions of the bash package shipped by Red Hat; it is unclear how long it has been present. CVE-2014-7169 allows arbitrary code execution, and certain services and applications allow remote, unauthenticated attackers to supply environment variables, which enables them to exploit this issue.

Priority: Severe

The National Vulnerability Database has given it a score of 10, i.e. highly severe: the impact is critical and the access complexity is Low. Hence, the vulnerability can be easily exploited by attackers once identified.

How to check whether you have a vulnerable Bash version on your system?

Run the command below to check:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output is like:

vulnerable
this is a test

then you have a vulnerable Bash version running on your system: the `echo vulnerable` placed after the function body in the environment variable was executed when Bash imported it.

In that case, apply the following patch to fix it.

Upgrade Bash using the yum command over SSH:

yum upgrade bash


If you run the above example against the patched version of Bash, you should get output similar to:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Once the bash update is complete, reboot your system for the new bash package to take effect.
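The same check, wrapped in a shell function so that it can be run from a script or a configuration-management job and consumed via its return code rather than by reading the output by eye. This is an added example and not part of the original post; it assumes bash is installed and on PATH (or that its path is passed as the first argument).

```shell
#!/bin/sh
# Added example: scripted version of the page's environment-variable test
# for CVE-2014-6271. Prints "vulnerable" or "patched" and returns 1 or 0
# respectively, so the result can drive a script (e.g. decide whether to
# run "yum upgrade bash"). Returns 2 if no bash binary can be found.
#
# Usage: check_bash_shellshock [path-to-bash]
check_bash_shellshock() {
    bash_bin="${1:-$(command -v bash)}"
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || {
        echo "bash not found"
        return 2
    }

    # A vulnerable Bash executes the "echo vulnerable" that follows the
    # function body while importing the variable x, so the marker string
    # appears in the output. A patched Bash refuses the import (and may
    # print a warning on stderr, which is discarded here) and only runs
    # the -c command.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)

    case "$out" in
        *vulnerable*)
            echo "vulnerable"
            return 1
            ;;
        *)
            echo "patched"
            return 0
            ;;
    esac
}

# Stand-alone run: report the status of the bash on this host.
check_bash_shellshock
```

On a host that still runs an unpatched bash the function exits non-zero, which makes it convenient as a gate in an upgrade script or as a simple compliance probe.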

External References:

  • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
  • https://bugzilla.redhat.com/show_bug.cgi?id=1141597
  • https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
  • https://access.redhat.com/articles/1200223
  • https://access.redhat.com/security/cve/CVE-2014-6271