The new Shellshock BASH vulnerability is a serious vulnerability affecting any UNIX/Linux/Mac-based operating system. It has only recently been discovered and can basically allow any command full root permissions on your server. For instance, an attacker can gain access to your PHP script and then use the exec function (a PHP function that provides BASH access) to execute anything as root.
The vulnerability works by placing a piece of code into a BASH variable and executing it using some clever code.
Fortunately, using a similar approach we can identify whether your BASH is vulnerable. All you need to do is execute the BASH code below:
env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
If your output is:
- Bash is vulnerable!
  then your VPS is vulnerable and you should continue reading.
- Bash Test
  then you are safe! Breathe a deep sigh of relief.
If you failed the above test, you will need to update your BASH installation. You can do this as follows:
- Debian/Ubuntu users:
  - for currently supported versions, run the following command: sudo apt-get update && sudo apt-get install --only-upgrade bash
  - for End Of Life releases, back up your important data and run the following command: do-release-upgrade
  - for Debian 6 users, additional steps must be taken before the update. You can find them here: https://wiki.debian.org/LTS/Using
- CentOS/Red Hat/Fedora users:
  - run the following command: yum update bash
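
The test and update steps above as a reusable script (an added example, not part of the original page): it runs the same env test against each bash binary it finds and prints the matching update command. The binary paths, the function names and the file name check_shellshock.sh are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: scripted form of the page's env test (not the author's code).
MARKER='Bash is vulnerable!'

# classify_output TEXT: interpret what the test printed.
classify_output() {
    case "$1" in
        *"$MARKER"*)   echo vulnerable ;;  # injected echo ran
        *"Bash Test"*) echo patched ;;     # only the intended command ran
        *)             echo unknown ;;     # binary did not behave like bash
    esac
}

# check_bash PATH: run the page's test against one bash binary.
check_bash() {
    bash_bin=$1
    [ -x "$bash_bin" ] || { echo missing; return 0; }
    out=$(env "VAR=() { :;}; echo $MARKER" \
              "FUNCTION()=() { :;}; echo $MARKER" \
              "$bash_bin" -c 'echo Bash Test' 2>/dev/null)
    classify_output "$out"
}

# update_hint: pick the page's update command for this distro family.
update_hint() {
    if command -v apt-get >/dev/null 2>&1; then
        echo 'sudo apt-get update && sudo apt-get install --only-upgrade bash'
    elif command -v yum >/dev/null 2>&1; then
        echo 'yum update bash'
    else
        echo 'update bash with your package manager'
    fi
}

# scan_all: test each bash on the assumed paths; returns 1 if any is vulnerable.
scan_all() {
    rc=0
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        result=$(check_bash "$b")
        [ "$result" = missing ] && continue
        echo "$b: $result"
        [ "$result" = vulnerable ] && rc=1
    done
    [ "$rc" -eq 1 ] && echo "Fix: $(update_hint)"
    return "$rc"
}

# Run the scan only when asked, e.g.: sh check_shellshock.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_all; exit $?; fi
```

The non-zero exit status from the scan makes it usable in cron jobs or configuration-management checks across several servers.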