Bash susceptible to environment variables code injection attack

patched Bash bug Linux Mint

A security adversary posted at Red Hat’s security blog and referenced at US-CERT has warned users of the Bash shell of a “specially-crafted environment variables code injection attack.”

That means UNIX-based operating systems that use the Bash shell are affected. That includes all Linux distributions and Apple’s Mac OS X.

According to the blog post cited above:

… the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.

The flaw is said to have been fixed in Red Hat Enterprise Linux and a package that fixes it shipped for Fedora, but I am running a fully updated Fedora 20 KDE and the package has not comes across. To test whether your copy of Bash is vulnerable, issue this command: env x='() { :;}; echo vulnerable' bash -c "echo LinuxBSDos.com. If your Bash is vulnerable, you should see both echoed texts.

Related Post:  ROSA Desktop Fresh R1: For advanced users, but even better for new users

This screenshot shows the result of the test on my Fedora 20 desktop.
Bash code injection attack

On my laptop running Linux Mint 17 Cinnamon, the test showed that it, too, is vulnerable. However, after updating it, the test passed. The following screenshots shows the results of the test before and after the updated was applied.

Related Post:  Spice up Ubuntu 10.10 desktop with Cairo-Dock

Bash test on Linux Mint 17 before code injection attack update.
Bash bug Linux Mint

Bash test on Linux Mint 17 after updating the system.
patched Bash bug Linux Mint

UPDATE: If you use Fedora 20, your only option, before an update is pushed through the system, is to patch it manually. To do that, type the following command, as root: yum localinstall https://kojipkgs.fedoraproject.org//packages/bash/4.2.47/4.fc20/x86_64/bash-4.2.47-4.fc20.x86_64.rpm. That came from this post. For other editions of Fedora, see this other post.

Share:

Share on facebook
Facebook
Share on twitter
Twitter
Share on pinterest
Pinterest
Share on linkedin
LinkedIn

Hola! Did you notice that LinuxBSDos.com no longer run network ads?  Yep, no more ads from the usual suspects that track and annoy you across the Internet. But since I still need to pay to keep the site running, feel free to make a small donation by PayPal or your favorite cryptocurrency.

  • Bitcoin
  • Ethereum
  • Xrp
  • Bitcoin cash
  • Bitcoin sv
  • Litecoin
  • Binance coin
  • Cardano
  • Ethereum classic
Scan to Donate Bitcoin to bc1qzvlte2m224zkayhdc7fdfjkp2rsgt0l5a496ua

Donate Bitcoin to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin

Scan to Donate Ethereum to 0x0F4362DFF77F3Ba0Dc637F5f3Eba35D09a2fA60C

Donate Ethereum to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum

Scan to Donate Xrp to r4ggjvL36njsMCYTkJ3S7cTHscPsMsSGQv

Donate Xrp to this address

Scan the QR code or copy the address below into your wallet to send some Xrp

Scan to Donate Bitcoin cash to qrs0dedzp9t55af3nfwypydghp29r0xguy9s20fz2k

Donate Bitcoin cash to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin cash

Scan to Donate Bitcoin sv to 15K9TLyVDBtLuG9cYvXCX9SSkq9C9oUKHK

Donate Bitcoin sv to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin sv

Scan to Donate Litecoin to LetJ9QQMb7u2LMZ9Tu6rtHwcBcQFW98fbG

Donate Litecoin to this address

Scan the QR code or copy the address below into your wallet to send some Litecoin

Scan to Donate Binance coin to bnb1ga8trq08ssqepd90v6225nzfgy448pu5pw8gxp

Donate Binance coin to this address

Scan the QR code or copy the address below into your wallet to send some Binance coin

Scan to Donate Cardano to addr1qx2354yw49etstfljpdhwja3ajjlt487lg95vu9ngy2q6vu4rf2ga2tjhqknlyzmwa9mrm997h20a7stgectxsg5p5esq5l7d9

Donate Cardano to this address

Scan the QR code or copy the address below into your wallet to send some Cardano

Scan to Donate Ethereum classic to 0xcD6CC972a2297FcafACDcfE042C55C69516a9264

Donate Ethereum classic to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum classic

Subscribe for updates. Trust me, no spam!

Sponsored links

1. Attend Algorithm Conference, a top AI and ML event.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
4. Axo Finans.

Upcoming events

6 Responses

  1. The article says, “That includes all Linux distributions…” It would be more accurate to say, “most Linux distributions,” or better yet, “virtually all Linux desktops and servers.” Most versions of embedded Linux don’t include bash and are not vulnerable. However, most distributions for customizable semi-embedded devices like the Raspberry Pi are/were vulnerable.

    1. Yep, Red Hat has addressed that point in this update. Relevant paragraph:

      Only if your lightbulb runs Bash! Lots of press have latched onto the fact that this flaw could affect the Internet Of Things, allowing attackers to take control of your systems via home appliances. In reality, embedded devices rarely use Bash, going for more lightweight solutions such as BusyBox, which includes the ash shell that was not vulnerable to these issues. So while it’s certainly plausible that some devices may be affected by this flaw, it won’t be very common.

  2. it’s the final ” that is missed in your example…

    env x='() { :;}; echo vulnerable’ bash -c “echo LinuxBSDos.com

  3. thxs for your contribution, but in your command text is on the end a fail:

    Must be:

    env x='() { :;}; echo vulnerable’ bash -c “echo LinuxBSDos.com”

    Greetings TLW

Leave a Reply

Your email address will not be published. Required fields are marked *

Get the latest

On social media
Via my newsletter

Partner links

1. Attend Algorithm Conference, a top AI and ML event for 2021.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
4. Axo Finans.
Hacking, pentesting distributions

Linux Distributions for Hacking

Experts use these Linux distributions for hacking, digital forensics, and pentesting.

Categories
Archives

The authors of these books are confirmed to speak during

Algorithm Conference

T-minus AI

Author was the first chairperson of AI for the U.S. Air Force.

The case for killer robots

Author is the Director of the Center for Natural and Artificial Intelligence.

Why greatness cannot be planned

Author works on AI safety as a Senior Research Scientist at Uber AI Labs.