Shell Shocker BASH vulnerability links

A flaw in Bash, the most common Linux command shell, that has existed for 22 years and was discovered and incompletely patched earlier this year is reported to pose a very severe threat to systems that include it. If you use a Bash shell on Linux or another derived operating system such as Android or Apple OS X (as I do, and I am sure many of you do too!), you are probably vulnerable.

According to Mitre:
vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Am I vulnerable?
Edit for the time being: You are. No complete public fix has been posted yet for the new CVE (CVE-2014-7169). The instructions I give below are only sufficient to close off part of the vulnerability.
There is an easy check. Open a terminal and paste the following:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
It simply sets the environment variable x to the value '() { :;}; echo vulnerable' and then invokes bash, asking it to echo back the word hello. The value of x is a function definition that does nothing ({ :; }). However, it is crafted so that the text after the function body, 'echo vulnerable', is executed while bash parses its environment at start-up, which prints vulnerable to standard output.

If you are not vulnerable, then the following will be shown:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

If you are vulnerable, then you will see:
vulnerable
hello

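The same probe, wrapped as an added example (this is not code from the original post) so a script can report a verdict instead of relying on eyeballing the output. It assumes a bash binary on PATH (or a path passed as the first argument); the function names classify_output and shellshock_check are my own.

```shell
#!/bin/sh
# Added example, not from the original post: turn the one-line Shellshock probe
# into a function that returns a verdict and a usable exit status.

# Classify the raw output of the probe.
#   "vulnerable" on its own line -> the trailing command in the environment
#                                   variable was executed at bash start-up
#   only "hello"                 -> the function definition was ignored/imported safely
#   anything else                -> the probe did not run as expected (e.g. no bash)
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -qx 'hello'; then
        echo patched
    else
        echo unknown
    fi
}

# Run the post's probe against a given bash binary (default: bash on PATH).
# The variable x carries an empty function body followed by "echo vulnerable";
# an unpatched bash runs that trailing command while importing the environment.
# Exit status: 0 = patched, 1 = vulnerable, 2 = could not test.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo unknown
        return 2
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo hello' 2>/dev/null)
    verdict=$(classify_output "$out")
    echo "$verdict"
    case "$verdict" in
        patched)    return 0 ;;
        vulnerable) return 1 ;;
        *)          return 2 ;;
    esac
}

# Usage: prints one of patched / vulnerable / unknown for the bash on PATH.
shellshock_check
```

The warning lines that a patched bash prints go to standard error and are discarded, so only the two expected words are classified; a non-zero exit status lets the check be dropped into a cron job or configuration-management run that fails loudly on unpatched hosts.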
Here is a link to more information from the Register:
Here is an article from TrendMicro that also describes the vulnerability:

Several of the vendors we have partnerships with are investigating their products to determine their vulnerability and response.

F5 has posted the security advisory:
VMware has posted in their security and compliance blog that they are investigating:
Red Hat has posted a very good description on their security blog:
Another Red Hat post:

Here are links to the advisories and repositories from the US Government:

US Computer Emergency Readiness Team (US-CERT) Advisory:
NIST-National Vulnerability Database:
Mitre Common Vulnerabilities and Exposures (CVE) entries:

Since the patches for Bash started being released last week, three new Bash vulnerabilities have been identified. These are new since I sent out the email last week: if systems were patched on Friday, they are probably vulnerable now unless the new patches have been applied!

US Computer Emergency Readiness Team (US-CERT) Advisory:

Vulnerability Note VU#252743 GNU Bash shell executes commands in exported functions in environment variables: – This is a very good article describing affected systems

NIST-National Vulnerability Database:

Mitre Common Vulnerabilities and Exposures (CVE) entries: – Another terrific resource for understanding and testing for the 5 vulnerabilities identified so far, with instructions on patching a number of operating systems.

Additional articles and advisories from vendors:

Novell/SUSE SLES 11 is affected:

Updated Knowledgebase article listing vulnerabilities in VMware products: KB 2090740 – This list is long as VMware maintains dozens of Linux based virtual appliances.

Palo Alto Networks Security Advisory:
