
A new vulnerability, known as “Shellshock”, was recently discovered within Bash. This security hole needs to be patched immediately to avoid potential exploits of your Linux server. Our Fully Managed cPanel customers have already had this patch applied since yesterday. An additional patch will likely be required to completely resolve “Shellshock” but that additional patch is not yet available. Once it is, we will apply it for our fully managed customers immediately and provide an update to our self-managed customers on the steps they need to take.

To get straight to the fix, we will dive right into how you can test your server for the vulnerability and patch it as well as can be done for the time being. If you want more background on the vulnerability itself, here are a few articles with more information.

https://www.cnet.com/news/bigger-than-heartbleed-bash-bug-could-leave-it-systems-shellshocked/
https://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html?m=1
https://money.cnn.com/2014/09/24/technology/security/bash-bug/index.html

Test:

Test for the vulnerability by running the following command at shell:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks similar to the following:

vulnerable
this is a test

then your system is vulnerable.
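The one-liner above is easy to misread when the patched bash also prints a warning, so here is an added wrapper script (not part of the original article) that runs the same test against a given bash binary, discards stderr, and reports "vulnerable", "patched" or "not-found" so it can be used from monitoring or a cron job:

```shell
#!/bin/sh
# Added example: wraps the Shellshock test command in a reusable check.

# Classify the stdout of the test command. The injected command only runs
# on an unpatched bash, so the word "vulnerable" on stdout means vulnerable.
classify_shellshock_output() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Run the test against the bash binary given as $1 (default: bash in PATH).
# A patched bash prints only "this is a test" on stdout; any warning about
# the ignored function definition goes to stderr, which we discard.
check_shellshock() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo not-found
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    classify_shellshock_output "$out"
}

# Print the result and return 0 only when the binary is patched, so the
# exit status can be used by a cron job or configuration management run.
shellshock_status() {
    result=$(check_shellshock "$1")
    echo "$1: $result"
    [ "$result" = patched ]
}

shellshock_status "${1:-bash}"
```

Run it as `sh shellshock-check.sh /bin/bash` (or with no argument to test the bash found in PATH); a non-zero exit status means the binary still needs the update described in the next section.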

Update Bash:

If you’re using CentOS 5/6/7, run the following command:

yum clean all
yum update bash

If bash doesn’t get updated, check /etc/yum.repos.d/CentOS-Base.repo and ensure it points at the default CentOS mirrors rather than the Hivelocity mirrors (which have not yet been updated; we are working on a resolution).

Manual Build of Bash

For CentOS 4, Debian Squeeze, or other older releases you may need to compile bash from source. Use the following script:

The script below does the following:

  • Downloads bash
  • Downloads latest patches for bash
  • Extracts bash
  • Applies the patches to the source code
  • Builds and installs bash into /bin/bash

mkdir /src
cd /src
# Fetch the bash 4.3 source tarball from the GNU mirror
wget https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
# Fetch the official 4.3 patch series; patches are numbered 001-025
# (there is no patch 000), and bash43-025 is the CVE-2014-6271 fix
for i in $(seq -f "%03g" 1 25); do wget https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
# Apply the patches in order from inside the source tree
for i in $(seq -f "%03g" 1 25); do patch -p0 < ../bash43-$i; done
# --prefix=/ puts the resulting binary at /bin/bash, replacing the system one
./configure --prefix=/ && make && make install

Additional information and updates:

National Vulnerability Database

Please note: The original patch (shown above) was thought to have fixed the issue CVE-2014-6271 but is now known to be incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. However, according to Red Hat, customers should upgrade to the version of Bash which contains the fix for CVE-2014-6271 (which was done yesterday for managed clients), and not wait for the new, yet to be released, patch which fixes CVE-2014-7169. CVE-2014-7169 is a less severe issue and patches for it are being worked on at the moment.

To summarize, the patch for CVE-2014-6271 does fix the initial, low-access-complexity exploit. But it was incomplete, and so a new issue, assigned CVE-2014-7169, is out; it is currently being patched and the fix will be available through the repos shortly. This is a high-access-complexity exploit, so it’s not as serious or widespread as the initial one.


Need More Personalized Help?

If you have any further issues, questions, or would like some assistance checking on this or anything else, please reach out to us from your my.hivelocity.net account -> Support and provide your server credentials within the encrypted field for the best possible security and support.

If you are unable to reach your my.hivelocity.net account or if you are on the go, please reach out from your valid my.hivelocity.net account email to us here at: support@hivelocity.net. We are also available to you through our phone and live chat system 24/7/365.
