How to detect if your server is vulnerable to the Shellshock bug and fix it

The Shellshock vulnerability is a security bug affecting Unix/Linux operating systems through the bash shell. Disclosed on September 24, 2014, it has been rated 10 (the maximum score) for severity by NIST. Debian installs bash by default, so you’re probably affected!

To check if your server is vulnerable, run this command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the results look like this, you are affected:

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

However, if you get these results, you are not affected:

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
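
The same probe wrapped for scripted use, as an added example that is not part of the original post: it tests every bash binary listed in /etc/shells and on PATH, and decides from standard output alone, because fully patched bash versions may print no warning at all. The function names and verdict strings are assumptions of this example, and the verdict covers only the probe shown above.

```shell
#!/bin/sh
# Added example: scripted form of the probe shown above. Names are this example's own.

# Verdict from the probe's stdout only; stderr warnings differ between patch levels.
classify_probe_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable          # the injected "echo vulnerable" was executed
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo not-vulnerable      # only the intended command ran
    else
        echo inconclusive        # the shell did not run the test command at all
    fi
}

# Run the probe against one shell binary and print its verdict.
check_bash() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo missing
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null) || true
    classify_probe_output "$out"
}

# Check every bash in /etc/shells plus the one on PATH; return 1 if any is vulnerable.
check_all_bash() {
    status=0
    for bin in $( { grep -E '^/.*/bash$' /etc/shells 2>/dev/null; command -v bash; } | sort -u ); do
        verdict=$(check_bash "$bin")
        printf '%s: %s\n' "$bin" "$verdict"
        if [ "$verdict" = vulnerable ]; then status=1; fi
    done
    return "$status"
}

# Run the full check only when invoked as: sh script.sh run
if [ "${1:-}" = run ]; then
    check_all_bash
fi
```

The non-zero return from check_all_bash makes it usable from cron or a configuration-management run to flag hosts that still need the upgrade below.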

Wheezy

If you are running the latest Debian release, the solution is simple. Just update the system:

apt-get update
apt-get upgrade

Squeeze

If you are running Squeeze, you need to add the LTS apt source and update bash:

1. Append LTS to apt sources (pico /etc/apt/sources.list)

deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free

2. Update apt

apt-get update

3. Upgrade bash to the latest version

apt-get install -t squeeze-lts --only-upgrade bash

Older releases

If you are using an older release, you should update to Wheezy.

Comment

  1. Also, you can just upgrade bash with a small command such as “apt-get upgrade bash”; no need to upgrade the whole system if not needed 🙂