CVE-2014-6271 – Vulnerability in Bash

There’s a very nasty vulnerability in Bash that allows remote attackers to execute arbitrary code:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

To test if you’re vulnerable, simply execute this:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output includes the word “vulnerable,” then your system is vulnerable.
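To run the same test across every bash binary on a host instead of only the first one on PATH, a small wrapper helps. This is an added example, not part of the original post; the function names, the OK/VULNERABLE/UNTESTED labels and the `--scan` switch are its own, and it assumes candidate binaries are the bash on PATH plus any bash listed in /etc/shells.

```shell
#!/bin/sh
# Added example: run the page's CVE-2014-6271 test against every bash binary.
# Function names and the OK/VULNERABLE/UNTESTED labels are this example's own.

# check_bash PATH -> 0 marker not printed, 1 marker printed, 2 could not test
check_bash() {
    [ -x "$1" ] || return 2
    # env -i gives the shell an empty environment apart from the probe
    # variable x. An affected bash executes the text that trails the function
    # body while importing x, so "vulnerable" appears before the -c output.
    _out=$(env -i x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || :
    case $_out in
        *vulnerable*)       return 1 ;;
        *'this is a test'*) return 0 ;;
        *)                  return 2 ;;
    esac
}

# Candidate binaries: bash on PATH plus any bash listed in /etc/shells.
list_bash_candidates() {
    {
        command -v bash || :
        [ -r /etc/shells ] && grep -E '^/.*/bash$' /etc/shells
    } 2>/dev/null | sort -u
}

# scan_bash_binaries [PATH...] -> prints one line per binary, returns 1 if
# any of them printed the marker.
scan_bash_binaries() {
    [ "$#" -gt 0 ] || set -- $(list_bash_candidates)
    _worst=0
    for _b in "$@"; do
        _rc=0
        check_bash "$_b" || _rc=$?
        case $_rc in
            0) echo "OK          $_b" ;;
            1) echo "VULNERABLE  $_b"; _worst=1 ;;
            *) echo "UNTESTED    $_b" ;;
        esac
    done
    return "$_worst"
}

# Run the scan only when asked, so the file can also be sourced.
if [ "${1:-}" = "--scan" ]; then scan_bash_binaries; fi
```

The non-zero exit status from `scan_bash_binaries` makes it usable as a gate in a patch-verification or configuration-management run. It checks only the behaviour that the test above exercises.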

Amazon will be doing a massive restart of all EC2 instances this weekend (starting Friday and running through Sunday) to patch all affected systems. Managed services including RDS, ElastiCache, and Redshift will also be affected.

Instance types that will NOT be impacted:

  • R3
  • T1
  • T2
  • M2
  • HS1

AWS plans to stage the reboot process so that each region will have only one AZ patched each day. Additionally, AWS states that it will not patch instances in multiple regions at the same time within the same AWS account.

More info here:
