A serious vulnerability has been found in bash, one of the core tools present on almost every Unix, Linux, and Mac OS X system. The vulnerability affects most versions up to and including 4.3, except certain patched versions like 3.2.52(1).
You should assume that your server has an exploitable version of bash, unless you are certain that it has been patched.
This vulnerability can allow remote attackers to run arbitrary shell commands on your server, and potentially allow them full access to your data or control over your server.
We strongly recommend that you check which version of bash your sites’ host is running, and upgrade if necessary. In many cases, you will need to contact your hosting provider, and ask them to verify and update bash for you.
How do I know if my server is at risk?
One way to check whether you are running a vulnerable version of bash is to run the following commands on your server’s command line:
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
If either command outputs the word “busted”, then you are likely running a vulnerable version of bash, and should contact your hosting provider as soon as possible.
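The same check, wrapped in a small script so it can be run against several shells at once and give a usable exit status (an added example, not part of the original post; the function names check_shell and check_all are chosen here for illustration):

```shell
#!/bin/sh
# Added example: wraps the "busted" test from this post.
# check_shell PATH prints one of: vulnerable | not-vulnerable | missing | error
check_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo missing
        return 0
    fi
    # Same probe as in the post: X holds a function definition followed by
    # a trailing command. A fixed bash ignores the trailing command; a
    # vulnerable one runs it at startup, before "echo completed".
    # "|| true" keeps going if the shell under test exits non-zero.
    out=$(env X='() { :;} ; echo busted' "$shell_path" -c 'echo completed' 2>/dev/null) || true
    case $out in
        *busted*)    echo vulnerable ;;
        *completed*) echo not-vulnerable ;;
        *)           echo error ;;
    esac
}

# check_all PATH... prints "PATH: result" for each shell and
# returns 1 if any of them is vulnerable, 0 otherwise.
check_all() {
    rc=0
    for s in "$@"; do
        r=$(check_shell "$s")
        printf '%s: %s\n' "$s" "$r"
        if [ "$r" = vulnerable ]; then
            rc=1
        fi
    done
    return $rc
}

# When given arguments, check them, e.g.:
#   sh thisfile /bin/sh "$(command -v bash)"
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```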
If you’re using VaultPress Premium or the Security Plan, we’re scanning your server for vulnerable versions of bash. If we detect a vulnerability, we will attempt to notify you via email. You will then need to upgrade to a fixed version of bash.
How can I upgrade my version of bash?
Many of our users will need to contact their hosting providers in order to upgrade bash. If you have access to your server’s command line, you can upgrade to the latest available version by running the following commands:
For servers running Ubuntu or Debian:
apt-get update && apt-get install --only-upgrade bash
For servers running CentOS:
yum upgrade bash
If your server is not listed, or you’re not comfortable using the command line, please contact your hosting provider for assistance.
If you are able to upgrade bash, please try running the test commands again to help verify that your bash installation is no longer subject to this vulnerability.
Need help?
Due to the nature of this vulnerability, you should contact your hosting provider if you need any assistance in upgrading to a fixed version of bash.
As always, feel free to drop us a line if we can help!