aiScaler and the Bash Shellshock vulnerability
Posted by Max Robbins on September 26th, 2014

On Wednesday, September 24th 2014, a critical Bash vulnerability, known as CVE-2014-6271, CVE-2014-7169 and Shellshock, was discovered. It allows attackers to execute arbitrary code. The prerequisite is having access to Bash. You can read more about the vulnerability in the original article: https://access.redhat.com/articles/1200223
Updating Bash
sudo apt-get update
sudo apt-get install bash
If you updated Bash on September 25th, we recommend repeating the process, because the initial patch was incomplete. We also recommend restarting the server after the update.
Am I vulnerable?
rm -f echo && env -i X='() { (a)=>\' bash -c 'echo id'; cat echo
If you are vulnerable you will get
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
uid=0(root) gid=0(root) groups=0(root)
If you are not vulnerable you will get
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
id
cat: echo: No such file or directory
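
The check above can be scripted for use across several servers. The following is an added example, not part of the original post: it runs the same command in a scratch directory and decides by whether the file named echo was created, instead of by reading the output. The function name shellshock_status and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: scripted form of the "Am I vulnerable?" check on this page.
# shellshock_status is a hypothetical helper name, not part of any tool.
# Prints "vulnerable", "not vulnerable" or "unknown";
# returns 1, 0 or 2 respectively.

shellshock_status() {
    # Optional argument: path of the bash binary to test.
    # Default: the first bash found in PATH.
    bash_bin=${1:-$(command -v bash || true)}
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "unknown"
        return 2
    fi

    # Work in a private directory. A vulnerable bash creates a file named
    # "echo" in the current directory, and the one-liner on this page begins
    # with "rm -f echo", which would delete a real file of that name.
    scratch=$(mktemp -d) || { echo "unknown"; return 2; }

    # Same environment variable and command as the check on this page.
    # Output and exit status are ignored; only the side effect matters.
    ( cd "$scratch" && env -i X='() { (a)=>\' "$bash_bin" -c 'echo id' ) \
        >/dev/null 2>&1 || true

    # Vulnerable bash: "id" was executed with its output redirected to ./echo.
    # Patched bash: the text "id" is printed and no file is created.
    if [ -e "$scratch/echo" ]; then
        result="vulnerable"
    else
        result="not vulnerable"
    fi
    rm -rf "$scratch"

    echo "$result"
    [ "$result" = "not vulnerable" ]
}
```

Call shellshock_status with no argument to test the default bash, or pass a path such as /bin/bash to test a specific binary.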