"GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution."
Keep an eye on "Fixed In Version: "
https://bugzilla.redhat.com/show_bug.cgi?id=1141597Check `bash --version' Is it one of these?
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271All versions up to 4.3.
I see that CGI is effected. My understanding is that you have to have CGI enabled and have a CGI script callable from the web to be vulnerable. Aside from using CGI, I'm concerned that my http server install, hosting provider, vm image, etc. may have put a helpful stats collection CGI script in a well known location.
Personally, I did not need CGI so I commented out the CGI in my configuration files and renamed the module on disk and finally re-started the server watching for errors. I'm just going to wait for the official fixed version and update and verify with `bash --version`.
Just for the sake of discussion (this is not be perfect; no warranty!), what do you think?
locate mod_cgi.so
locate mod_cgid.so
** Check your web server, there may be multiple config scripts... either grep for the load module command or rename the module. I'm choosing to rename..
Here is an Apache example, comment out "#LoadModule cgi_module modules/mod_cgi.so" and other rules that reference it in config files like /etc/httpd/conf/httpd.conf then:
sudo su
vi /etc/httpd/conf/httpd.conf
mv /usr/lib/httpd/modules/mod_cgi.so /usr/lib/httpd/modules/_bash-bug_mod_cgi.so
tail -f /var/log/httpd/error_log&
/etc/init.d/httpd restart
Light httpd:
sudo su
vi /etc/lighttpd/lighttpd.conf
mv /usr/lib/lighttpd/mod_cgi.so /usr/lib/lighttpd/mod_cgi_bash-bug_mod_cgi.so
/etc/init.d/lighttpd restart
less /var/log/lighttpd/error.log