CVE-2014-6271 - Bash security update

Over the past few days there has been much discussion relating to a security update for the GNU Bourne Again Shell (bash).

The security hole relates to a little-used feature of bash which allows functions to be exported from a shell to the processes it executes as children. This feature is rarely used so it may come as a surprise to shell-users.

The way this works is that a function is first defined, then exported with the export -f built-in. At this point the function is made available to child processes, via their environment:

$ function testing { echo "Hello"; }
$ export -f testing
$ bash -c 'testing'
$ bash -c 'env | grep testing'
BASH_FUNC_testing()=() {  echo "Hello"

The use of environment variables is the reason why this feature has become the target of security advisories. The standard CGI protocol relies on webservers passing arguments to the scripts they execute via the environment, and that can lead to function definitions being read and executed.

The net result is that we end up in a situation where a remote attacker can make a request to a CGI-script, written in bash, by making a simple HTTP request looking something like this:

GET /path/to/bash.cgi HTTP/1.0
Referer:() { :; }; echo badness

If you have any pure-bash CGI scripts they can definitely be exploited by requests similar to that example, although there seems to be some debate about how vulnerable PHP, Perl, and Ruby CGI-processes are. However, given that CGI scripts may launch commands themselves, using the environment they have inherited, it is worth being paranoid and assuming the worst.
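To see whether requests like the one above have reached a server, the following added example (not part of the original post) scans an access log for Referer or User-Agent values that begin with a function-definition prefix. It assumes the Apache/nginx "combined" log format; the sample log lines and the names shellshock_hits and write_sample_log are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag access-log entries whose Referer or User-Agent value
# starts with the bash function-definition prefix "() {".
# Assumption: "combined" log format, where splitting a line on double quotes
# gives field 2 = request line, field 4 = Referer, field 6 = User-Agent.

# Print "client_ip header value" for every suspicious entry in log file $1.
shellshock_hits() {
    awk -F'"' '
        function check(name, value,    pre) {
            # Whitespace around "()" is tolerated so that small variations
            # of the prefix are still reported.
            if (value ~ /^[ \t]*[(][)][ \t]*[{]/) {
                split($1, pre, " ")
                printf "%s %s %s\n", pre[1], name, value
            }
        }
        { check("referer", $4); check("user-agent", $6) }
    ' "$1"
}

# Write constructed sample log lines (documentation IP ranges) to file $1.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [26/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "http://example.com/" "Mozilla/5.0"
198.51.100.7 - - [26/Sep/2014:10:00:02 +0000] "GET /path/to/bash.cgi HTTP/1.0" 200 64 "() { :; }; echo badness" "-"
203.0.113.5 - - [26/Sep/2014:10:00:03 +0000] "GET /path/to/bash.cgi HTTP/1.0" 200 64 "-" "() { :;}; echo badness"
192.0.2.44 - - [26/Sep/2014:10:00:04 +0000] "GET /docs?q=() HTTP/1.1" 200 900 "http://example.com/a(){b}" "curl/7.38.0"
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
shellshock_hits "$sample"
rm -f "$sample"
```

A header value that itself contains a double quote shifts the field positions, so treat this as a first-pass filter over the log, not a complete parser.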

The good news is that there have been several patches released which fix the obvious holes, and no doubt there will be further changes in the future now that bash is seeing additional attention.

If you’re a Brightbox client you shouldn’t worry, as all our internal systems have now been patched. As a mitigating factor it has to be noted that the default shell for most of our distribution images is not set to bash.

Upgrading should be a simple matter of following the established security update procedure for your distribution, so for example an Ubuntu host could be updated via apt-get update; apt-get upgrade and a CentOS distribution via yum upgrade.
