Shellshock on CentOS
Shellshock, also known as Bashdoor, is a family of security bugs (with six CVEs filed at the time of this page) in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet daemons, such as web servers, use Bash to process certain commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
See this New York Times Story concerning the history of bash and Shellshock.
Six separate CVEs have been assigned to Shellshock:
1. Versions of CentOS impacted
Every version of CentOS that was released before 31 September 2014 was impacted by the Shellshock issue, as were all versions of Bash in Linux since sometime in 1992 when the issue was first introduced into the bash source code.
This issue will not be mitigated in versions of CentOS that are past their End of Life, so CentOS-2.1, CentOS-3 and CentOS-4 are vulnerable and are not going to be fixed by the CentOS Project. You should not be using any of these versions: this is not the first security issue affecting all three, and they are no longer maintained.
At the time of this article (October 6th, 2014), all active versions of CentOS (CentOS-5, CentOS-6, and CentOS-7) with all published updates installed have mitigated all six of the Shellshock CVEs listed above. The minimal version of bash required to fix the issue is listed below:
1.1. CentOS-5
bash-3.2-33.el5_10.4.<arch>.rpm
Note: the CentOS-5.11 release shipped an older build of bash on the ISOs; the fixed build in its updates directory is bash-3.2-33.el5_11.4.<arch>.rpm.
1.2. CentOS-6
bash-4.1.2-15.el6_5.2.<arch>.rpm
1.3. CentOS-7
bash-4.2.45-5.el7_0.4.<arch>.rpm
* In all of the above, <arch> could be x86_64, i386, or i686 depending on the architecture you have installed (32-bit or 64-bit, etc).
2. Mitigation on CentOS Linux
The mitigation mechanism for all versions of CentOS Linux is the same. Install all updates with the command:
yum upgrade
You can check that you are OK with the command:
rpm -q bash
If the reported bash version is at (or higher than) the version listed above for your CentOS release, then you are running a bash that has the six CVEs listed on this page mitigated.
For example, on a CentOS-7 machine it looks like this:
[jhughes@T520 ~]$ rpm -q bash
bash-4.2.45-5.el7_0.4.x86_64
So, since I have the mitigated bash installed, I am covered for the listed shellshock issues.
3. Mitigation in CentOS Linux images
Official CentOS images have a date on them and any CentOS image with a date that is on or after 20140926 (26 September 2014) will have the latest bash installed.
If you get your image from another vendor, the way to check for shellshock mitigation is still to use the command:
rpm -q bash
and to compare the result to the versions above.
You will need to contact your image provider to get newer images with updated versions of bash as required, but you should be able to manually install an RPM from the CentOS Mirrors as a last resort while waiting on a new image.
First see if yum has working updates and do:
yum upgrade bash
If that does not work, you can go to the root of the mirrors and then drill down to centos/<version>/updates/<arch> and download the required bash for your CentOS Linux version.
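The comparison described in sections 2 and 3 (take the `rpm -q bash` output and check it against the minimal fixed build for your release) is easy to get wrong by eye, because RPM compares version and release segment by segment rather than as plain strings. The script below is an added example, not part of the original page or of CentOS itself: it parses the `rpm -q bash` string, looks up the minimal fixed build for el5/el6/el7 from the table above, and compares with a simplified rpmvercmp (digit runs compared numerically, letter runs lexically, a numeric segment beats an alpha segment, the longer list wins on a tie). The tilde/caret rules of real librpm are omitted because none of the builds listed here use them; the function names `rpm_vercmp` and `shellshock_fixed` are this example's own.

```shell
#!/bin/sh
# Added example: compare an `rpm -q bash` string with the minimal fixed builds
# listed on this page. rpm_vercmp is a simplified rpmvercmp (no tilde/caret).

# rpm_vercmp A B: prints -1, 0 or 1 depending on whether A < B, A = B or A > B.
rpm_vercmp() {
    awk -v a="$1" -v b="$2" '
    function tokenize(s, arr,    n) {
        n = 0
        while (length(s) > 0) {
            if (match(s, /^[0-9]+/) || match(s, /^[A-Za-z]+/)) {
                arr[++n] = substr(s, 1, RLENGTH)
                s = substr(s, RLENGTH + 1)
            } else {
                s = substr(s, 2)          # separator such as "." or "_"
            }
        }
        return n
    }
    function cmp(a, b,    x, y, na, nb, i, xn, yn) {
        na = tokenize(a, x); nb = tokenize(b, y)
        for (i = 1; i <= na && i <= nb; i++) {
            xn = (x[i] ~ /^[0-9]+$/); yn = (y[i] ~ /^[0-9]+$/)
            if (xn && yn) {
                if (x[i] + 0 != y[i] + 0) return (x[i] + 0 < y[i] + 0) ? -1 : 1
            } else if (xn) {
                return 1                  # numeric segment beats alpha segment
            } else if (yn) {
                return -1
            } else if (x[i] != y[i]) {
                return (x[i] < y[i]) ? -1 : 1
            }
        }
        if (na == nb) return 0
        return (na < nb) ? -1 : 1         # leftover segments win
    }
    BEGIN { print cmp(a, b) }'
}

# shellshock_fixed NVRA: returns 0 if the bash build is at or above the minimal
# fixed build for its CentOS release, 1 if it is older, 2 if the string is not
# an el5/el6/el7 bash build (for example "package bash is not installed").
shellshock_fixed() {
    nvra=${1#bash-}                 # 4.2.45-5.el7_0.4.x86_64
    nvr=${nvra%.*}                  # drop .<arch>  -> 4.2.45-5.el7_0.4
    ver=${nvr%%-*}                  # 4.2.45
    rel=${nvr#*-}                   # 5.el7_0.4
    case $rel in
        *el5*) min_ver=3.2;    min_rel=33.el5_10.4 ;;   # CentOS-5, section 1.1
        *el6*) min_ver=4.1.2;  min_rel=15.el6_5.2 ;;    # CentOS-6, section 1.2
        *el7*) min_ver=4.2.45; min_rel=5.el7_0.4 ;;     # CentOS-7, section 1.3
        *)     return 2 ;;
    esac
    c=$(rpm_vercmp "$ver" "$min_ver")
    if [ "$c" -ne 0 ]; then
        [ "$c" -gt 0 ] && return 0  # newer upstream version
        return 1
    fi
    c=$(rpm_vercmp "$rel" "$min_rel")
    [ "$c" -ge 0 ]                  # same version: release decides
}

# On a CentOS box, report on the installed package; elsewhere this part is skipped.
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q bash 2>/dev/null || true)
    rc=0; shellshock_fixed "$installed" || rc=$?
    case $rc in
        0) echo "$installed: at or above the minimal fixed build" ;;
        1) echo "$installed: older than the minimal fixed build, run: yum upgrade bash" ;;
        *) echo "$installed: not a CentOS-5/6/7 bash build listed on this page" ;;
    esac
fi
```

Note that bash-4.1.2-15.el6_5.1 (the first CentOS-6 build, which addressed only CVE-2014-6271) is correctly reported as older than bash-4.1.2-15.el6_5.2, and the CentOS-5.11 build bash-3.2-33.el5_11.4 mentioned in section 1.1 is correctly reported as newer than bash-3.2-33.el5_10.4, because 11 is compared with 10 numerically rather than as a string.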
4. More reading on Shellshock
5. CentOS Announce List
All CentOS security updates are released via the CentOS Announce mailing list, so if you want to know when an update is released, subscribing to the mailing list is the way to hear about it as soon as it is published.