
I have patched my system however CVE-2014-7169 claims that the fix for 6271 was


Question

I have patched my system; however, CVE-2014-7169 claims that the fix for 6271 was incomplete. Sure enough, if I run the command below:

env X='() { (a)=>' sh -c "echo date"; cat echo

It appears that function parsing is still executing code as I do not get an error like I am supposed to. So if 6271 allowed an attacker to execute arbitrary commands at will, does this mean that after being patched you are still vulnerable per 7169 but not to the same extent? If so, does this mean an attacker can still exploit the bug but running arbitrary commands is no longer an option? How much more "secure" is this? Can someone provide an example?

Explanation / Answer

They're the same vulnerability. CVE-2014-7169 was simply a bug found in the original patch for CVE-2014-6271 or "Shellshock".

CVE-2014-7169 allows us to side-step the patch released for BASH that was rolled out alongside the original bug disclosure for CVE-2014-6271.

To test if your system is still vulnerable after applying the patch for CVE-2014-6271, simply type:

$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>' bash -c "echo date"; cat /tmp/echo

If you can still pass characters from your environment variables into other environments, your version of BASH is vulnerable. If so, you should see the date appear on your screen, and a file called "echo" will be created in your /tmp/ directory.

To update BASH type the following, depending on your Linux distro:

yum update bash

or

apt-get update && apt-get install --only-upgrade bash
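The test from the answer above, wrapped as a check a script can consume, is added here as an example (not part of the original answer). It runs the CVE-2014-7169 probe in a scratch directory so the stray "echo" file can't land anywhere important, cleans up afterwards, and goes one step beyond the answer by also running the widely published CVE-2014-6271 probe; both functions return 0 when bash is patched and 1 when it is still vulnerable. It assumes only that bash is on PATH (or that a path to a bash binary is passed as the first argument).

```shell
#!/bin/sh
# Added example, not the answer's own code. Assumes "bash" on PATH or a path in $1.

# CVE-2014-7169: a vulnerable parser turns `echo date` into `date > echo`,
# leaving a file named "echo" behind. A patched bash just prints "date".
shellshock_7169_check() {
    bash_bin="${1:-bash}"
    tmpdir=$(mktemp -d) || return 2
    (
        cd "$tmpdir" || exit 2
        # Same crafted function body as in the answer above.
        env 'x=() { (a)=>' "$bash_bin" -c "echo date" >/dev/null 2>&1
        # The file, not the screen output, is the reliable indicator.
        if [ -f echo ]; then exit 1; fi
        exit 0
    )
    rc=$?
    rm -rf "$tmpdir"
    return "$rc"
}

# CVE-2014-6271: the original bug runs the trailing command in the variable's value.
shellshock_6271_check() {
    bash_bin="${1:-bash}"
    out=$(env 'x=() { :;}; echo VULNERABLE' "$bash_bin" -c "echo test" 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Report for interactive use; scripts should consume the return codes above.
shellshock_6271_check && echo "CVE-2014-6271: patched" || echo "CVE-2014-6271: VULNERABLE"
shellshock_7169_check && echo "CVE-2014-7169: patched" || echo "CVE-2014-7169: VULNERABLE"
```

Run it after updating bash; a patched system reports "patched" on both lines and leaves no "echo" file behind.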