The 1.bash shell is the default shell command interpreter for most Linux distributions, but a recent burst of bash shell has been exploited.
2. If bash is the default system shell, network attackers can attack servers and other Unix and Linux devices by sending Web requests, secure shells, Telnet sessions, or other programs that use bash to execute scripts. The vulnerability is comparable to the Heartbleed vulnerability in scope, and may not be Heartbleed high in dangerous degree.
3. The vulnerability affects GNU Bash v1.14 to v4.3, and major Linux distributions such as Red Hat Enterprise Linux (v4 to 7), Fedora, CentOS, Ubuntu, and Debian have all been patched. But the patch hasn't completely fixed the problem. You can enter the command env x= ' () {:;}; echo vulnerable ' bash-c "echo this is a test" to test your system for a vulnerability that would return "vulnerable this is a test" if a vulnerability exists.
4. My own test is as follows, but unfortunately my machine also has a loophole, because my bash version is 4.1.2:
[Email protected] ~]$ env x='() {:;}; Echo Vulnerable'Bash-c"echo This is a test"Vulnerable This isa test[[email protected]~]$/bin/sh--VERSIONGNU Bash, version4.1.2(1)-release (x86_64-redhat-linux-GNU) Copyright (C) theFree software Foundation, Inc.license GPLv3+: GNU GPL version3or later //gnu.org/licenses/gpl.html> This isFree software; redistribute it. There isNO WARRANTY, to the extent permitted by law. [[Email protected]~]$
Bash shell vulnerabilities and testing