A very serious security vulnerability (vulnerability reference https://access.redhat.com/security/cve/CVE-2014-6271) has been found in the Linux official built-in bash. Hackers can take advantage of this bash vulnerability to fully control the target system and launch an attack, in order to avoid your Linux server is affected, we recommend that you complete the patch as soon as possible, the repair method is as follows, please understand!
Special reminder: Linux official has given the latest solution, has resolved the bypassed bugs, we recommend that you complete the bug patch as soon as possible.
Linux Bash output results see date in the fix was successful
"Software and systems that have been identified for successful use"
All Linux operating systems that install the GNU Bash version less than or equal to 4.3.
"Vulnerability description"
The flaw stems from the special environment variables that you created before the bash shell you called, which can contain code and be executed by bash.
"Vulnerability Detection Method"
Vulnerability Detection command:
The code is as follows |
Copy Code |
Env-i x= ' () {(a) =>\ ' bash-c ' echo date '; Cat Echo Pre-Repair output: [root@localhost]# env-i x= ' () {(a) =>\ ' bash-c ' echo date '; Cat Echo BASH:X: Line 1:syntax error near unexpected token ' = ' Bash:x: Line 1: ' Bash:error importing function definition for ' X ' Sun Sep 19:02:00 CST 2014 |
The last row appears as a date, indicating a risk vulnerability to the system.
Patching Solution
CentOS: (Final Solution)
Yum Clean All
Yum Makecache
YUM-Y Update Bash
Ubuntu: (Final Solution)
Apt-get Update
Apt-get-y Install–only-upgrade Bash
Debian: (Final Solution)
Apt-get Update
Apt-get-y Install–only-upgrade Bash
After repair:
[root@localhost]# env-i x= ' () {(a) =>\ ' bash-c ' echo date '; Cat Echo
Date
Sun Sep 19:02:00 CST 2014
If you still see both date and date, the description is in effect, but the current bash hasn't been updated yet.
[root@localhost]# exit
Logout
When you exit and then log on, the date is not displayed.
[root@localhost]# env-i x= ' () {(a) =>\ ' bash-c ' echo date '; Cat Echo
Date
Cat:echo:No such file or directory
Eventually, only the date does not appear, which means that bash cannot be executed.