Shellshock - Am I vulnerable and what do I do?

Thu 25 September 2014


Shellshock is the latest Heartbleed-level vulnerability to be discovered. It's a long-standing bug in how bash handles environment variables. It's a good thing to fix ASAP, especially if you're running any old services like telnet, ftp or an old version of Apache.

Is my server vulnerable?

Run this:

env x='() { :;}; echo vulnerable' bash -c 'echo test'

If you see:

vulnerable
test

You should patch immediately.

However, if you see:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

You should be okay.
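
A host can carry more than one bash (the OSX steps below leave a second copy under /usr/local/bin), so the check is worth running against each binary. The script below is an added example, not part of the original post; the function names and the list of paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Paths below are assumed defaults.

# Classify one shell binary with the probe shown above.
# Prints: missing | vulnerable | patched | unknown
check_bash() {
    bin="$1"
    [ -x "$bin" ] || { echo missing; return 0; }
    # The marker word is printed only if the shell runs the text that
    # follows the function body while importing variable x.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *test*)       echo patched ;;
        *)            echo unknown ;;   # the shell never ran the command
    esac
}

# Check the usual install locations plus any extra paths given as arguments.
# Returns 1 if at least one binary is vulnerable, so it can gate a deploy.
scan_bashes() {
    rc=0
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash "$@"; do
        result=$(check_bash "$candidate")
        [ "$result" = missing ] && continue
        printf '%-28s %s\n' "$candidate" "$result"
        [ "$result" = vulnerable ] && rc=1
    done
    return "$rc"
}

scan_bashes || echo "at least one bash still needs patching"
```

A "patched" result only covers the test string from this post; it does not prove that later, related fixes are installed.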

How to fix?


On yum-based systems (RHEL, CentOS, Fedora):

yum update bash

On apt-based systems (Debian, Ubuntu):

sudo apt-get update && sudo apt-get install bash


Unless you're running OSX as a critical server somewhere remote, I'd hold off on this solution for now and wait for Apple to distribute an update. If you need to update now:

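  1. Install homebrew

  2. Run

    brew update

  3. Then run (use `brew install bash` instead if Homebrew has never installed bash on this machine)

    brew upgrade bash

  4. Back up your existing vulnerable bash

    cp /usr/local/bin/bash /usr/local/bin/bash_old

  5. Then symlink to the new brew-installed bash (`-f` replaces the file that is already at that path)

    ln -sf /usr/local/Cellar/bash/4.3.25/bin/bash /usr/local/bin/bash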

Finally reboot!

Note: These patches are coming out fast and... incomplete. So keep an eye on these solutions as time goes on, as I fear these patches might not solve the whole problem.
