# Linux Bash security flaw - September 2014 Sep 24, 2014 threads: * * * * * Stories: * * * * To test if machine is vulnerable, execute at the command prompt: `env x='() { :;}; echo vulnerable' bash -c "echo this is a test"` On my Digital Ocean-hosted Ubuntu server, the system returned: `vulnerable this is a test` I updated Bash by executing: sudo apt-get update && sudo apt-get install --only-upgrade bash Then after executing `env x='() { :;}; echo vulnerable' bash -c "echo this is a test"` again, the system returned: bash: warning: badvar: ignoring function definition attempt bash: error importing function definition for `badvar' bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' this is a test But as of Sep 24, 2014, the update is only a partial fix. I tested the servers that host my other sites, and those servers did not show the vulnerability. I would not be able to update those servers, since my accounts exist on shared servers. Web server CGI apps seem to be vulnerable. MeFi [comment](http://www.metafilter.com/143038/Running-a-server-Drop-everything-and-update-it-now#5747836)

... here's something from my web server logs: `"GET / HTTP/1.0" 200 616 "() { :; }; ping -c 11 209.126.230.74"` (this from a full ipv4 netblock scan being run by a security researcher). If my web server had been serving its homepage from a cgi script that invoked bash anywhere at all, at any point during the construction of the homepage, the consequence would have been a series of pings to the researcher's server. If you can run ping, you can run almost anything you like, including downloading a rootkit & going to town on the local server.

#linux - #security markdown=yes