We have several Amazon servers. They have bash version 4.1.2. Kaspersky claims that all bash versions up to 4.3 are unsafe. When I do this test...

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

... it returns hello, and even though Lifehacker says that I should get an error back (bash: warning: x: ignoring function definition attempt bash.....), I guess the simple "hello" is good enough. Still, I'm in doubt.

Can you explain what info I can trust?

SPRBRN

1 Answer

The version number of a program is not a good indication of the security issues that it has. When a security hole is found, it is standard practice to patch just this hole, and not to upgrade the program to a later version which may turn out to be incompatible in subtle cases.

Thus seeing that you have bash 4.1 does not give any information as to whether it is vulnerable to Shellshock. Use a test such as the one you've already found. Since env x='() { :;}; echo vulnerable' bash -c 'echo hello' does not print vulnerable, you are not vulnerable to the Shellshock bug. The fact that you don't see an error message either indicates that your copy of bash also has patches to fix related bugs found in the wake of Shellshock. The article mentioning these error messages is out of date: with the latest fixes, this command just prints hello.
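The answer distinguishes three outcomes of the same probe: it prints vulnerable (unpatched), it prints hello plus the "ignoring function definition attempt" warning (first fix only), or it prints a bare hello (fully patched). The script below, an added example that is not part of the question or the answer, runs exactly that probe against a bash binary and returns the classification as a string, so it can be dropped into a fleet inventory check. It assumes bash is on PATH (or that its path is passed as the first argument); the function name shellshock_status is my own.

```shell
#!/bin/sh
# Added example: classify a bash binary with the env-function probe from the page.
# Assumption: "bash" is on PATH, or its path is given as the first argument.
# Output on stdout is one of:
#   vulnerable            - the injected "echo vulnerable" ran (unpatched)
#   patched-with-warning  - only hello, plus the warning about a function definition attempt
#   patched               - only hello, no warning (current fixes applied)
#   no-bash / unknown     - binary missing, or output matched none of the above
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # Same probe as in the question; stderr is merged so the warning text is seen too.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo hello' 2>&1)
    case "$out" in
        *vulnerable*)
            echo "vulnerable"; return 1 ;;
        *"ignoring function definition attempt"*)
            # The warning case must be tested before the plain-hello case,
            # because this output also contains "hello".
            echo "patched-with-warning"; return 0 ;;
        *hello*)
            echo "patched"; return 0 ;;
        *)
            echo "unknown"; return 2 ;;
    esac
}

# Usage: report the status of the bash named on the command line (default: bash on PATH).
status=$(shellshock_status "${1:-bash}" || true)
echo "bash status: $status"
```

The exit code follows the classification (0 for either patched state, 1 for vulnerable, 2 when the check could not run), which makes the function usable directly from a config-management run or a cron job that alerts on a non-zero result.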