The Redhat security group fixed shellshock vulnerability in several steps and each step have its own CVE assigned: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187.
Security impact and attack vectors' investigation is published on Redhat Security Blog.
The fixed version of bash are released by the OS vendors:
- Red Hat: CVE-2014-6271 Bash: specially-crafted environment variables can be used to inject shell commands.
- Red Hat: CVE-2014-7169 bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271) .
- CentOS: Critical update for Bash released today.
- CloudLinux: Update for Bash remote vulnerability CVE-2014-6271.
- CloudLinux: Update for bash vulnerability CVE-2014-7169.
- Debian: DSA 3032-1, CVE-2014-6271: GNU Bash through 4.3 processes trailing strings after function.
- Debian: DSA-3035-1, CVE-2014-7169: GNU Bash through 4.3 bash43-025 processes trailing strings
- Ubuntu: USN-2362-1: Bash vulnerability.
- Ubuntu: USN-2363-2: Bash vulnerability.
Even though this vulnerability is not in a product of Parallels, it is highly recommended to install the update because it is possible to exploit the system over the network.
Please use the automated script to find out if installed version of Bash is vulnerable: BashCheck
NOTE: Recent versions of Bash 4.3 [Ubuntu 14.x, Debian Jessie] produce a false positive warning in the check for CVE-2014-7186 (redir_stack bug).
$ sh bashcheck Vulnerable to CVE-2014-6271 (original shellshock) Vulnerable to CVE-2014-7169 (taviso bug) ./bashcheck: line 18: 6671 Segmentation fault: 11 bash -c "true $(printf '< /dev/null Vulnerable to CVE-2014-7186 (redir_stack bug) Test for CVE-2014-7187 not reliable without address sanitizer Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)
$ sh bashcheck Not vulnerable to CVE-2014-6271 (original shellshock) Not vulnerable to CVE-2014-7169 (taviso bug) Not vulnerable to CVE-2014-7186 (redir_stack bug) Test for CVE-2014-7187 not reliable without address sanitizer Variable function parser inactive, likely safe from unknown parser bugs
To fix a vulnerable version, follow the instructions for updates installation from OS vendors' announcements. For RHEL and CloudLinux systems please use 'yum update bash' to get the latest version.
- Affected system components and possible workarounds for the additional security issue CVE-2014-7169 are described in the Redhat article Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271). For more information and affected components, see https://access.redhat.com/articles/1200223