Last Updated: February 25, 2016
· timfernihough

How to battle Shellshock and update Bash on Ubuntu 10.04 (Lucid)

On September 24th, 2014, a vulnerability in the Unix Bash Shell was discovered. Shellshock is a mistake in the code of Bash, which is typically installed on non-Windows operating systems such as Mac, Unix and Linux. The bug allows hackers to send commands to a computer without having admin status, letting them plant malicious software within systems. It was rated 10/10 for severity by the US government and affects as many as 500 million servers, routers and switches around the globe.

This is a big deal. If you are on a Managed Hosting subscription with companies like Acquia, Heroku, Mediatemple or Rackspace, chances are that they've already done the patching for you.

If you're running your own server or running servers not supported by Managed Services (like me on Rackspace), you're stuck patching this yourself.

If you are running newer versions of Ubuntu, chances are that most of the guides you'll find on the net are accurate and work. However, I spent several hours trying to find a solution that actually worked with older LTS versions (specifically Lucid 10.04 LTS).

Here is the step-by-step guide that I have put together to show how I determined that my Ubuntu 10.04 systems on Rackspace were vulnerable, ran the tests to find out which exploits applied, and then updated Bash.

Checking the bash version as reported by command line

bash -version

GNU bash, version 4.1.5(1)-release (x86_64-pc-linux-gnu)

Checking the Unix version as reported by command line

lsb_release -a

Distributor ID: Ubuntu

Description: Ubuntu 10.04 LTS

Release: 10.04

Codename: lucid

The above output confirms the version because I have catered this guide specifically to older versions. It may still work on newer ones but I have not tested that.

Test for Exploit 1 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271)

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

vulnerable

this is a test

If you see “vulnerable” in the output, then Bash is vulnerable.

Test for Exploit 2 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169)

env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo ; rm -f echo

bash: X: line 1: syntax error near unexpected token `='

bash: X: line 1: `'

bash: error importing function definition for `X'

Mon Sep 29 16:34:31 UTC 2014

If you see the current date, then Bash is vulnerable.

Test for Exploit 3

env -i X=' () { }; echo hello' bash -c 'date'

Mon Sep 29 16:34:43 UTC 2014

If you see “hello” in your output, then Bash is vulnerable.

Conducting steps required to update Bash to a new safe version

sudo apt-get update
sudo apt-get install --reinstall bash

Reading package lists... Done

Building dependency tree

Reading state information... Done

Suggested packages:

bash-doc

Recommended packages:

bash-completion

The following packages will be upgraded:

bash

1 upgraded, 0 newly installed, 0 to remove and 133 not upgraded.

Need to get 703kB of archives.

After this operation, 61.4kB disk space will be freed.

Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main bash 4.1-2ubuntu3.4 [703kB]

Fetched 703kB in 1s (583kB/s)

(Reading database ... 38079 files and directories currently installed.)

Preparing to replace bash 4.1-2ubuntu3 (using .../bash_4.1-2ubuntu3.4_amd64.deb) ...

Unpacking replacement bash ...

Processing triggers for man-db ...

Setting up bash (4.1-2ubuntu3.4) ...

update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode.

Reran exploit 1 test, achieved success

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

this is a test

The word “vulnerable” no longer appears in the output, so Bash is no longer vulnerable to this exploit.

Reran exploit 2 test, achieved success

env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo ; rm -f echo

date
cat: echo: No such file or directory

Bash now prints the literal word “date” and no file named echo is created, so it is no longer vulnerable to this exploit.

Reran exploit 3 test, no change, but was never vulnerable

env -i X=' () { }; echo hello' bash -c 'date'

Mon Sep 29 16:47:21 UTC 2014

No difference acknowledged but this particular exploit never affected my version.

As a note, at least in my scenario, running the:

bash -version

command didn't end up returning a different value after patching for some reason. However, running the same exploit tests again and seeing that the results are different tells me the patch applied successfully.

Shellshocker.net and Digital Ocean have some guides on how to patch other UNIX variants, including Ubuntu. I found, however, that older versions of Ubuntu, such as 10.04 LTS, don't support the following command as expected.

sudo apt-get update && sudo apt-get install --only-upgrade bash

It gives an error such as:

E: Sense only is not understood, try true or false

It was at this point that I sought out alternatives and was able to write out this guide. Hope this helps!
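The three tests above, wrapped as a repeatable check (an added example, not part of the original post). It runs them in a scratch directory and prints the installed package revision, the value the apt output above shows moving from 4.1-2ubuntu3 to 4.1-2ubuntu3.4 while Bash's own version string stayed the same. The function names and the BASH_BIN variable are made up for this example, and dpkg-query is assumed to be present, as it is on Ubuntu.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names and BASH_BIN
# are made up for this sketch; the three test strings are the post's own.
BASH_BIN="${BASH_BIN:-bash}"   # the Bash binary under test

# Tests 1 and 3: a vulnerable Bash prints the marker word on its own line.
# $1 = marker ("vulnerable" or "hello"), $2 = captured output.
has_marker() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Test 2: a vulnerable Bash writes the date into a file named "echo" in the
# working directory. $1 = directory the test was run in.
left_echo_file() {
    [ -e "$1/echo" ]
}

# Run the three tests in a throwaway directory so test 2 cannot create or
# delete a real file called "echo". Returns 0 = clean, 1 = vulnerable,
# 2 = could not run (a missing Bash must not be reported as "ok").
check_shellshock() {
    local bin dir out rc=0
    bin=$(command -v "$BASH_BIN") || { echo "no $BASH_BIN found"; return 2; }
    dir=$(mktemp -d) || return 2

    out=$(cd "$dir" && env x='() { :;}; echo vulnerable' "$bin" -c "echo this is a test" 2>&1)
    if has_marker vulnerable "$out"; then echo "test 1: VULNERABLE"; rc=1; else echo "test 1: ok"; fi

    (cd "$dir" && env X='() { (shellshocker.net)=>\' "$bin" -c "echo date" >/dev/null 2>&1)
    if left_echo_file "$dir"; then echo "test 2: VULNERABLE"; rc=1; else echo "test 2: ok"; fi

    out=$(cd "$dir" && env -i X=' () { }; echo hello' "$bin" -c 'date' 2>&1)
    if has_marker hello "$out"; then echo "test 3: VULNERABLE"; rc=1; else echo "test 3: ok"; fi

    rm -rf "$dir"
    return "$rc"
}

# The package revision is what changes when a distribution backports a fix;
# the upstream version string printed by Bash itself can stay the same.
package_revision() {
    dpkg-query -W -f='${Version}\n' bash 2>/dev/null || echo "unknown"
}

check_shellshock || echo "action needed (status $?)"
echo "bash package revision: $(package_revision)"
```

Run it before and after the upgrade and compare both the per-test lines and the package revision.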

2 Responses

@gump2, my sources.list values are as follows:

deb http://archive.ubuntu.com/ubuntu/ lucid main restricted universe

deb-src http://archive.ubuntu.com/ubuntu/ lucid main restricted universe

deb http://archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe

deb-src http://archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe

deb http://security.ubuntu.com/ubuntu/ lucid-security main restricted universe

deb-src http://security.ubuntu.com/ubuntu/ lucid-security main restricted universe

over 1 year ago ·

@gump2 - thanks for giving this a shot. Apparently following these steps for Ubuntu 10.04.1 LTS works but on Ubuntu 10.04.4 LTS it did not. Just a disclaimer for anyone trying these steps.

over 1 year ago ·