Rowanto Luo


Just another blog. or log.


CVE-2014-6271: what is it and how to check if you're vulnerable and fix it

What is actually CVE-2014-6271?

Actually redhat did a very good job describing it: https://access.redhat.com/articles/1200223
From what I've understood, it's basically a bug that allows you in bash to do some other command after the function declaration in a variable.

Let's change the example a little bit, so that it's more easier to read:

 env your_function='() { echo "your function do something";}; echo "but I can still add other command after your function"' bash -c "echo this is a test"

If you system is affected with the bug, if you run that command, you will see the text "but I can still add other command after your function".

So what did we do here actually? We're just basically just declaring some function, but the problem is that other commands can be added after the function, and they will be executed. That's why we're getting the text that we echo'ed after the function declaration, if the system is not vulnerable, there will be an error when the code is executed.

Since almost everybody use bash, this is easily a critical bug. But don't worry though, Debian and CentOs have already released a fix, so we should be able to fix it very quickly.

# Debian User
sudo apt-get update && sudo apt-get install bash

# Centos User
sudo yum update bash

Just try to run the script again after the bash upgrade, there should be an error.