Securing your CentOS 6 / FreePBX server against Shellshock Bash Vulnerability

Introduction

A very serious new security vulnerability was discovered on September 24, 2014. It was called Shellshock or The Bash Bug. The vulnerability was in the Bash package, and it allows attackers to execute malicious scripts on your server.

Since Bash is part of the CentOS Linux distribution that FreePBX ships on, your FreePBX system is most likely vulnerable to the Shellshock bug.

For more details about the bug you can check CVE-2014-6271 and CVE-2014-7169.

Is my system vulnerable to Shellshock?

You can check if your system is vulnerable to Shellshock by running this command:

env VAR='() { :;}; echo My system is vulnerable to Shellshock!!' bash -c "echo Testing Bash"

If you see the output below, then your current version of Bash can be attacked with Shellshock and should be updated right away:

My system is vulnerable to Shellshock!!
Testing Bash

Otherwise, if the output does not contain My system is vulnerable to Shellshock!!, your system is not vulnerable to this bug.
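The command above tests only CVE-2014-6271. The following script is an added example, not part of the original post: it wraps that check in a function and adds the widely published check for CVE-2014-7169 (the second CVE listed in the introduction), so both can be re-run after updating. It assumes bash and mktemp are on the PATH and only reads the result; it modifies nothing on the system.

```shell
#!/bin/sh
# Added example: report whether the installed bash is still affected by the
# two Shellshock CVEs. Exit status 0 means "not vulnerable" for each function.

# CVE-2014-6271: a function definition in an environment variable must not
# execute the command that follows it when bash imports the variable.
check_cve_2014_6271() {
    out=$(env VAR='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;   # trailing command ran: still vulnerable
        *)            return 0 ;;   # only "probe" printed: patched
    esac
}

# CVE-2014-7169: the first patch left a parser bug. On an unpatched bash the
# malformed function below turns "echo date" into a redirection that creates a
# file named "echo" in the current directory. Run it in a scratch directory.
check_cve_2014_7169() {
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return "$rc"
}

# Print one line per CVE; non-zero exit if either check still fails.
shellshock_status() {
    status=0
    if check_cve_2014_6271; then echo "CVE-2014-6271: not vulnerable"
    else echo "CVE-2014-6271: VULNERABLE - update bash"; status=1; fi
    if check_cve_2014_7169; then echo "CVE-2014-7169: not vulnerable"
    else echo "CVE-2014-7169: VULNERABLE - update bash"; status=1; fi
    return "$status"
}
```

Run `shellshock_status` before and after `yum update bash`; both lines should read "not vulnerable" once a complete fix is installed.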

Updating Bash using Yum on CentOS 6 / FreePBX

First you can try running the following command to update Bash automatically using Yum:

yum update bash

Fixing the Shellshock bug automatically using Yum may not work if you are using an older version of FreePBX Distro. In that case you can fix the Shellshock vulnerability manually.

Updating Bash manually on CentOS 6 / FreePBX

For 64-Bit systems:

cd /usr/src/
wget http://mirror.centos.org/centos-6/6/updates/x86_64/Packages/bash-4.1.2-15.el6_5.2.x86_64.rpm
rpm -Uvh bash-4.1.2-15.el6_5.2.x86_64.rpm

For 32-Bit systems:

cd /usr/src/
wget http://mirror.centos.org/centos-6/6/updates/i386/Packages/bash-4.1.2-15.el6_5.2.i686.rpm
rpm -Uvh bash-4.1.2-15.el6_5.2.i686.rpm

Conclusion

You can run the command again to check if your system is still vulnerable to Shellshock and the output should not contain My system is vulnerable to Shellshock!!

Make sure to update Bash on all your servers to keep them secure!

Note: (September 29, 2014) At this time, only an incomplete fix for the bug is released. This post will be updated when the full fix is available for Centos 6.
