How To Patch the ShellShock bash Bug on Older or Beta AWS Linux AMIs

This is the standard upgrade method for AWS Linux AMIs:

```sh
yum clean all
yum update bash
```
Or use this for the 2012.09, 2012.03, or 2011.09 repositories:

```sh
yum clean all
yum --releasever=2013.03 update bash
```
For older AWS Linux AMIs, you may not be able to use the standard upgrade method described at this link:
https://alas.aws.amazon.com/ALAS-2014-419.html
These are the steps needed to manually patch bash 4.1:

```sh
# 1. Confirm the current bash is vulnerable (prints "vulnerable" before the fix)
env x='() { :;}; echo vulnerable' bash -c "echo hello"
# 2. Keep a copy of the old binary and note the version
cp /bin/bash /bin/bash.old
bash --version
# 3. Install build tools and fetch the source
mkdir /usr/local/src/bashfix
cd /usr/local/src/bashfix
yum -y install patch byacc bison autoconf
wget https://ftp.gnu.org/pub/gnu/bash/bash-4.1.tar.gz
tar xvzf bash-4.1.tar.gz
cd bash-4.1
# 4. Create the patch script (contents below), apply the upstream patches, check the patch level
vim bash-multipatch.sh
chmod 755 bash-multipatch.sh
./bash-multipatch.sh
cat patchlevel.h
# 5. Build and run the test suite; echo $? should print 0
./configure && make && make test
echo $?
ls -l bash*
ls -l /bin/bash*
# 6. Install the patched binary and re-run the test (should now print only "hello")
cp -f bash /bin/bash
ls -l /bin/bash*
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash -version
# 7. Processes started before the replacement still run the old binary from memory:
#    find them (lsof marks the replaced file "(deleted)"), test one through /proc/<pid>/exe
#    (947 was the PID on this system), and restart the affected services
ps -ef | grep bash
lsof | grep bash | grep deleted
env var='() { ignore this;}; echo vulnerable' /proc/947/exe -c /bin/true
service mysqld restart
```
Here is the bash-multipatch.sh script you will need for bash 4.1. Be sure to check the ftp.gnu.org patch directories and update the lastpatch variable to match the latest patch number! Edit the version variables for other bash versions, such as 3.2.

```sh
#!/bin/sh
# bash-multipatch.sh
# A quick script file for downloading and applying multiple patches when manually compiling GNU bash on Linux
# Written (mostly) by Steve Cook with (a little) help from Steve Jenkins
# This really seems like a lame way to have to do this, but it works. Use at your own risk.

# You can edit these variables

# Uncomment below for bash version 4.1: GNU bash, version 4.1.2(1)-release (i386-redhat-linux-gnu)
version="4.1"
nodotversion="41"
lastpatch="15"

# Uncomment below for bash version 3.2: GNU bash, version 3.2.25(1)-release (x86_64-redhat-linux-gnu)
#version="3.2"
#nodotversion="32"
#lastpatch="55"

# You probably do not want to edit anything below this line

# Run from inside the unpacked bash source directory. Each upstream patch is
# applied with -p0, as the patch files expect; -N skips patches already applied.
for i in `seq 1 $lastpatch`; do
    number=$(printf %02d $i)
    file="https://ftp.gnu.org/pub/gnu/bash/bash-${version}-patches/bash${nodotversion}-0$number"
    echo "$file"
    curl "$file" | patch -N -p0
done
```
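As an added example (not from this post or from Steve Jenkins' scripts), the two verification checks at the end of the step list, the function-import test and the search for processes still running a replaced bash, wrapped into reusable POSIX sh functions. The lsof input is a constructed sample in lsof's default column layout, and the binary to test is passed as a parameter.

```sh
#!/bin/sh
# Added example: post-patch verification helpers (not part of the original post).

# shellshock_test BIN: prints "vulnerable" if BIN still executes the command that
# trails a function definition imported from the environment (the same test used
# in the step list), "patched" if it only prints hello, "missing" if BIN is not
# an executable. Exit status 1 / 0 / 2 respectively.
shellshock_test() {
    bin="$1"
    [ -x "$bin" ] || { echo "missing"; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo hello' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# stale_bash_from_lsof: reads lsof output on stdin and prints the PIDs whose
# executable mapping (FD "txt") is a bash binary that lsof marks "(deleted)",
# meaning the file on disk was replaced after the process started and the old,
# unpatched code is still in memory. Assumes lsof's default column order:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME.
stale_bash_from_lsof() {
    awk '$4 == "txt" && $NF == "(deleted)" && $(NF-1) ~ /\/bash$/ { print $2 }' | sort -u
}

# Constructed sample lsof output: one bash started before the binary was replaced
# (PID 947), one started afterwards, and an unrelated process.
SAMPLE_LSOF='COMMAND   PID USER     FD  TYPE DEVICE SIZE/OFF   NODE NAME
bash      947 root     txt REG  202,1    938832 134327 /bin/bash (deleted)
bash     1203 ec2-user txt REG  202,1    941088 134329 /bin/bash
mysqld   1150 mysql    txt REG  202,1   9254224 265891 /usr/libexec/mysqld'

# Returns the stale PIDs found in the sample; on a live host pipe `lsof` in instead.
stale_pids_in_sample() {
    printf '%s\n' "$SAMPLE_LSOF" | stale_bash_from_lsof
}

# Stand-alone run: report on the system bash, then list stale PIDs from the sample.
shellshock_test /bin/bash || :
stale_pids_in_sample
```

Every PID the second function prints belongs to a process that must be restarted (or whose service must be restarted, as with mysqld in the step list) before the host can be considered fully patched.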
All credit goes to Steve Jenkins for these two posts, which I read carefully and whose steps I worked through:
http://stevejenkins.com/blog/2014/09/how-to-manually-update-bash-to-patch-shellshock-bug-on-older-fedora-based-systems/
http://stevejenkins.com/blog/2014/09/shellshock-warning-even-after-patching-your-old-vulnerable-bash-binary-could-be-resurrected-from-memory/
These are the links to the bash repos I needed:
https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/
https://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/
René said on October 9, 2014, 11:37 am:
Thanks for this post, really helped me out when I saw that one of my machines is Amazon Linux Image 1 (beta). Worked like a charm and I really liked the “security” measures (I'm not a fan of stupid c&p).