
Security Update on CVE-2014-6271 (Shellshock)

As many of you have heard, there are open Bash vulnerabilities, CVE-2014-6271 and CVE-2014-7169. The common vectors for arbitrary code execution through these CVEs include bash exposed via certain web applications and dhcpcd scripts. Additionally, SSH accounts restricted by the command= option on their ssh key can bypass that restriction.

By default, CoreOS is not configured in a way that would allow these issues to be exploited. Regardless, we are working to further protect our users by incorporating the fixes, once released and verified, into a new build. We were prepared to roll out a new release yesterday (September 24th, 2014), but the original fix for the CVEs was found by the upstream developers to be insufficient.

If you are running containers on top of CoreOS that utilize a vulnerable bash and that bash is exposed to the open internet via a mechanism like CGI, then you will need to update your containers accordingly.

Versions of CoreOS with vulnerable bash

All CoreOS channels, including Stable, Beta, and Alpha, ship with bash 4.2.20, which is affected by CVE-2014-6271 and CVE-2014-7169.

$ bash --version
GNU bash, version 4.2.20(1)-release (x86_64-cros-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

When will this be fixed?

CoreOS is actively tracking the open CVEs and is prepared to release 410.1.0 (Stable), 440.2.0 (Beta), and an Alpha release once CVE-2014-6271 and CVE-2014-7169 have been patched upstream and verified by the CoreOS team.

What can I do to protect myself?

  • Disable the use of dhcpcd on untrusted networks. dhcpcd is not the default DHCP mechanism on CoreOS.
  • Disable the SSH option AcceptEnv in sshd.conf, and disable ssh keys restricted by a command= option in authorized_keys.
  • Update any containers which expose Bash to the open internet via a mechanism like CGI.
  • If you have disabled automatic application of updates, be sure to monitor your systems for new updates and reboot your machines accordingly.
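While waiting for the patched build, operators running CGI-backed containers can at least find out whether anyone is probing them. The following is an added detection example, not code from CoreOS or from this post: it parses constructed combined-format web access log lines and flags requests whose header-derived fields (request line, Referer, User-Agent) carry the bash function-definition prefix that CVE-2014-6271 probes rely on. The log lines and IPs are made up; the regex for the combined log format is an assumption about your web server's log layout.

```python
"""Flag Shellshock-style probes in combined-format access logs (added example).

A CGI script backed by a vulnerable bash receives request headers such as
User-Agent and Referer as environment variables, so probes put a bash function
definition there. The defensive check: does any header-derived field contain
the function-definition prefix "() {"?
"""
import re
from typing import Dict, List, Optional

# Combined log format (assumed): ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# An exported bash function definition begins with "() {"; tolerate missing whitespace.
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shellshock_probes(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per request whose request line, Referer or User-Agent
    contains a function-definition prefix; the first matching field is reported."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the scan
        for field in ("request", "referer", "agent"):
            if FUNC_DEF_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "field": field, "request": rec["request"]})
                break
    return hits


# Constructed sample log lines; documentation-range IPs, no real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:15:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"',
    '198.51.100.4 - - [25/Sep/2014:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [25/Sep/2014:10:15:03 +0000] "GET /cgi-bin/status HTTP/1.1" 404 209 "(){ echo probe; }" "curl/7.37.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f"{hit['ip']} probe in {hit['field']}: {hit['request']}")
```

A hit only tells you that a probe arrived, not that it succeeded; the mitigation remains updating the container's bash or removing the CGI exposure.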