A simple command you can execute to check your machine.
About the security flaw
From RedHat’s report on the topic:
Bash or the Bourne again shell, is a UNIX like shell, which is perhaps one of the most installed utilities on any Linux system. From its creation in 1980, Bash has evolved from a simple terminal based command interpreter to many other fancy uses.
…
the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the Bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents. As a result, this vulnerability is exposed in many contexts
Here’s another article from Ars Technica.
How to tell if you’re vulnerable?
(Adapted from RedHat)
To check if your system is vulnerable, cut and paste the following onto the command line:
env x='() { :;}; echo you are vulnerable' bash -c "echo "
If the system reports “you are vulnerable” — you guessed it, you are vulnerable. Here’s what it looks like on my MacBook Pro:
If instead, nothing prints out, or you get a warning message, your system is most likely protected against this exploit. Here’s the example output from a secured machine:
What to do?
If the machine in question is a server, get the security patch right away. If the machine is your personal laptop, for instance, the risk is lower. Most Unix-based distributions have issued patches and published upgrade instructions. As of this writing, Apple has not yet issued a patch for MacOS.
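A machine often carries more than one bash binary (a system copy plus a locally installed one), and patching one does not fix the others. The script below is an added example, not part of the original post or of RedHat's report: it runs the same probe against each bash it can find. The function names, the marker string and the fixed list of install paths are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): run the article's probe against
# every bash binary on the machine, not only the first one in PATH.
MARKER="probe_marker_$$"   # constructed string, unique per run

# check_bash PATH: prints "vulnerable", "patched" or "missing".
check_bash() {
    if [ ! -x "$1" ]; then
        echo "missing"
        return 0
    fi
    # Same probe as above: a function body followed by a trailing command.
    # Warnings from patched builds go to stderr and are discarded.
    out=$(env x="() { :;}; echo $MARKER" "$1" -c 'echo done' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "patched" ;;
    esac
}

# candidate_shells: unique bash paths from PATH, /etc/shells and common
# install locations (the fixed list is an assumption; extend as needed).
candidate_shells() {
    {
        command -v bash || true
        if [ -r /etc/shells ]; then grep '/bash$' /etc/shells || true; fi
        printf '%s\n' /bin/bash /usr/bin/bash /usr/local/bin/bash
    } 2>/dev/null | sort -u
}

# scan_all: one line per binary found; returns 1 if any is vulnerable.
scan_all() {
    found=0
    for b in $(candidate_shells); do   # assumes paths without whitespace
        result=$(check_bash "$b")
        if [ "$result" = "missing" ]; then continue; fi
        printf '%-11s %s\n' "$result" "$b"
        if [ "$result" = "vulnerable" ]; then found=1; fi
    done
    return "$found"
}

scan_all || echo "patch the binaries marked vulnerable"
```

Re-run it after upgrading: every line should read `patched` before the machine is considered fixed.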
Helpful Smurf
September 26, 2014
Cutting and pasting your command didn’t work. Try this instead:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
Tucker Balch
September 26, 2014
Thanks Smurf. Cutting and pasting should work now. What happened was that WordPress was somehow bastardizing the raw text by converting the quotes into different symbols. I found a way to prevent it from doing that. So it is working for now.