Netmail Secure, all versions


A security vulnerability in the GNU Bourne Again Shell (Bash), dubbed 'Shellshock', may allow attackers to execute code on Linux, Unix, and Mac OS X systems, leaving them open to exploits against Web servers. The initial patch for the vulnerability was incomplete and still allows attacks to succeed, according to US-CERT alert CVE-2014-7169.

The bug is related to how Bash processes environment variables passed either by the OS or by a program calling a Bash-based script. If Bash is configured as the default system shell, network-based attackers can use it against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other code that uses Bash to execute scripts. The vulnerability affects versions 1.14 through 4.3 of GNU Bash.


Patches have been issued for affected versions by the major Linux distribution vendors, including:

• Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution

• CentOS (versions 5 through 7)

• Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS

• Mac OS X 10.9.4 ("Mavericks") uses a vulnerable version of Bash not yet patched by Apple, who just issued a command line tools update.


Although Bash is often considered a local shell, it is often used by Apache servers to execute CGI scripts for dynamic content (through mod_cgi and mod_cgid). The implication is that a specially designed web request targeting vulnerable CGI applications may be able to launch code on the server. Similar attacks are possible via OpenSSH, which could even allow restricted SSH sessions to bypass controls and execute code on the server.

Determining Vulnerability

It is easy to determine if an unpatched Linux or Unix system is vulnerable. Open a command line and type the following:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


If the system is vulnerable, the output returned will be the lines shown below:

vulnerable

this is a test


A system that is patched or not vulnerable to the exploit will return the following:

 bash: warning: x: ignoring function definition attempt

 bash: error importing function definition for `x'

 this is a test
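The check above, wrapped as an added example (not Netmail's own tooling) that runs it against every Bash binary found on a host and classifies each by whether the injected echo actually ran. The function names, the marker string and the use of PATH and /etc/shells to locate binaries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Netmail code): run the article's test against each bash
# binary on the host and classify the result by whether the injected echo ran.

# classify_output MARKER OUTPUT
# Prints "vulnerable" only if one whole output line equals MARKER, i.e. the
# command trailing the function definition was executed on import.
# A warning, or no extra output at all, both count as "not-vulnerable",
# so the verdict does not depend on the exact warning text.
classify_output() {
    if printf '%s\n' "$2" | grep -Fxq -- "$1"; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
}

# check_bash PATH
# Runs the test from "Determining Vulnerability" against one bash binary.
check_bash() {
    bash_bin=$1
    [ -x "$bash_bin" ] || { echo missing; return 0; }
    marker="shellshock-check-$$"   # constructed marker, unlikely in normal output
    out=$(env x="() { :;}; echo $marker" "$bash_bin" -c 'echo this is a test' 2>&1) || true
    classify_output "$marker" "$out"
}

# list_bash_binaries
# Assumption: copies of bash are found via PATH and /etc/shells; extend as needed.
list_bash_binaries() {
    {
        command -v bash || true
        if [ -r /etc/shells ]; then grep -E '^/.*/bash$' /etc/shells || true; fi
    } | sort -u
}

# scan_all: prints one "status<TAB>path" line per binary found.
scan_all() {
    list_bash_binaries | while IFS= read -r b; do
        printf '%s\t%s\n' "$(check_bash "$b")" "$b"
    done
}

scan_all
```

Any line reporting `vulnerable` identifies a binary that still needs the updated Bash package.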


The current global fix for the vulnerability is to update Bash so that a patched version of the shell is in place. The Netmail Secure distribution is SUSE Linux Enterprise Server 11 SP1, so an updated Bash rpm should be installed on vulnerable machines as quickly as possible. That said, to ensure the security of Netmail customer environments, we are currently testing a patch that was released for the OS to make sure that no issues are associated with applying it to Netmail Secure nodes. This page will be updated with more information as it becomes available.

It is unlikely that a Netmail Secure box can be exploited via the Bash bug. The Netmail code does not run CGI scripts, and it is equally unlikely that a child process will be created prior to authentication. Since it is not possible for anyone except an administrator to remotely connect to a Secure node and access the Bash shell to execute arbitrary commands, Netmail Secure is not likely at risk unless you allow SSH access from remote connections or a web server that runs server-side scripting. A vulnerability only exists if unauthorized persons can remotely access the Netmail Secure server and do so in a way that allows execution of Bash commands.


Updating Bash on Netmail Store

We recommend an upgrade to the latest version of Bash to close the security hole.

On the cluster services node (CSN), the platform distribution must first be unlocked, and then relocked after the update.
Instructions for removing the CSN version lock in order to update Bash are provided below (tested in-house). You will need root privileges to do this:

1. Disable the version lock by editing /etc/yum/pluginconf.d/versionlock.conf and setting enabled = 0.

2. Update bash, e.g.: yum -y update bash

3. Enable the version lock by editing /etc/yum/pluginconf.d/versionlock.conf and setting enabled = 1.

4. Re-write the versionlock list by running rpm -qa | grep -v caringo >/etc/yum/pluginconf.d/version


Updating Bash on Netmail Secure

A Bash update is available for Netmail Secure via the built-in auto-update functionality. Please contact Support if this feature is not working for you.

