Shellshock – Bash Vulnerability
September 30, 2014
A serious bug in Bash was discovered last week. According to multiple sources this bug has been in Bash since 1992. Shellshock allows an attacker to execute arbitrary code in Bash by setting specific environment variables. Two CVE numbers have been assigned: CVE-2014-6271 and CVE-2014-7169.
If you aren’t a Linux user you may not be familiar with Bash. Bash is a command shell used to issue commands to the computer via a text terminal. It is the default shell on Linux and Mac computers.
How does this affect me?
- If you are a Mac user, your machine is vulnerable to this bug. Apple has released a patch HERE.
- More than half of all web servers are Linux or Unix based. This means that an attacker can take over a web site and use it to infect the machines of users that visit the site.
Mac users: make sure that your version of Mac OS X has been patched.
Linux users: you will need to update Bash on your machine. The links below are for some of the more common distributions:
NOTE: at this time iOS and Android are not considered vulnerable, unless they have been jail-broken and have had Bash installed on them. Many terminal apps for both iOS and Android are based on Bash.
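To confirm that an update actually took effect, the following added example (not part of the original post) runs the widely published self-test for each of the two CVEs against a Bash binary and reports the result. The function names, the variable name `probe` and the marker string are assumptions made for this example.

```shell
#!/bin/sh
# Local self-check: is the given bash binary patched against Shellshock?
# Each function prints "vulnerable", "patched" or "not-found".

# CVE-2014-6271: a vulnerable bash imports any environment variable whose
# value starts with "() {" as a function and runs the text that follows it.
check_cve_2014_6271() {
    ss_bin="${1:-bash}"
    command -v "$ss_bin" >/dev/null 2>&1 || { echo not-found; return 0; }
    # The trailing command only echoes a harmless marker string.
    ss_out=$(env 'probe=() { :; }; echo SHELLSHOCK_MARKER' \
        "$ss_bin" -c 'echo done' 2>/dev/null) || true
    case "$ss_out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# CVE-2014-7169: the first patch was incomplete. A parser error in the
# imported value leaves a pending redirection, so "echo date" is read as
# "> echo date" and a file named "echo" appears in the working directory.
check_cve_2014_7169() {
    ss_bin="${1:-bash}"
    command -v "$ss_bin" >/dev/null 2>&1 || { echo not-found; return 0; }
    ss_tmp=$(mktemp -d) || { echo not-found; return 0; }
    # Run inside a scratch directory so nothing else is touched.
    ( cd "$ss_tmp" && env 'probe=() { (a)=>\' \
        "$ss_bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$ss_tmp/echo" ]; then
        ss_result=vulnerable
    else
        ss_result=patched
    fi
    rm -rf "$ss_tmp"
    echo "$ss_result"
}

# Report on the bash found in PATH, or on the path given as first argument.
shellshock_report() {
    echo "CVE-2014-6271: $(check_cve_2014_6271 "$1")"
    echo "CVE-2014-7169: $(check_cve_2014_7169 "$1")"
}

shellshock_report "${1:-bash}"
```

If either line reports `vulnerable`, the installed Bash still needs the vendor update; re-run the check after updating.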
More information can be found at the links below:
https://isc.sans.edu/forums/diary/Update+on+CVE-2014-6271+Vulnerability+in+bash+shellshock+/18707
http://krebsonsecurity.com/2014/09/shellshock-bug-spells-trouble-for-web-security/