Shellshock (software bug)

"Bash bug" redirects here. For the related bug reporting tool, see Bash (Unix shell) § Bug reporting. For the arcade skill game, see Bashy Bug.

Shellshock
A simple Shellshock logo, similar to the Heartbleed bug logo.
CVE identifier(s)CVE-2014-6271 (initial),
CVE-2014-6277,
CVE-2014-6278,
CVE-2014-7169,
CVE-2014-7186,
CVE-2014-7187
Date discovered12 September 2014; 10 years ago (2014-09-12)
Date patched24 September 2014; 10 years ago (2014-09-24)
DiscovererStéphane Chazelas
Affected softwareBash (1.0.3–4.3)

Shellshock, also known as Bashdoor,[1] is a family of security bugs[2] in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access[3] to many Internet-facing services, such as web servers, that use Bash to process requests.

On 12 September 2014, Stéphane Chazelas informed Bash's maintainer Chet Ramey[1] of his discovery of the original bug, which he called "Bashdoor". Working with security experts, Mr. Chazelas developed a patch[1] (fix) for the issue, which by then had been assigned the vulnerability identifier CVE-2014-6271.[4] The existence of the bug was announced to the public on 2014-09-24, when Bash updates with the fix were ready for distribution.[5]

The bug Chazelas discovered caused Bash to unintentionally execute commands when the commands are concatenated to the end of function definitions stored in the values of environment variables.[1][6] Within days of its publication, a variety of related vulnerabilities were discovered (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187). Ramey addressed these with a series of further patches.[7][8]

Attackers exploited Shellshock within hours of the initial disclosure by creating botnets of compromised computers to perform distributed denial-of-service attacks and vulnerability scanning.[9][10] Security companies recorded millions of attacks and probes related to the bug in the days following the disclosure.[11][12]

Because of the potential to compromise millions of unpatched systems, Shellshock was compared to the Heartbleed bug in its severity.[3][13]

  1. ^ a b c d Perlroth, Nicole (25 September 2014). "Security Experts Expect 'Shellshock' Software Bug in Bash to Be Significant". New York Times. Retrieved 25 September 2014.
  2. ^ Although described in some sources as a "virus," Shellshock is instead a design flaw in a program that comes with some operating systems. See => Staff (25 September 2014). "What does the "Shellshock" bug affect?". The Safe Mac. Archived from the original on 29 September 2014. Retrieved 27 September 2014.
  3. ^ a b Seltzer, Larry (29 September 2014). "Shellshock makes Heartbleed look insignificant". ZDNet. Retrieved 29 September 2014.
  4. ^ Florian Weimer (24 September 2014). "Re: CVE-2014-6271: remote code execution through bash". oss-sec (Mailing list). Retrieved 1 November 2014.
  5. ^ Florian Weimer (24 September 2014). "Re: CVE-2014-6271: remote code execution through bash". oss-sec (Mailing list). Retrieved 1 November 2014.
  6. ^ Leyden, John (24 September 2014). "Patch Bash NOW: 'Shell Shock' bug blasts OS X, Linux systems wide open". The Register. Retrieved 25 September 2014.
  7. ^ Cite error: The named reference ITN-20140929 was invoked but never defined (see the help page).
  8. ^ Cite error: The named reference zdnet-betterbash was invoked but never defined (see the help page).
  9. ^ Cite error: The named reference Wired was invoked but never defined (see the help page).
  10. ^ Cite error: The named reference IT-20140926-JS was invoked but never defined (see the help page).
  11. ^ Cite error: The named reference NYT-20140926-NP was invoked but never defined (see the help page).
  12. ^ Cite error: The named reference businessweek was invoked but never defined (see the help page).
  13. ^ Cerrudo, Cesar (30 September 2014). "Why the Shellshock Bug Is Worse than Heartbleed". MIT Technology Review. Retrieved 1 October 2014.