Shellshock a.k.a. Bashbleed

September 25, 2014

What is Shellshock?

On 24/09/2014, a security vulnerability was published as CVE-2014-6271 (also Shellshock or Bashbleed). The vulnerability is in the command line software bash which is used in practically all Linux systems as the default shell. Due to an error when parsing environment variables, it is possible to execute arbitrary commands. The vulnerability can under certain circumstances be exploited by an external attacker.

Update 29/09/2014: The gap is already exploited for automated attacks, shown through the observation of Honeypot systems.

Impact

The danger is that bash is used implicitly in many places, whereby external attack opportunities over the Internet exist. Most obviously are attacks over web servers that offer CGI scripts. Running CGI scripts includes invoking the bash, whereby user inputs are entrained as environment variables. Therefore, it is possible for an attacker – under certain circumstances – to execute own commands on the vulnerable web server and thus to take over this web server!

More information about checks and rectification can be found here.

Contact

For more information or assistance with checks please contact: bashbleed@sba-research.org

Name	SBA Research Cookie
Provider	SBA Research
Purpose	Saves the settings of the visitors selected in the cookie box.
Cookie name	sba-research-cookie
Cookie runtime	1 year

Name	YouTube
Provider	YouTube
Purpose	Used to unblock YouTube content.
Privacy policy	https://policies.google.com/privacy
Host(s)	google.com
Cookie name	NID
Cookie runtime	6 months

Name	Vimeo
Provider	Vimeo
Purpose	Used to unblock Vimeo content.
Privacy policy	https://vimeo.com/privacy
Host(s)	player.vimeo.com
Cookie name	vuid
Cookie runtime	2 years

News