Shellshock (software bug): Difference between revisions

rvv
 
}}
 
'''Shellshock''', also known as '''Bashdoor''',<ref name="NYT-20140925-NP">{{cite news |last=Perlroth |first=Nicole |title=Security Experts Expect 'Shellshock' Software Bug in Bash to Be Significant |url=https://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html |date=25 September 2014 |work=[[New York Times]] |access-date=25 September 2014 }}</ref> is a family of [[security bug]]s<ref name="TSM-20140927">Although described in some sources as a "virus," Shellshock is instead a design flaw in a program that comes with some operating systems. See: {{cite web |author=Staff |title=What does the "Shellshock" bug affect? |url=http://www.thesafemac.com/what-does-the-shellshock-bug-affect/ |date=25 September 2014 |work=The Safe Mac |access-date=27 September 2014 |archive-date=29 September 2014 |archive-url=https://web.archive.org/web/20140929053202/http://www.thesafemac.com/what-does-the-shellshock-bug-affect/ |url-status=dead }}</ref> in the [[Unix]] [[Bash (Unix shell)|Bash]] [[shell (computing)|shell]], the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to [[arbitrary code execution|execute arbitrary command]]s and gain unauthorized access<ref name="ZDN-20140929">{{cite web |last=Seltzer |first=Larry |title=Shellshock makes Heartbleed look insignificant |url=https://www.zdnet.com/article/shellshock-makes-heartbleed-look-insignificant-7000034143/ |date=29 September 2014 |work=[[ZDNet]] |access-date=29 September 2014 }}</ref> to many Internet-facing services, such as web servers, that use Bash to process requests.
 
On 12 September 2014, Stéphane Chazelas informed Bash's maintainer Chet Ramey<ref name="NYT-20140925-NP" /> of his discovery of the original bug, which he called "Bashdoor". Working with security experts, Mr. Chazelas developed a [[Patch (computing)|patch]]<ref name="NYT-20140925-NP" /> (fix) for the issue, which by then had been assigned the vulnerability identifier ''{{CVE|2014-6271}}''.<ref name="seclist-q3-650">{{cite mailing list|url=http://seclists.org/oss-sec/2014/q3/650 |mailing-list=oss-sec |title=Re: CVE-2014-6271: remote code execution through bash|author=Florian Weimer|date=24 September 2014|access-date=1 November 2014}}</ref> The existence of the bug was announced to the public on 2014-09-24, when Bash updates with the fix were ready for distribution.<ref name="seclist-q3-666">{{cite mailing list|url=http://seclists.org/oss-sec/2014/q3/666|mailing-list=oss-sec |title=Re: CVE-2014-6271: remote code execution through bash|author=Florian Weimer|date=24 September 2014|access-date=1 November 2014}}</ref>
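The shell script below is an added detection example; it is not code from this article, from Bash, or from any of the cited sources. It assumes an Apache combined-format access log (the sample lines are constructed, not real traffic) and looks for the "() {" function-definition prefix that exploitation attempts against Bash-backed CGI handlers carried in HTTP header values, the request path the article describes for web servers that use Bash to process requests.

```shell
#!/bin/sh
# Added detection example (not part of the Wikipedia article or of Bash).
# Exploitation attempts against CGI-fronted Bash placed a function definition
# in an HTTP header value; such a value begins with "() {", the marker this
# helper searches for in an Apache combined-format access log.

# Constructed sample log lines, not real traffic. Line 2 carries the marker
# in the User-Agent field, line 3 in the Referer field; line 4 contains
# ordinary parentheses and must not match.
SAMPLE_LOG_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_LOG_FILE"' EXIT
cat > "$SAMPLE_LOG_FILE" <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "() { :;}; /bin/true"
192.0.2.12 - - [25/Sep/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { :; }; /bin/true" "curl/7.37.0"
192.0.2.13 - - [25/Sep/2014:10:00:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible)"
EOF

# Extended regular expression for the marker: "()" followed by optional
# whitespace and an opening brace.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

# Print the number of lines in log file $1 that carry the marker (0 if none).
count_shellshock_lines() {
    grep -c -E "$SHELLSHOCK_RE" "$1" || true
}

# Print the distinct client addresses (first log field) that sent a marked
# request, one per line, sorted.
shellshock_sources() {
    grep -E "$SHELLSHOCK_RE" "$1" | cut -d' ' -f1 | sort -u
}

# Print only the marked lines whose request targets a CGI path, the requests
# most likely to have reached a Bash-backed handler.
shellshock_cgi_hits() {
    grep -E "$SHELLSHOCK_RE" "$1" | grep -E '"(GET|POST|HEAD) /cgi-bin/'
}

echo "marked lines: $(count_shellshock_lines "$SAMPLE_LOG_FILE")"
echo "sources:"
shellshock_sources "$SAMPLE_LOG_FILE"
echo "CGI hits:"
shellshock_cgi_hits "$SAMPLE_LOG_FILE"
```

To use it on a real server, point the three functions at the actual access log instead of the constructed file. A match records an attempt, not a successful compromise: whether the request did anything depends on whether the handler invoked an unpatched Bash, so hits should be correlated with the Bash package version and with process or outbound-connection records from the same time window.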
 
===CVE-2014-7186===
Florian Weimer and Todd Sabin found this bug ({{CVE|2014-7186}}),<ref name="zdnet-betterbash">{{cite web|last1=Vaughan-Nichols|first1=Steven|title=Shellshock: Better 'bash' patches now available|url=https://www.zdnet.com/article/shellshock-better-bash-patches-now-available-7000034115/|publisher=ZDNet|access-date=29 September 2014|date=27 September 2014 }}</ref><ref name="lcamtuf-oct-1" /> which relates to an [[buffer overflow|out-of-bounds memory access error]] in the Bash parser code.<ref>{{cite web |author=Staff |title=National Cyber Awareness System Vulnerability Summary for CVE-2014-7186 |url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186 |date=29 September 2014 |work=[[National Institute of Standards and Technology]] |access-date=1 October 2014 }}</ref>
 
An example of the vulnerability, which leverages the use of multiple "<<EOF" declarations (nested [[Here document|"here documents"]]):