Shellshock (software bug): Difference between revisions

Tjt263 (talk | contribs)
Updated affected versions in the infobox to include up to v4.3, as determined personally and supported by secondary sources (e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
mNo edit summary
'''Shellshock''', also known as '''Bashdoor''',<ref name="NYT-20140925-NP">{{cite news |last=Perlroth |first=Nicole |title=Security Experts Expect 'Shellshock' Software Bug in Bash to Be Significant |url=https://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html |date=25 September 2014 |work=[[New York Times]] |accessdate=25 September 2014 }}</ref> is a family of [[security bug]]s<ref name="TSM-20140927">Although described in some sources as a "virus," Shellshock is instead a design flaw in a program that comes with some operating systems. See => {{cite web |author=Staff |title=What does the "Shellshock" bug affect? |url= http://www.thesafemac.com/what-does-the-shellshock-bug-affect/|date=25 September 2014 |work=The Safe Mac |accessdate=27 September 2014 }}</ref> in the [[Unix]] [[Bash (Unix shell)|Bash]] [[shell (computing)|shell]], the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to [[arbitrary code execution|execute arbitrary command]]s and gain unauthorized access<ref name="ZDN-20140929">{{cite web |last=Seltzer |first=Larry |title=Shellshock makes Heartbleed look insignificant |url=http://www.zdnet.com/shellshock-makes-heartbleed-look-insignificant-7000034143/ |date=29 September 2014 |work=[[ZDNet]] |accessdate=29 September 2014 }}</ref> to many Internet-facing services, such as web servers, that use Bash to process requests.
 
On 12 September 2014, Stéphane Chazelas informed Bash's maintainer Chet Ramey<ref name="NYT-20140925-NP" /> of his discovery of the original bug, which he called "Bashdoor". Working with security experts, he developed a [[Patch (computing)|patch]]<ref name="NYT-20140925-NP" /> (fix) for the issue, which by then had been assigned the vulnerability identifier ''{{CVE|2014-6271}}''.<ref name="NYT-20140925-NP" /><ref name="seclist-q3-650">{{cite web|url=http://seclists.org/oss-sec/2014/q3/650|title=oss-sec: Re: CVE-2014-6271: remote code execution through bash|publisher=|author=Florian Weimer|work=[[Seclists.org]]|date=24 September 2014|accessdate=1 November 2014}}</ref> The existence of the bug was announced to the public on {{date|2014-09-24}} when Bash updates with the patch were ready for distribution.<ref name="seclist-q3-666">{{cite web|url=http://seclists.org/oss-sec/2014/q3/666|title=oss-sec: Re: CVE-2014-6271: remote code execution through bash|publisher=|author=Florian Weimer|work=[[Seclists.org]]|date=24 September 2014|accessdate=1 November 2014}}</ref>
 
The bug Chazelas discovered caused Bash to unintentionally execute commands when they were concatenated to the end of [[subroutine|function definitions]] stored in the values of [[environment variable]]s.<ref name="NYT-20140925-NP" /><ref name="TR-20140924">{{cite web |last=Leyden |first=John |title=Patch Bash NOW: 'Shell Shock' bug blasts OS X, Linux systems wide open |url=https://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ |work=[[The Register]] |date=24 September 2014 |accessdate=25 September 2014}}</ref> Within days of its publication a variety of related vulnerabilities were discovered (''{{CVE|2014-6277|2014-6278|2014-7169|2014-7186|2014-7187|leadout=and}}''). Ramey addressed these with a series of further patches.<ref name="ITN-20140929"/><ref name="zdnet-betterbash"/>
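As an added local self-test (not part of the article), the script below places a function definition followed by a trailing command in an environment variable, starts a child Bash, and reports whether the child ran the trailing command while importing its environment; it then shows that a legitimately exported function still reaches a child shell on a patched Bash. The variable name PROBE and the marker string are constructed for this example.

```shell
#!/bin/sh
# Added example: checks whether the installed bash still executes commands that
# trail a function definition stored in an environment variable (the
# behaviour described above). Only a local "bash" binary is assumed.

shellshock_check() {
    marker="SHELLSHOCK_MARKER"   # constructed string, printed only if the bug is present
    # PROBE is a constructed variable name. A vulnerable bash parses the value as
    # a function definition and runs whatever follows the closing brace while
    # importing its environment, before "true" is ever executed.
    out=$(PROBE="() { :; }; echo $marker" bash -c 'true' 2>/dev/null)
    if [ "$out" = "$marker" ]; then
        echo "vulnerable"       # trailing command ran during environment import
        return 1
    fi
    echo "not vulnerable"       # the value was treated as plain data
    return 0
}

legit_function_export() {
    # A patched bash still supports the intended feature: a function exported
    # with "export -f" is importable by a child bash. Run inside bash so this
    # file also works when read by a plain POSIX sh.
    bash -c 'greet() { echo "hello from exported function"; }
             export -f greet
             bash -c greet' 2>/dev/null
}

shellshock_check
legit_function_export
```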