Shellshock (software bug)

This is an old revision of this page, as edited by Qwertyus (talk | contribs) at 19:54, 25 September 2014 (name not given by RH; intro for the general public).

Shellshock is the name of a serious security vulnerability in Bash, a command interpreter (shell) used on many web servers running Apache and/or SSH. The vulnerability was publicly disclosed on 24 September 2014 by Huzaifa Sidhpurwala of Red Hat.[1] It has been added to the United States National Vulnerability Database with identifier CVE-2014-7169.[2]

Attack details

From NIST:

"GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution."[2]
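A defender-side check for the mod_cgi vector named in the NIST description: the detector below is an added example, not part of the original article, and scans constructed Apache log lines for header values that begin with Bash's function-definition prefix and carry a trailing string after the closing brace, which is exactly the condition the description identifies. The regular expressions, field names and sample lines are assumptions of this example.

```python
import re

# Bash function-definition prefix "() {" followed, after the closing brace,
# by a trailing string; that trailing string is what vulnerable Bash executes.
# Whitespace variations are tolerated.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{.*?\}\s*;\s*(\S.*)")

# Apache combined log format; request line, Referer and User-Agent are the
# fields mod_cgi exports to CGI scripts as environment variables.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def trailing_command(value):
    """Return the trailing string after the function body, or None if absent."""
    m = SHELLSHOCK_RE.search(value)
    return m.group(1) if m else None

def find_probes(log_lines):
    """Return (client ip, header value, trailing string) for each matching line."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("agent", "referer", "request"):
            tail = trailing_command(m.group(field))
            if tail is not None:
                hits.append((m.group("ip"), m.group(field), tail))
                break
    return hits

# Constructed sample log lines for this example (not from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/echo probe"',
    '198.51.100.7 - - [25/Sep/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:01:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { ignored;}; /bin/echo test" "curl/7.37"',
]

if __name__ == "__main__":
    for ip, value, tail in find_probes(SAMPLE_LOG):
        print(f"{ip}: trailing string {tail!r} in header value {value!r}")
```

The same `trailing_command` check can be applied to any other header or query value a CGI handler exports into the environment.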

References

  1. Huzaifa Sidhpurwala (2014-09-24). "Bash specially-crafted environment variables code injection attack". Red Hat.
  2. "Vulnerability Summary for CVE-2014-7169". National Vulnerability Database. United States Department of Homeland Security. Retrieved 25 September 2014.