It has been suggested that this article be merged with Shellshock vulnerability. (Discuss) Proposed since September 2014.
This article documents a current event. Information may change rapidly and initial news reports may be unreliable. The latest updates to this article may not reflect the most current information. (September 2014)
Shellshock is one of the names of a serious security vulnerability in Bash, the command interpreter (shell) used on many web servers running Apache and on servers offering SSH. Through it, attackers may execute arbitrary commands on affected servers. It has been added to the United States National Vulnerability Database under the identifier CVE-2014-7169.[1]
An initial patch to mitigate the issue was found to be incomplete.[2]
The Register calls the bug "Heartbleed"-grade, and says PCs and home routers may be affected, too.[3]
Also referred to as:
- Bash
- Bashbug
- Bashbleed
- Shellshock
- Bashpocalypse
- Bashole
- Badbash
Various logos
[Image gallery of known logos; captions: BASHINGA!, Bashbleed, Shellshock, Bashpocalypse]
Attack details
From NIST:
"GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution."[1]
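The NIST description above is the whole detection signal: a legitimate exported function ends at its closing brace, so an environment value that starts with "() {" and carries a trailing string after that brace is the crafted environment the advisory describes. The following is an added example (not from the article or from NIST) of a check a defender can run over the environment a CGI script receives; the HTTP_* variable names follow the standard CGI mapping of request headers, and the sample environment is constructed for the demonstration.

```python
import re

# Shellshock abuses Bash's function-export mechanism: a variable whose value
# begins with "() {" is parsed as a function definition, and unpatched Bash
# keeps parsing and executing the "trailing string" after the closing brace.
# A genuine export ends at its closing brace, so anything after it is the signal.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def has_trailing_payload(value: str) -> bool:
    """True if value looks like a Bash function export with non-whitespace
    content after the brace that closes the function body."""
    if not FUNC_PREFIX.match(value):
        return False
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].strip() != ""
    # Unbalanced braces: a malformed definition, treated as suspicious.
    return True


def scan_cgi_environment(env: dict) -> list:
    """Names of variables whose values carry a trailing payload. mod_cgi builds
    HTTP_* variables from request headers, so those are the usual carriers."""
    return sorted(name for name, value in env.items() if has_trailing_payload(value))


# Constructed sample: the environment a CGI script would see for one request.
SAMPLE_ENV = {
    "REQUEST_METHOD": "GET",
    "HTTP_HOST": "www.example.com",
    "HTTP_USER_AGENT": "() { :;}; echo vulnerable",                  # trailing command
    "HTTP_COOKIE": "() { if true; then { :; }; fi; }  ; echo test",  # nested braces
    "HTTP_REFERER": "https://www.example.com/",
    "greet": "() { echo hello; }",                                   # benign export
}

if __name__ == "__main__":
    print(scan_cgi_environment(SAMPLE_ENV))  # ['HTTP_COOKIE', 'HTTP_USER_AGENT']
```

The brace matching is deliberately simple (it does not understand braces inside quoted strings), which errs toward flagging: for a boundary such as a CGI gateway, a false positive on an odd header is far cheaper than a miss.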
References
1. "Vulnerability Summary for CVE-2014-7169". National Vulnerability Database. United States Department of Homeland Security. Retrieved 25 September 2014.
2. Huzaifa Sidhpurwala (24 September 2014). "Bash specially-crafted environment variables code injection attack". Red Hat.
3. "Patch Bash NOW: 'Shell Shock' bug blasts OS X, Linux systems wide open". The Register. 24 September 2014. Retrieved 25 September 2014.