Search The Archives

Friday, September 26, 2014


Alert (TA14-268A)

GNU Bourne-Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169)

Original release date: September 25, 2014 | Last revised: September 26, 2014

The UK’s national cyber-security response team, Cert-UK, has issued an alert to all government departments stating that the Shellshock flaw carried the “highest possible threat ratings… for both impact and exploitability”. The US National Cyber Security Division gave it a score of 10 out of 10 for severity and a complexity rating of low – meaning it is easy for hackers to exploit. Cert-UK added that it should be “assumed” that many government computers and other devices would be vulnerable to the bug, adding: “This will inevitably include organisations that are part of the critical national infrastructure.” Many industrial control systems, from power plants to traffic light systems, rely on Bash software to function. 

Systems Affected

  • GNU Bash through 4.3.
  • Linux and Mac OS X systems, on which Bash is part of the base operating system.
  • Any BSD or UNIX system on which GNU Bash has been installed as an add-on.
  • Any UNIX-like operating system on which the /bin/sh interface is implemented as GNU Bash.


A critical vulnerability has been reported in the GNU Bourne-Again Shell (Bash), the common command-line shell used in many Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system [1](link is external). The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.


GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. [23]
Critical instances where the vulnerability may be exposed include: [4(link is external)5(link is external)]
  • Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn GNU Bash subshells, or on any system where the /bin/sh interface is implemented using GNU Bash.
  • Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allows arbitrary command execution capabilities. This data path is vulnerable on systems where the /bin/sh interface is implemented using GNU Bash.
  • Allow arbitrary commands to run on a DHCP client machine.


This vulnerability is classified by industry standards as “High” impact with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes little skill to perform. This flaw allows attackers who can provide specially crafted environment variables containing arbitrary commands to execute on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways.


Patches have been released to fix this vulnerability by major Linux vendors for affected versions. Solutions for CVE-2014-6271 do not completely resolve the vulnerability. It is advised to install existing patches and pay attention for updated patches to address CVE-2014-7169.
Many UNIX-like operating systems, including Linux distributions and Apple Mac OS X include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 [6].
US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169, to mitigate damage caused by the exploit.



  • September 25, 2014 - Initial Release
  • September 26, 2014 - Minor Revisions

No comments :

Post a Comment