Questions tagged [shellshock]

Shellshock is a series of security vulnerabilities in bash, starting with CVE-2014-6271, which allows arbitrary code execution from environment variables.

Shellshock is vulnerability CVE-2014-6271 in bash (other shells are not affected), reported by Stéphane Chazelas in September 2014.

Bash imports function definitions from the environment when it starts; the vulnerability is due to executing arbitrary code from specially-crafted environment variables.

Common remote execution vectors include CGI scripts, OpenSSH forced commands, and some DHCP servers. Local execution vectors include bash scripts executed with elevated privileges or with environment values obtained from untrusted sources; sudo is not affected because it filters out environment entries that look like bash exported functions.

In the wake of the initial discovery, several more vulnerabilities were discovered in the same part of the bash code.

To fix these vulnerabilities, upgrade bash to a version that fixes CVE-2014-6271 and other vulnerabilities. Apply your distribution's security updates as usual. For the rare users who install bash from source, patches have been provided for all affected versions.

31 questions
249 votes, 5 answers

What does env x='() { :;}; command' bash do and why is it insecure?

There is apparently a vulnerability (CVE-2014-6271) in bash: Bash specially crafted environment variables code injection attack I am trying to figure out what is happening, but I'm not entirely sure I understand it. How can the echo be executed as…
jippie
124 votes, 2 answers

When was the shellshock (CVE-2014-6271/7169) bug introduced, and what is the patch that fully fixes it?

Some context about the bug: CVE-2014-6271 Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes. Current bash versions use an environment …
Deer Hunter
69 votes, 3 answers

how can shellshock be exploited over SSH?

Apparently, the shellshock Bash exploit CVE-2014-6271 can be exploited over the network via SSH. I can imagine how the exploit would work via Apache/CGI, but I cannot imagine how that would work over SSH? Can somebody please provide an example how…
Martin Vegter
19 votes, 1 answer

How was the Shellshock Bash vulnerability found?

Since this bug affects so many platforms, we might learn something from the process by which this vulnerability was found: was it an εὕρηκα (eureka) moment or the result of a security check? Since we know Stéphane found the Shellshock bug, and…
Faheem Mitha
11 votes, 4 answers

Legacy Debian versions and Bash Shellshock

We are running Debian Etch, Lenny and Squeeze because upgrades have never been done in this shop; we have over 150 systems running various Debian versions. In light of the "shell shock" of this week, I assume I need to upgrade bash. I do not know…
DavidH
9 votes, 1 answer

Why does bash even parse/run stuff put in the environment variable?

The shellshock bug in bash works by way of environment variables. Honestly I was surprised by the fact that there is such a feature like: "passing on of function definitions via env vars" Therefore this question while maybe not perfectly formulated…
humanityANDpeace
9 votes, 2 answers

Why is the ability to define functions in an environmental variable not a security risk in itself?

As I understand it, generally it is considered safe to let anyone provide information that will be stored in an environmental variable. The shellshock vulnerability is an issue here because it means that code at the end of a function definition…
Reed Espinosa
8 votes, 2 answers

How to apply the fix for CVE-2014-6271 bash vulnerability on cygwin?

I would like to find out how do I apply the fix for this vulnerability on cygwin. I am running the CYGWIN_NT-6.1 MYHOSTNAME 1.7.30(0.272/5/3) 2014-05-23 10:36 x86_64 Cygwin of cygwin on Windows 7. #bash -version GNU bash, version…
Raza
7 votes, 1 answer

What is the severity of the new bash exploit (shellshock)?

I've been reading up about the remote bash exploit and was wondering how severe it is and if I should be worried, especially since a new exploit has been found after the patch release. What does this mean for me as someone who uses Debian as my main…
stanri
7 votes, 1 answer

How does `env X='() { (a)=>\' sh -c "echo date"` work?

After reading about the latest bash vulnerability, I was wondering how Tavis Ormandy's exploit works. How does (a)=>\ work? He posted: The bash patch seems incomplete to me, function parsing is still brittle. e.g. $ env X='() { (a)=>\' sh -c "echo…
wonderingnewbie
6 votes, 3 answers

Do I have to reboot after updating bash to avoid shellshock?

I've updated my systems to the latest versions of bash (Fedora: bash-4.2.48-2.fc19.x86_64 and CentOS: bash-4.1.2-15.el6_5.2.x86_64) Is merely updating enough to avoid the exploit or do I need to then close all terminals, restart all services, or…
drs
6 votes, 5 answers

How do I update bash on EOL Ubuntu versions?

I.e. can I find a close enough package in the next nearest distro? Or is it complicated, and compiling from source is better? Or can I grab it from debian? (This question is about at least Ubuntu 11.10 and 12.10; I'm betting others are hitting this,…
Darren Cook
5 votes, 2 answers

Did the shellshock bash fix break basic command line tools like echo and cat?

I used to be able to do things like: X=123 cat <
Abdullah Jibaly
5 votes, 3 answers

CVE-2014-6271 Bash Vulnerability example

I am trying to understand what could be the security concern of CVE-2014-6271 and all the links I see just give me the below command. env x='() { :;}; echo vulnerable' bash -c "echo this is a test" If I get the output as, vulnerable this is a…
Ramesh
4 votes, 1 answer

Point of the semicolon in this shellshock attack

I was reviewing a shellshock attack and didn't understand this piece of code: curl -v http://localhost/cgi-bin/shellshock.cgi -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd " The part that I don't understand…
henry