The Shellshock Q&A

What is Shellshock?
The ‘Bash bug’, most commonly known as Shellshock, is a vulnerability in Bash, the command-line shell used on most Mac, Linux and UNIX operating systems. It can leave websites and devices powered by these operating systems open to attack.
How does it work?
Bash supports the export of not just shell variables but also shell functions to other Bash instances: the definition is placed in the process environment and picked up by (indirect) child processes. The vulnerability occurs because a vulnerable Bash does not stop after processing the function definition; it continues to parse and execute any shell commands that follow the function definition in the same variable.
An environment variable with an arbitrary name can therefore be used as a carrier for a malicious function definition with trailing commands. Anything that lets an attacker set environment variables seen by Bash (for example, a web server passing request headers to a CGI script) becomes a way to run commands on the host.
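The following script is an added example, not code from the original Q&A. It shows the legitimate function-export feature described above next to the classic probe for the flaw (CVE-2014-6271), and can also be used to confirm that a Bash update has actually taken effect. It assumes `bash` is on PATH; the variable name `x` and the marker strings `VULNERABLE` and `BASH_OK` are arbitrary choices made for this example.

```shell
# Added example (not from the original article): the environment-variable
# carrier behind Shellshock (CVE-2014-6271) and a local check for it.
# Assumes bash is on PATH; marker strings and the variable name are arbitrary.

# Legitimate feature: bash exports shell functions to child bash processes
# through the environment. The innermost bash finds f via the environment.
function_export_demo() {
    bash -c 'f() { echo from-parent; }; export -f f; bash -c f' 2>/dev/null
}

# The flaw: a vulnerable bash importing "() { :;}; echo VULNERABLE" kept
# parsing past the function body and executed the trailing command while
# starting up, before running the command it was actually asked to run.
shellshock_probe() {
    env x='() { :;}; echo VULNERABLE' bash -c 'echo BASH_OK' 2>/dev/null
}

# Classify the probe output for scripting: "vulnerable" if the trailing
# command ran, "patched" if only the intended command produced output,
# "no-bash" if bash could not be executed at all.
shellshock_status() {
    out=$(shellshock_probe || true)
    case "$out" in
        *VULNERABLE*) echo vulnerable ;;
        *BASH_OK*)    echo patched ;;
        *)            echo no-bash ;;
    esac
}

shellshock_status
```

On an updated system the probe prints only `BASH_OK` and the status is `patched`; a vulnerable Bash prints `VULNERABLE` first, because the injected `echo` runs during environment import. Run the check again after every Bash update, since the first round of Shellshock fixes was itself found to be incomplete.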
How does it affect me?
The security flaw resides in Bash, which ships with most Linux, UNIX and Mac operating systems. This leaves devices powered by these systems vulnerable: malicious code can be executed on your computer without your involvement, which in essence means attackers could take control of the machine.
I use Windows – is this vulnerable to Shellshock?
Windows systems do not usually come with GNU Bash (the vulnerable component) installed.
However, Bash can be installed on Windows by other programs (for example Cygwin), so a Windows machine with one of those installed can carry a vulnerable copy, and Windows users should still remain vigilant and update it.
Which versions of Bash are affected?
Every release of Bash up to and including version 4.3 is vulnerable to Shellshock, so roughly 25 years of Bash installs are affected.
Is this in relation to Heartbleed?
No. Heartbleed exposed information held in memory by vulnerable servers. Shellshock is far more serious: it lets an attacker execute arbitrary commands on the affected host and potentially take control of it. No unusual action by the user is needed; any service that passes attacker-supplied data into Bash through the environment is exposed.
So, is Shellshock actually bigger than Heartbleed?
The impact of Shellshock has been huge and tremors have been felt across the technology world. This vulnerability in the Bash shell puts at risk any software on Mac, Linux and UNIX systems, as a minimum, that invokes Bash with attacker-influenced environment variables.
As reported by The Register, security experts have said that, as with Heartbleed, Shellshock is a pervasive flaw that could take years to fix properly, with the onus falling on webmasters and system administrators rather than on end users.
What can be done to resolve this?
Security teams and operating system vendors across the world have been working on fixes.
For Ubuntu users a patch is available under USN-2363-1, and for Debian users under DSA-3035-1. Note that the first round of Shellshock patches was found to be incomplete, so make sure you also install the follow-up updates your distribution has released.
If your operating system releases a new software patch or update, it is important to install it, as this greatly reduces the chance of you becoming a victim of Shellshock.
What’s the damage?
So far, thousands of servers have been compromised via Shellshock, and some of them have been used in denial-of-service attacks, flooding web firms with junk traffic.
Which companies / organisations have come out and reacted to Shellshock?
Companies that have reacted to Shellshock by releasing fixes and patches include Apple, Amazon and Google.
Additionally, the US government's National Vulnerability Database has rated the flaw at the maximum severity of 10 out of 10.
What about Access Manager?
Access Manager runs on Ubuntu and Debian and uses their Bash packages; both have been updated, and the fix is delivered as an operating system update.