Shellshock (software bug)
Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.
*Infobox image: a simple Shellshock logo, similar to the Heartbleed bug logo.*

| | |
|---|---|
| CVE identifier(s) | CVE-2014-6271 (initial), CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 |
| Date discovered | 12 September 2014 |
| Date patched | 24 September 2014 |
| Discoverer | Stéphane Chazelas |
| Affected software | Bash (1.0.3–4.3) |
On 12 September 2014, Stéphane Chazelas informed Bash's maintainer Chet Ramey of his discovery of the original bug, which he called "Bashdoor". Working with security experts, Chazelas developed a patch (fix) for the issue, which by then had been assigned the vulnerability identifier CVE-2014-6271. The existence of the bug was announced to the public on 24 September 2014, when Bash updates with the fix were ready for distribution.
The bug Chazelas discovered caused Bash to unintentionally execute commands when they were appended to the end of function definitions stored in the values of environment variables. Within days of its publication, a variety of related vulnerabilities were discovered (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187). Ramey addressed these with a series of further patches.
Attackers exploited Shellshock within hours of the initial disclosure by creating botnets of compromised computers to perform distributed denial-of-service attacks and vulnerability scanning. Security companies recorded millions of attacks and probes related to the bug in the days following the disclosure.
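The mechanism described above (a function definition in an environment variable followed by trailing commands) and the probe traffic noted here share one observable marker: web servers that hand request headers to Bash via CGI copy header values into environment variables, so a Shellshock probe has to carry the function-definition prefix `() {` inside a header value, where no ordinary client puts it. The following is an added detection example written for this article, not code from the article or from the Bash project; it assumes a simplified, constructed header log format of `<client-ip> <header-name>: <header-value>` and scans it for that prefix.

```python
import re

# The exported-function prefix Bash looked for in environment variable values.
# Whitespace between "()" and "{" is optional in Bash's parser, so allow it here.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample log lines (not captured traffic). Assumed format:
# <client-ip> <header-name>: <header-value>
SAMPLE_LOG = """\
203.0.113.5 User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0
203.0.113.7 User-Agent: () { :; }; echo probe
198.51.100.9 Referer: https://example.com/
198.51.100.3 Cookie: () { ignored; }; /bin/echo probe
192.0.2.44 User-Agent: MyApp (v1) {beta}

192.0.2.45 Accept: text/html
"""


def parse_line(line):
    """Split one log line into (client_ip, header_name, header_value).

    Returns None for blank lines or lines that do not fit the assumed format,
    so a malformed line never aborts the whole scan.
    """
    try:
        ip, rest = line.split(" ", 1)
        header, value = rest.split(":", 1)
    except ValueError:
        return None
    return ip, header.strip(), value.strip()


def find_shellshock_probes(log_text):
    """Return one record per header value carrying the "() {" prefix.

    Each record is a dict with the client IP, the header that carried the
    marker, the raw value, and the text that follows the function body's
    closing brace (the part Bash would have executed on a vulnerable host).
    """
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, header, value = parsed
        if not SHELLSHOCK_RE.search(value):
            continue
        # Text after the first "}" is the appended command portion; keep it so
        # an analyst can see what the probe attempted without re-parsing.
        brace = value.find("}")
        trailing = value[brace + 1:].strip() if brace != -1 else ""
        hits.append({"ip": ip, "header": header, "value": value, "trailing": trailing})
    return hits


def probing_ips(log_text):
    """Distinct client IPs that sent at least one probe, in first-seen order."""
    seen = []
    for hit in find_shellshock_probes(log_text):
        if hit["ip"] not in seen:
            seen.append(hit["ip"])
    return seen


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f'{hit["ip"]} via {hit["header"]}: trailing={hit["trailing"]!r}')
```

The regex is anchored on the adjacent parentheses, so a header such as `MyApp (v1) {beta}` is not flagged; in practice the same check is run over every header the CGI layer exports, not only `User-Agent`, because any of them becomes an environment variable.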
Because of the potential to compromise millions of unpatched systems, Shellshock was compared to the Heartbleed bug in its severity.