Bash Vulnerability AKA SHELLSHOCK

Aidan | Security | 25 September

What we know:

There is a critical vulnerability that affects the GNU Bourne Again Shell (Bash), used in many *nix based operating systems. The vulnerability relates to how environment variables are processed and allows for Remote Code Execution, meaning an unauthenticated attacker can run commands on vulnerable systems. Web servers should be considered high priorities for patching, since CGI scripts receive HTTP request data as environment variables. Security researchers are actively investigating the issue, and are highlighting the ease with which it can be exploited.

What we don’t yet know:

If other operating systems based on *nix platforms are also vulnerable, such as Mac OS X and Android, as well as embedded devices (such as “Internet-of-things” devices).

The detail:

This vulnerability has the ID CVE-2014-6271, and has been given an Exploitability score of 10.0 – the same as Heartbleed.

There are patches available for many of the major Linux distributions, such as:


You can verify if a system is vulnerable by entering the following command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


If the system is vulnerable, the trailing echo command smuggled in through the environment variable is executed, so the word "vulnerable" is printed before the test line:

vulnerable
this is a test


An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
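The one-line test above is enough for a single interactive check. The following script is an added example (not from the original post) that wraps the same probe in a function so it can be run against a named bash binary and scripted across several install locations, which helps on systems such as Mac OS X where more than one copy of bash may be present. The function names shellshock_status and shellshock_check_all, and the candidate paths at the bottom, are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post.
#
# How the probe works: the environment variable's value starts with "() {", which an
# unpatched bash imports as a function definition. The vulnerable parser does not stop
# at the closing brace and also runs the trailing "echo vulnerable". A patched bash
# refuses the import and prints a warning on stderr instead.

# shellshock_status [path-to-bash]
# Prints one of: vulnerable, patched, missing (names chosen for this example).
# Always returns 0 so it can be used safely under "set -e".
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    # Same probe as in the post; stderr is discarded so the "ignoring function
    # definition attempt" warning of a patched bash does not pollute the result.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
    return 0
}

# shellshock_check_all path... : probe every listed binary and report each result.
# Returns 1 if any copy is vulnerable, 0 otherwise, so it can gate a deployment script.
shellshock_check_all() {
    rc=0
    for b in "$@"; do
        status=$(shellshock_status "$b")
        echo "$b: $status"
        [ "$status" = vulnerable ] && rc=1
    done
    return $rc
}

# Usage: check the bash on PATH plus two common extra install locations (assumed paths).
shellshock_check_all bash /bin/bash /usr/local/bin/bash
```

The "missing" result is reported rather than treated as an error so that a fleet-wide run over hosts with different layouts does not stop at the first absent path; only a "vulnerable" result makes the overall check fail.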

