New ‘Shellshock’ bash bug affects 500 million computers, servers and devices.

Bash (the Bourne Again SHell), the default command line interpreter found in Unix operating systems, has been found to be vulnerable, rendering an estimated 500 million machines open to attack.

Experts warn that the CVE-2014-6271 vulnerability, which has been dubbed Shellshock, is far more serious than the Heartbleed flaw discovered in the OpenSSL cryptographic library earlier this year.

Many other operating systems, including Linux and Apple’s Mac OS X, are built on Unix, and the Shellshock vulnerability affects web servers and apps worldwide. Apache servers are at particular risk of compromise, as are OpenSSH and some DHCP clients.

The Shellshock vulnerability, discovered by Stephane Chazelas of Akamai, relates to how environmental variables are processed. In many common configurations the vulnerability is exploitable over the network, meaning Shellshock can be used to take control of many systems that use Bash, with potentially catastrophic results. NIST has rated Shellshock’s severity as 10 (high).

Some patches have already been issued but security researchers warn they are incomplete and do not secure systems fully.

Users are advised to continue updating their systems as new patches are issued and, as ever, organisations are urged to conduct regular penetration tests.


No Responses