The Shellshock security vulnerability is not just a Linux issue

Oct 10, 2014

The media have been calling this “as bad as Heartbleed”, whilst some have been saying it’s much worse. It’s difficult to tell who is right, but one thing we can be sure about is that we have another serious vulnerability on our radar, called Shellshock, and we need to think and act fast.

So what is Shellshock? Shellshock (also known as Bash Bug) could have a significantly damaging impact on any Bash-enabled server, desktop, or device. The root of the problem is with an application called Bash which runs on a variety of Linux platforms. If you are a Windows user and think that Shellshock will not affect you, think again! Linux systems are more widespread than you think. Many of the web applications that we use online every day run on Linux, not forgetting the servers they are hosted on. Oh, and did I mention Mac OS X users? They are also vulnerable, so whichever operating system you are running, there are things you can do to protect your data.

The issue itself lies in a very common and well-known application which provides a ‘shell’; the flaw could allow an attacker to execute various operating system commands and gain access to the file system.

What has shocked many experts is that the defect has remained unnoticed in the software for 22 years! The vulnerability allows an attacker to modify files they should not be able to. Exploiting this, they can modify authentication mechanisms, run various programs on the remote machine and otherwise gain unauthorised access to sensitive information.

The impact is serious. The vulnerability allows the attacker to execute arbitrary operating system commands on the remote vulnerable system (a so-called remote code execution flaw). This vulnerability gives them full control of the remote machine. Many applications and web services are in danger. For example, OpenSSH (which is a default for remotely accessing and administering Linux servers) uses Bash and therefore could be under attack, as could a variety of web server applications, DHCP servers (these are the servers that give your computers the details they need to communicate with the other computers in the local network and the Internet), and so on. Note that we are talking about over 500 million web servers on the Internet today. Many embedded devices are also in danger, such as CCTV cameras, routers, industrial control systems and IoT devices.

Am I vulnerable? Shellshock requires that your system is running an affected version of Bash and is accessible to the attacker remotely, so that they can attempt to poke it and inject arbitrary commands. The identified flaw exists in all versions up to 4.3, which is, unfortunately, also very widespread. It could be the case that the attacker needs to authenticate to a shell before they can do anything (which lowers the impact).

How can we ensure that our systems are protected? Many vendors are providing patches for this very quickly, so make sure that you do some basic housekeeping for your system by ensuring you have the most up-to-date operating systems and security patches. If you are an Apple user, there are patches available for you to download; however, they are not a part of your usual system update and have to be installed manually. Some Linux systems are naturally immune (e.g. Debian-based systems using Dash instead of Bash) but it is always good to double check. Check with your IT team that your Linux systems have been properly patched.
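One way to do that double check on a machine you administer, as an added example that is not part of the original article: the script probes each installed shell locally and reports whether `/bin/sh` is really Bash or Dash. The marker string, the list of candidate paths and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: local, read-only check for the Bash flaw described above.
# MARKER and the candidate path list are assumptions chosen for this sketch.
MARKER="SHELLSHOCK_PROBE_MARKER"

# probe_shell PATH -> prints "absent", "vulnerable" or "not-vulnerable".
probe_shell() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo "absent"; return 0; }
    # The variable's value looks like a function definition with a command
    # appended. An affected Bash runs that trailing command while importing
    # its environment at start-up; a fixed Bash (or Dash) treats it as data.
    out=$(env probe="() { :;}; echo $MARKER" "$shell_path" -c 'echo ok' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "not-vulnerable" ;;
    esac
}

# sh_target -> prints what /bin/sh resolves to (e.g. dash on Debian-based systems).
sh_target() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# audit_shells -> one line per installed candidate: path, verdict, version banner.
audit_shells() {
    for p in /bin/bash /usr/bin/bash /usr/local/bin/bash /bin/sh; do
        verdict=$(probe_shell "$p")
        [ "$verdict" = "absent" ] && continue
        # Dash prints no banner for --version; stdin is closed so nothing waits for input.
        banner=$("$p" --version </dev/null 2>/dev/null | head -n 1) || true
        printf '%s\t%s\t%s\n' "$p" "$verdict" "${banner:-no version banner}"
    done
    printf '/bin/sh resolves to: %s\n' "$(sh_target)"
}

audit_shells
```

A `not-vulnerable` verdict covers only the behaviour probed here, so still compare the installed Bash package against your vendor's advisory.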

If you have any queries about Shellshock, or want to conduct a penetration test to check that your security settings are robust, get in touch with us on 0870 600 1667 or email
