SecureState Blog

Read SecureState's award winning blog.

Impacts expected for corporations and consumers


A new vulnerability identified in the Bash command interpreter was announced yesterday. If successfully exploited, this vulnerability (nicknamed Shellshock) could enable an attacker to run arbitrary commands on the vulnerable system. Bash is used on Macs, Linux (including Red Hat) and UNIX based systems; the vulnerability has existed in Bash since version 1.14.0, which was released over a decade ago. As a result, any system using Bash is potentially vulnerable.

The best way to test whether or not your system is vulnerable to Shellshock would be to open up a Bash shell (i.e. command prompt), and run the following command:

env X=”() { :;} ; echo busted” /bin/bash -c “echo completed”

If the command prompt returns the word “busted,” then your system contains this vulnerability.

Potential Impact

From an attacker perspective, there are both consumer and corporate attacks that could be performed. For example, there have been DHCP implementations that have been found to be vulnerable to this attack. This is because the IP address that the client receives from the server is stored in an environmental variable and executed by Bash. As a result, a vulnerable system would simply need to connect to a network with a malicious DHCP server on it and request a new IP address. As soon as the request is fulfilled, the user’s machine would be compromised. In this regard, if a user simply connected their system to a comprised wireless network, they could be fully compromised.

From a corporate perspective there are many attack vectors that have already been identified and I suspect that new attack vectors will come to light within the next few weeks. For example, in many cases administrators will give users a limited set of commands that they can run from an SSH connection. However, if the server contains this vulnerability, the user could break out of this limited session and run additional commands on the underlying operating system.

In other cases, web servers could use CGI Scripts, which store commands in local environmental variables. Many times the settings of these variables could be manipulated based on user supplied data (i.e. parameters, headers, etc.). As soon as these commands are executed, the attacker’s commands would be executed on the vulnerable systems. The truth is, there are many potential attack vectors for this vulnerability. Any time data that a user can manipulate is stored in an environmental variable and sent to the Bash command interpreter, the potential for command execution is present.


At the time of this blog, Red Hat is aware that a patch to remediate CVE-2014-6271 or Shellshock is needed, but no such patch is available. However, they have provided a workaround based on IP Table string matching.

Systems running Mac OSX also contain this vulnerability, and patches have been released for these operating systems. It is possible to remediate this vulnerability on Mac systems by recompiling Bash, but this involves a little more work. I suspect that due to the severity of this vulnerability, Apple will release a patch for this vulnerability rather soon, but until then, it is recommended to avoid untrusted networks, such as open wireless networks. This includes free Wi-Fi at restaurants and coffee shops, as well as cellphone hot spots.

All other Linux and UNIX based systems will likely have applicable patches applied to them in due time. Some distributions, such as Ubuntu and Debian, already have patches available. Continue to check vendor websites for patches, and apply them as soon as possible.

Some general guidelines include:

- Limit who is able to access web applications using CGI scripts

- Remove untrusted accounts from SSH servers (even if they have a limited functionality)

- Segment vulnerable systems from the rest of the network.


Register now for our webinar: Preventing Shellshock! and receive a copy of the recorded presentation and slide deck!