Shellshock vulnerability roils Linux server shops

The GNU Bash shell can provide an entry point for launching more severe attacks, researchers find

Shellshock vulnerability test for Bash

A long-standing vulnerability unearthed in the GNU Bash software, nicknamed Shellshock, has disrupted the daily activities of the Linux system administrator community, as Linux distributors, cloud vendors and end users struggle to understand the full scope of the potential damage it could cause.

"It's a very subtle and complicated vulnerability," said Owen Garrett, head of products for Nginx, a provider of server software.

The vulnerability "is trivially easy to exploit if you know what you are doing, so it really is a potentially serious problem," Garrett said. "The upside is that the remedy is quick and easy."

The vulnerability is a flaw in the open-source GNU Bash shell found in nearly all Linux distributions, as well as in the Apple OS X operating system.

Thursday, researchers found a second, related vulnerability in the shell.

A shell is an interface for users to interact with computers, by way of either a graphical environment interface or -- in Bash's case -- a text-based command line interface. The vulnerability allows a malicious user to issue commands to the operating system.

In one sense, the vulnerability is not a serious one, noted Wolfgang Kandek, chief technology officer of IT security firm Qualys. A user with access to Bash already can access all the commands that the operating system offers to routine users. But it can be dangerous insofar as Bash is also used by other programs to complete their own tasks, and thus may offer a backdoor into some systems.

For instance, it could be used with the CGI (Common Gateway Interface), Kandek noted. CGI is a legacy but still widely used technology, dating from the early days of the commercial Internet, that provides user interactivity on websites. CGI uses Bash to manipulate the server's OS.

A malicious user could inject commands into a CGI request that would get processed by the server, Kandek said. An attacker, for instance, could use Shellshock to take advantage of some other vulnerability that could not otherwise be executed from over the network, perhaps a vulnerability that would allow the attacker to then gain control of the machine.

Administrators are encouraged to patch their systems as quickly as possible. This is the easy part. In most Linux distributions, updating the system software can usually be done through a single command, Kandek said.

Fortunately, all the major Linux vendors quickly issued patches, including Debian, Ubuntu, Suse and Red Hat.

Red Hat also posted a one-line command that could easily test if a machine is vulnerable to the attack.
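A check of this kind, written out as an added example (it is not taken from the article and is not presented as Red Hat's own command): it starts each Bash binary with a crafted environment variable and reports whether text placed after a function body was executed. The variable name `probe`, the marker string and the list of paths are assumptions, and it covers only the first flaw, not the second, related one.

```shell
#!/bin/sh
# Added example: probe bash binaries for the Shellshock function-import flaw.

# check_bash PATH -> prints one of: vulnerable | patched | missing | unknown
check_bash() {
    shell=$1
    if [ ! -x "$shell" ]; then
        echo missing
        return 0
    fi
    # A vulnerable bash treats a variable whose value starts with "() {" as a
    # function definition and also runs whatever follows the closing brace
    # while it starts up. A patched bash leaves the value as a plain string.
    # env -i gives the child a clean environment so nothing else interferes.
    out=$(env -i PATH=/usr/bin:/bin \
          probe='() { :;}; echo SHELLSHOCK_MARKER' \
          "$shell" -c 'echo started' 2>/dev/null)
    case $out in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;  # trailing command ran
        *started*)           echo patched ;;     # only our own command ran
        *)                   echo unknown ;;     # shell did not run at all
    esac
    return 0
}

# Hosts often carry more than one copy of bash; check each candidate path
# (assumed locations, adjust for the system at hand).
for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
    printf '%-22s %s\n' "$b" "$(check_bash "$b")"
done
```

Any path reported as `vulnerable` needs the distributor's updated Bash package; re-run the check after updating.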

And not a second too soon, given that software programs that exploit the vulnerability quickly surfaced after the news of the vulnerability broke.

Running a honeypot server, IT management firm AlienVault has also found that multiple parties are already scanning the Internet to find machines with the vulnerability.

A honeypot is a machine placed on the Internet with the intent to characterize how much and what kind of malicious activity is taking place online, usually by using unpatched software that attackers can use to gain access.
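The scanning described above can be spotted in a web server's own access log, because CGI hands request headers to the program as environment variables and a probe therefore carries a Bash function-definition prefix in a header field. The following added example (not from the article or from AlienVault) counts such requests per source address; the function names and the log lines, which use documentation-range addresses, are constructed for illustration.

```shell
#!/bin/sh
# Added example: count requests per client that carry a bash
# function-definition prefix "() {" anywhere in an access-log line.

# write_sample_log FILE -> writes constructed combined-format log lines
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; echo probe"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { :;}; echo probe" "-"
203.0.113.44 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/env HTTP/1.1" 200 0 "-" "() { foo;}; echo probe"
192.0.2.10 - - [25/Sep/2014:10:03:40 +0000] "GET /app.js?cb=f() HTTP/1.1" 200 90 "-" "Mozilla/5.0"
EOF
}

# scan_log FILE -> one line per source address: "<ip> <matching requests>"
scan_log() {
    awk '
        # "()" followed by optional blanks and "{" opens a function
        # definition; ordinary request lines, referers and user agents do
        # not contain it (the last sample line has "()" but no brace).
        /\(\)[ \t]*[{]/ { hits[$1]++ }
        END { for (ip in hits) print ip, hits[ip] }
    ' "$1" | sort
}

# Stand-alone use: pass a log file, or run with no argument to see the
# constructed sample scanned.
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp)
    write_sample_log "$log"
    scan_log "$log"
    rm -f "$log"
else
    scan_log "$log"
fi
```

The status code next to each hit shows whether the probe reached an existing CGI path (200) or missed (404), which helps decide which hosts to check first.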

Cloud infrastructure service providers that offer stock Linux distributions as virtual images, built from the latest stock release of a distribution, could have unpatched versions of Bash. Some may have already mitigated the issue: Amazon Web Services, which maintains its own version of Linux, automatically updates any Linux virtual machines with the latest patches before they are deployed.

As a general best practice, however, anyone deploying a virtual machine for the first time should immediately update the software, Kandek said.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is
