Shellshock is the common name for a coding vulnerability found in the Bash shell user interface that affects Unix-based operating systems, including Linux and Mac OS X, and allows attackers to remotely gain complete control of a system.

Discovered by Stéphane Chazelas in September 2014, the vulnerability, also known as CVE-2014-6271 and CVE-2014-7169, had existed for more than 20 years. Shellshock is present in every version of shell up to 4.3.

The Shellshock flaw may be exploited without any authentication by adding arbitrary malicious code at the end of a specifically crafted Bash function. This technique could enable an attacker to gain command-line access to a system, which often results unrestricted access to run programs, filter through memory for sensitive data, or facilitate a self-propagating worm.

Most affected server and operating system providers have released software updates that correct the Shellshock vulnerability. A variety of tools exist to check whether a system is affected by Shellshock or whether a patch has successfully resolved the problem. Organizations should use log monitoring techniques to detect evidence of attempted Shellshock exploitation; such a payload is delivered through a URL or HTTP header, hence it would leave evidence.

US-CERT's National Vulnerability Database rated the flaw's severity as a 10.0. It has been compared to the Heartbleed vulnerability largely because of its severity rating.

This was last updated in December 2014

Continue Reading About Shellshock

Dig Deeper on Threats and vulnerabilities