Critical flaw in Linux Bash leaves systems Shellshocked

Douglas Crawford

September 26, 2014

Security researcher Stéphane Chazelas has discovered a major vulnerability in the Linux (and OS X) operating systems used by computers and servers across the world, a discovery that has caused widespread alarm and is being compared to the ‘catastrophic’ Heartbleed bug from earlier this year.

The bug, now dubbed ‘Shellshock’, concerns the Unix command-line shell Bash and affects nearly any ‘*nix’ OS: Unix, OS X (the Mac operating system based on Unix) and many Linux distributions, among them:

  • Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
  • CentOS (versions 5 through 7)
  • Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
  • Debian

Alarm has grown as reports come in that the bug is being exploited in the wild. Waylon Grange, senior malware researcher at Blue Coat, noted that:

We’re seeing attackers target the Shellshock vulnerability almost immediately (within 4.5 hours) of it being publicly announced. Any organizations or users with unpatched Linux servers are vulnerable to hackers running unauthorized code, so it’s very important that organizations download and apply the patch immediately. Blue Coat is already seeing DDoS botnets trying to utilize this vulnerability in their attacks and we expect that traffic to only continue to increase.

It is thought that a staggering 500 million machines could be hit by the Shellshock bug. Details of the flaw in Bash are rather complex, but Ars Technica explains it thus:

While Bash is often thought of just as a local shell, it is also frequently used by Apache servers to execute CGI scripts for dynamic content (through mod_cgi and mod_cgid). A crafted web request targeting a vulnerable CGI application could launch code on the server. Similar attacks are possible via OpenSSH, which could allow even restricted secure shell sessions to bypass controls and execute code on the server. And a malicious DHCP server set up on a network or running as part of an “evil” wireless access point could execute code on some Linux systems using the Dynamic Host Configuration Protocol client (dhclient) when they connect… There are other services that run on Linux and Unix systems, such as the CUPS printing system, that are similarly dependent on Bash that could be vulnerable.

System administrators should immediately check whether their servers are vulnerable and, if so, patch them at once. Again courtesy of Ars Technica:

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
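As an added example that is not part of the article or of Ars Technica's instructions, the following POSIX shell script wraps the test above so it can be run unattended across many hosts with a machine-readable exit status, and also demonstrates the exported-function mechanism in which the flaw lives. The function names and the exit-code convention are assumptions of this example, not anything the article specifies:

```shell
#!/bin/sh
# Added example, not from the article: wraps the article's one-line test so it can
# be run unattended on many hosts with a machine-readable result, and shows the
# legitimate "exported function" feature that the flaw lives in.

# Classify the combined stdout+stderr of the test command.
# Prints "vulnerable" if a line consisting of exactly "vulnerable" is present,
# otherwise "patched". The warning lines from a patched bash never match.
classify_shellshock_output() {
    printf '%s\n' "$1" | grep -qx vulnerable && echo vulnerable || echo patched
}

# Run the article's test against a given bash binary (default: the one in PATH).
# Exit status: 0 = vulnerable (the trailing command ran), 1 = not vulnerable,
# 2 = the binary could not be executed, so nothing was proven either way.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1); then
        return 2
    fi
    [ "$(classify_shellshock_output "$out")" = vulnerable ]
}

# The feature being abused: bash passes shell functions to child shells through
# the environment and re-imports them on startup. A patched bash keeps this
# feature (the demo still prints the greeting) but stops parsing at the closing
# brace instead of executing whatever follows it.
exported_function_demo() {
    bash -c 'greet() { echo "hello from an exported function"; }
             export -f greet
             bash -c greet'
}

# Stand-alone run: report on the bash found in PATH, if any.
if command -v bash >/dev/null 2>&1; then
    shellshock_check && rc=0 || rc=$?
    case $rc in
        0) echo "RESULT: $(command -v bash) is VULNERABLE, patch immediately" ;;
        1) echo "RESULT: $(command -v bash) passes the published test" ;;
        *) echo "RESULT: could not run the test against bash" ;;
    esac
    exported_function_demo
fi
```

Pass a different binary as the first argument to check a bash that is not first in PATH, for example one bundled inside a container image.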

An unofficial patch was hurried out, but it failed to prevent attacks. A new patch has, however, been released that we understand fixes the problem.

Given that a worryingly large number of servers still remain vulnerable to the Heartbleed bug, we have grave concerns about how well system administrators will deal with this new crisis. The best thing you, as a VPN user, can do is contact your VPN provider and ask whether they are aware of the bug, whether it affects them, and if so, what they have done about it.
