Shellshock (CVE-2014-6271)

Shellshock is the bash function-export parser RCE that affected Linux/Unix systems where bash was reachable from any HTTP / CGI / DHCP path.

Definition

Shellshock (CVE-2014-6271) is a vulnerability in GNU Bash's parsing of environment variables. A function definition stored in an environment variable was parsed at shell startup; if the variable contained a function definition plus extra commands after it, those commands ran. Anywhere an attacker could control an environment variable that bash subsequently parsed — typically through CGI scripts where `User-Agent` becomes `HTTP_USER_AGENT` — they had remote code execution.

Impact

Pre-auth RCE on any system exposing bash via CGI or other env-passing surfaces.

Mitigation

Patch bash. Several follow-up CVEs (CVE-2014-7169, CVE-2014-6277, CVE-2014-6278) covered variants of the original bug.

See also

References