Bash flaw threatens hundreds of millions of servers

News by Tim Ring

Systems admins are being warned of a decades-old bug that means hundreds of millions of systems - ranging from Unix/Linux web servers to possibly Apple devices and WiFi routers - can be easily hijacked.

The 'Bash' or 'Shellshock' flaw (CVE-2014-6271) is being described as potentially bigger than Heartbleed and much easier to exploit.

Manufacturers are rushing out patches and issuing advice to users – outlined below.

The flaw is in the free, open-source Bash (Bourne Again Shell) command shell which has been used in most Unix, Linux and related systems for at least 20 years since the 1980s.

The bug enables hackers to exploit the 'environment variables' within the shell to hijack another computer or server and run their own code remotely, if the default option of remote login is allowed.

The vulnerability is reported to be present in Bash version 1.13 up to and including version 4.3, and was discovered by Stephane Chazelas.

It affects hundreds of millions of web servers. According to latest Netcraft figures, around 35 percent of the world's billion-plus websites are run on Apache/Unix servers - putting more than 300 million sites at risk from the flaw.

But as well as Linux and related web servers, the flaw affects numerous other systems, according to UK cyber expert Alan Woodward, a visiting professor at Surrey University's Computing Department.

Woodward said Apple “use quite an old version of Bash” and advises Mac users to disable remote login until Apple release a Bash fix, “a simple suggestion to try to ward off any attempts to remotely login using the Bash flaw onto individuals' Macs”.

He said that Bash is in “many embedded systems such as WiFi routers. Hence it means the problem is even more widespread than just web servers. The real issue here is that these types of devices are difficult to update.”

The US-CERT cyber emergency response team agrees the flaw affects Unix-based operating systems such as Linux and Apple Mac OS X devices.

Woodward said the flaw is potentially bigger than SSL/Heartbleed and much easier to exploit.

He told SC: “Even if it's only a fraction of Apache websites, and remote logins are managed properly, it is looking like it is more widespread than Heartbleed. Worryingly it is rather more serious than Heartbleed in that it doesn't take as much skill to exploit it.”

Darien Kindlund, director of threat research at security firm FireEye, agreed about the scale of the threat.

He told journalists by email: “This bug is horrible. It's worse than Heartbleed, in that it affects servers that help manage huge volumes of internet traffic.

“Conservatively, the impact is anywhere from 20 to 50 percent of global servers supporting web pages. Specifically, this issue affects web servers using GNU Bash to process traffic from the internet. In addition, this bug covers almost all CGI-based web servers, which are generally older systems on the internet.”

In a 24 September blog post RedHat says: “Bash is perhaps one of the most installed utilities on any Linux system.”

Woodward said the lessons from this flaw are the same as with SSL/Heartbleed.

He commented: “This throws into stark relief several issues that the Heartbleed bug raised about the use of open source software - limited numbers of people maintaining software and the fact that it's not always that well-reviewed.

“These individual bits of software that get used again and again and again; you only have to have a simple flaw in it to cause major problems. We're finding that yet again here.”

The vulnerability has been given a maximum score of 10 in all three categories of threat recorded by the US National Vulnerability Database.

Tenable's EMEA technical director Gavin Millard added in an email: "The potential for attackers utilising ShellShock is huge with millions of UNIX and Linux servers vulnerable. The major concern of ShellShock is the staggering amount of systems that have bash installed – almost every UNIX platform and many of the “Internet of Things” devices we now have in our homes and businesses.

"Unfortunately, due to the ease of exploit, ShellShock is a prime candidate for a worm. We could be looking at another SQL Slammer like worm but instead of 100,000 servers being affected, it could be more like 100,000,000, which would be catastrophic."

CERT-UK's 25 September warning about Bash - its first in four months, highlighting the seriousness of the threat – provides links to where patches can be obtained.

CERT-UK confirms there are patches available for many major Linux platforms, such as:

Admins can verify if a system is vulnerable by entering the following command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable

this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt

bash: error importing function definition for `x'

this is a test
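The check above, wrapped so the result is classified and every bash binary on a host is covered. This is an added example, not part of the original article or the CERT advisories; the function names and result labels are assumptions made here, and it tests only for the behaviour the command above probes.

```shell
#!/bin/sh
# Added example: wraps the article's CVE-2014-6271 probe so the result can be
# classified and run against every bash binary on a host.
# Function names and result labels are choices made for this example.

# classify_probe_output TEXT -> VULNERABLE | PATCHED_WITH_WARNING |
#                               NOT_VULNERABLE | INCONCLUSIVE
classify_probe_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        # The trailing command in the variable ran: the marker is on its own line
        echo VULNERABLE
    elif ! printf '%s\n' "$1" | grep -qx 'this is a test'; then
        # The shell never ran the harmless command, so nothing can be concluded
        echo INCONCLUSIVE
    elif printf '%s\n' "$1" | grep -q 'ignoring function definition attempt'; then
        # Output the article shows for a patched system
        echo PATCHED_WITH_WARNING
    else
        # Only the test line: the variable was treated as plain data
        echo NOT_VULNERABLE
    fi
}

# probe_shell PATH: run the article's probe against one shell binary
probe_shell() {
    [ -x "$1" ] || { echo INCONCLUSIVE; return 0; }
    probe_out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>&1) || true
    classify_probe_output "$probe_out"
}

# audit_shells: probe every bash in /etc/shells plus the one found in PATH
audit_shells() {
    { grep -E '/bash$' /etc/shells 2>/dev/null || true; command -v bash || true; } |
        sort -u |
        while read -r shell_path; do
            printf '%s\t%s\n' "$shell_path" "$(probe_shell "$shell_path")"
        done
}

audit_shells
```

Bash builds with later hardening of function import print only the test line with no warning, which is why that case is reported separately from the patched output quoted above.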

The US-CERT points “experienced users and administrators” to a patch here.
