To help us provide you with free impartial advice, we may earn a commission if you buy through links on our site. Learn more

What is Shellshock? We explain why your data is at risk

Bash Shellshock bug

A bug found in Bash is threatening to wreak havoc on millions of computers, web servers and connected devices

Bash Shellshock, a critical security vulnerability that has existed undetected for over 20 years, could be be more serious than Heartbleed. The latest bug, which is found in the command-line shell Bash, hits right at the core of the internet. It affects Unix, Linux, Apple’s Mac OSX, internet of things devices and Apache web servers. That’s a whole lot of computers and servers as well as fifty per cent of all websites. 

Just hours after the bug was reported the first exploit has now apparently been spotted in the wild. The bug has been described as both extremely serious and very easy to exploit, with hackers potentially able to take complete control of affected computers. We explain what the Bash Shellshock bug is, what it means for you and what it means for you and the whole technology industry.

What is Bash and what is the Shellshock bug?

Bash is a command interpreter or shell (hence Shellshock) used on Linux and Mac OSX (both of which are Unix) along with a variety of internet of things devices and hardware such as home routers. Bash is also used on Apache servers, which host around 50 per cent of all websites.

Put simply Bash is a text window that lets users type commands to make things happen (in OSX you’ll know it as the Terminal). Bash can also read commands given to it from a file. It is called upon by all sorts of programs and processes to carry out various functions in the command-line. Computers have been using Bash since the late 1980s and it has become almost ubiquitous. All versions of Bash through to 4.3 are affected by this vulnerability.

Bash is the default command-line shell for Linux and Mac OSX, two of the most widely-used operating systems in the world. The Bash bug could also affect internet of things devices as many run Linux distros. The bug could also be present on Google’s Android operating system, which is best described as a non-traditional Linux distribution.

How does the Bash Shellshock bug work?

The vulnerability in Bash lets a user create so-called variables before calling on the Bash shell. These variables can contain code that is triggered the second Bash kicks in. In even simpler terms code shouldn’t be allowed to run at the end of a Bash function but the bug makes this possible.

So how can a hacker use the exploit? On an Apache web server running Bash (half the internet runs on Apache) it can be used to target CGI scripts. These tiny bits of code carry out boring but essential tasks, but also inadvertently give attackers access to Bash. By using a piece of code to target the CGI scripts a hacker can get into a server through Bash. Once a hacker has direct access to a server they have complete control of it.

Worryingly the attack is very easy to carry out on unpatched systems. All a hacker needs to do is copy and paste in some code and the command will execute. As Bash lies at the heart of so many computers and systems it gives hackers control of just about anything.

At first there was no evidence that the bug had been exploited, but it was only a matter of time before this happened. According to a post on GitHub, a system administrator has found an exploit that used the Shellshock vulnerability to launch an exploit. The attack appeared to attempt a brute force attack on the server in an attempt to guess usernames and passwords. It is still early days and further exploits are inevitable.

What does the Bash Shellshock bug let hackers do?

Pretty much anything. An attacker can remotely execute code on affected systems, access internal data, change code or install malicious code on systems and web servers. Half of all websites are vulnerable. That’s obviously a big problem.

The most likely attack would be a self-replicating one where malicious code spreads from system to system. Public-facing machines (the one you’re looking at right now) probably won’t be the target. The real money is made by going after big companies and that’s why the bus is so dangerous. The vulnerability could get hackers behind corporate firewalls and system administrators will be working frantically to install patches.

Is my computer vulnerable?

If you run Windows you don’t need to worry. If you run Linux or Mac OSX you’re at risk. There is an easy way to check if your computer might be at risk. Open a terminal window and enter the following command at the $ prompt:

env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”

The output on a vulnerable system will be:

vulnerable
this is a test

A patched or unaffected system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test

What do I need to do to make OSX and Linux safe?

Apple has rolled-out a background update to patch the Shellshock Bash bug, but tests confirmed that the vulnerability was present in OSX. The company has also confirmed that the vast majority of users were not at risk from the vulnerability as OSX blocks remote exploits of bash by default. Only users who have configured advanced UNIX services will be exposed, with Apple “working quickly” to create a patch.

You can check if your system is still vulnerable by opening Terminal and using the code above. If you run CentOS, Debian, Redhat or Ubuntu then patches are already available. The United States Computer Emergency Readiness Team (US-CERT) has published an advice page on the Bash bug with links to download operating system updates.

Why is the Bash Shellshock bug such a big deal?

Bash is at the core of millions of devices from computers to web servers and home routers to security cameras. Experts have said that this bug has the potential to be worse than Heartbleed and that could end up being true. While Heartbleed allowed hackers to spy on computers, Shellshock lets attackers take control of computers, execute code and do just about anything they want. If Bash isn’t patched quickly it could have disastrous consequences.

Exploits are already being detected in the wild and hackers are likely having a field day targetting vulnerable servers. In the UK the Information Commissioner’s Office has expressed big concerns about personal data being stolen by hackers:

“This flaw could be allowing criminals to access personal data held on computers or other devices. For businesses, that should be ringing real alarm bells, because they have legal obligations to keep personal information secure. The worst thing would be to think this issue sounds too complicated – businesses need to be aware of this flaw and need to be monitoring what they can do to address it. Ignoring the problem could leave them open to a serious data breach and ultimately, enforcement action,” an ICO spokesperson exaplained.

“And for people who are concerned their personal information could be at risk on their own devices, the message is clear. Don’t think this all sounds too complicated. Security updates are currently being rolled out – don’t ignore them, but make sure you apply them as soon as practically possible.”

Does it affect Windows?

No. But also yes. Windows doesn’t rely on Bash in the same way that Linux and Max OSX do, but that doesn’t mean a Windows system is Bash free. You won’t find Bash on your Windows computer at home but it could be on server systems with Microsoft components. In short this isn’t a bug that affects Windows but Bash can run on Windows systems. If you’re not a system administrator at a major company you don’t need to worry about its potential impact on Windows.

I don’t run a server, why should I care?

Even if you don’t use a Mac or Linux computer at home the Bash bug is still a big deal. Your most personal information is stored on servers all over the world and you use the internet all the time. The Bash bug could allow hackers to upload worms or other malicious software to vulnerable web servers, which could then be downloaded to your Windows computer. You also access the internet using a router. As with many connected devices, home routers are likely vulnerable to to the Bash bug.

It will be up to system administrators to patch vulnerable systems and keep an eye out for attackers trying to exploit the vulnerability. It will take some time to understand exactly how serious the Bash bug is but its potential to wreak havoc cannot be understated. Like Heartbleed the Bash bug won’t go away overnight.

You haven’t told me what I needed to know. Where can I read more?

Some further reading with loads more information about the Shellshock Bash bug:

Bash specially-crafted environment variables code injection attack (Redhat)

Bourne Again Shell (Bash) Remote Code Execution Vulnerability (US-CERT)

Bash bug as big as Heartbleed (Robert Graham / Errata Security)

Everything you need to know about the Shellshock Bash bug (Troy Hunt)

Bug in Bash shell creates big security hole on anything with *nix in it (Ars Technica)

Bash ‘Shellshock’ Bug – Now You Can Panic (OxCERT / Paul Hood)

Read more

News