Linux – What is the Shellshock bug? Is it worse than Heartbleed?
Security experts are warning that a serious flaw named Shellshock could be about to affect many of the world’s web users.
Some analysts warn it could be worse than Heartbleed, a vulnerability in the web encryption library OpenSSL, which caused a stir this year as it theoretically allowed attackers to take over websites.
The US government-backed National Vulnerability Database rated Shellshock 10/10 for severity. Here’s a simple guide to what the Bash bug is, why it matters and what people can do to help prevent future attacks.
What is Bash?
Bash, an acronym for Bourne Again Shell, is a command-line shell. This lets users issue commands to launch programs and features within software by typing in text. It’s typically used by programmers and shouldn’t be open to the wider world, though Shellshock changes that.
Mac OS X users can run it by opening up their Terminal, as can anyone using the Linux operating system by launching a terminal on their machine. Linux and Mac OS X are largely derivatives of the Unix OS, so share some features.
What is the vulnerability and how might attackers exploit it?
The 25-year-old vulnerability is related to the processing of what are known as “environment variables” in Bash, which provide a way to influence the behaviour of software.
The Bash bug, discovered by the Linux expert Stéphane Chazelas, is causing concern as the command-line interface is used by many popular tools to process those environment variables.
In theory, an attacker could exploit a machine running Bash by forcing it to set specially crafted environment variables. This could then be further exploited to let them execute shell commands, ie run programs on other people’s computers. That’s endgame for the victims – their machines would in effect be in the control of the hacker.
In slightly more detail, when dealing with environment variables, Bash shouldn’t continue to process commands that come after the “function definition” – the declaration of a software routine that performs a certain task. But it does and therefore allows for an outsider to send exploit code via software that uses Bash and have it run commands. They should never be able to do that.
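One way to spot the condition described above in the variables handed to a Bash process, as an added example that is not part of the original article. It assumes the pre-patch Bash convention that a value beginning with "() {" is read as a function definition; the function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): flag environment values that look
# like a function definition, and separately those that carry text after it.
# Assumption: pre-patch Bash treated a value starting with "() {" as an
# exported function definition.

classify_env_value() {
    value=$1
    close='}'
    case $value in
        "() {"*) ;;                      # looks like a function definition
        *) echo plain; return 0 ;;
    esac
    # Heuristic: whatever follows the last closing brace is text after the
    # function definition, which Bash should not go on to process.
    case $value in
        *"$close"*) rest=${value##*"$close"} ;;
        *)          rest= ;;             # no closing brace, so no trailing text
    esac
    # Separators and whitespace left after the body do not count.
    rest=$(printf '%s' "$rest" | tr -d ' \t\n;')
    if [ -n "$rest" ]; then echo trailing; else echo function; fi
}

# Read NAME=VALUE lines on stdin; print "NAME verdict" for every value
# that is not plain.
scan_env_dump() {
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        verdict=$(classify_env_value "$value")
        [ "$verdict" = plain ] || printf '%s %s\n' "$name" "$verdict"
    done
}

# Constructed sample: variables a web server might pass to a script.
sample_env() {
    cat <<'EOF'
HTTP_HOST=www.example.test
HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64)
HTTP_COOKIE=() { :; }; echo marker
HTTP_REFERER=() { :; }
EOF
}

sample_env | scan_env_dump
```

On the sample, both values that begin with a function definition are reported, and only the one with text after the closing brace is marked "trailing", which is the case the bug turns into command execution.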