The Shellshock Bug

The Shellshock Bug is a bash level vulnerability that allows an assailant to send operating-system-level commands to the server, inviting him to take control over the server.

This vulnerability often occurs in the Unix bash shell, found on every Unix/Linux based web server, server and network device. This makes it highly versatile in its exploitability and its applications, thus contributing to its popularity.

The bug utilises the Bash to execute commands from environment variables unintentionally. Essentially using remote code execution, essentially translating to the fact that anyone can remotely issue commands to the server. The reason for its potent behaviour is due to the fact that the bash is not an internet service, yet many applications, internet and network services utilise environment variables to communicate locally with the operating system.

Due to the absence of a sanitation mechanism for environment variables in the bash script, there exists no method of verifying the source of HTTP requests. Thus there exists a vulnerability dubbed the “shellshock” vulnerability first spotted by Stephane Chazelas in 2014.

The concern lies within the simplicity of its implementation. All an assailant needs are basic programming skills, a server and access to malware. In addition, the cost to carry out such an attack is practically a couple of hundred rupees a month. Thus this hacking strategy proves to be ideal with minimal knowledge, price and little effort.

While web servers are the main target for such bugs, they are not the only networks that are attacked. Everything from Email to DNS servers uses the GNU bash to communicate with the OS and hence fall under the purview of this bug. While this bug is prominent in Unix-based systems, windows systems are not exempted as they may be leveraging applications that utilise Bash scripts.

For example, routers and some IoT devices use Bash scripts in their routine functioning and are connected to your computers via LAN’s putting the entire network at risk.

The shellshock bug can also be used in DDoS(distributed denial-of-service) attack to either delay server response, clutter the network with junk commands to deny users regular functionality or handcuff the server to ensure it is unable to handle any requests.

Owing to extensive coverage among the cybersecurity community and alerts from various organisations such as the department of homeland security, patches have been developed to eliminate or minimise the risk posed by bugs such as shellshock. However, some systems still remain unpatched and hence stand at risk of being affected. If your systems are still vulnerable today, this is probably due to some underlying operational issues. However, patches are available for almost any scenario. The best way to protect a server against this type of vulnerability is to keep it up to date, applying all the security patches released for this exploit.

While the shellshock bug helped Romanian hackers get into Yahoo’s servers in 2014, it has been six years and raising awareness among the cybersecurity community has led to multiple patches being released for newer server architectures. This means that often ensuring security patch updates are installed ensures the safety of your servers. However, older server architectures may require custom bug fixes or continuous log-checking to ensure no anomaly occurs with the commands executed.