ShellShock

There is a new critical bug affecting all computers running Unix-based operating systems like Mac OS X and Linux and it is called “Shellshock”. Some analysts warn it could be worse than Heartbleed, a vulnerability within web encryption library OpenSSL which caused a stir this year as it theoretically allowed attackers to take over websites. Shellshock bug is a vulnerability affecting all versions of the bash package as shipped with most of the Linux distributions. It is listed as CVE-2014-6271, CVE-2014-7169. Bash, an acronym for Bourne Again Shell, is a command-line shell. This lets users issue commands to launch programs and features within software by typing in text. It’s typically used by programmers and shouldn’t be open to the wider world, though Shellshock changes that.

The Shellshock bug affects all products which use the Bash shell and parse values of environment variables. Shellshock Vulnerability is especially dangerous as there are many possible ways Bash can be called by an application. Quite often, if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such. So any Linux/Unix servers are vulnerable to Shellshock bug.

Which versions of Bash are affected?

It is said that everything through 4.3 or in other words, about 25 years’ worth of Bash versions. Everyone keeps comparing this to Heartbleed, considering that the impacted versions of OpenSSL spanned a mere two years which is a drop in the ocean compared to Shellshock. People don’t upgrade their versions consistently therefore the number of at-risk machines are going to be much higher for Shellshock than it was with heartbleed.

Shellshock Bug Fix by Quintet

Don’t worry, Quintet Solutions is here to help. We shall patch your servers as needed and assist you in securing your servers and have peace of mind.