
Shellshock (software bug)
Security bug in the Unix Bash shell discovered in 2014 / From Wikipedia, the free encyclopedia
Shellshock, also known as Bashdoor,[1] is a family of security bugs[2] in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access[3] to many Internet-facing services, such as web servers, that use Bash to process requests.
A simple Shellshock logo, similar to the Heartbleed bug logo.

| | |
|---|---|
| CVE identifier(s) | CVE-2014-6271 (initial), CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 |
| Date discovered | 12 September 2014 (2014-09-12) |
| Date patched | 24 September 2014 (2014-09-24) |
| Discoverer | Stéphane Chazelas |
| Affected software | Bash (1.0.3–4.3) |
On 12 September 2014, Stéphane Chazelas informed Bash's maintainer Chet Ramey[1] of his discovery of the original bug, which he called "Bashdoor". Working with security experts, Mr. Chazelas developed a patch[1] (fix) for the issue, which by then had been assigned the vulnerability identifier CVE-2014-6271.[4] The existence of the bug was announced to the public on 2014-09-24, when Bash updates with the fix were ready for distribution.[5]
The bug Chazelas discovered caused Bash to unintentionally execute commands that were appended to the end of function definitions stored in the values of environment variables.[1][6] Within days of its publication, a variety of related vulnerabilities were discovered (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187). Ramey addressed these with a series of further patches.[7][8]
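As an added illustration (not from the article), the following Python detector looks for the function-definition marker described above, followed by trailing commands, in the request, Referer and User-Agent fields of combined-format web access logs, since CGI servers copy those headers into environment variables that a Bash handler then imports; the log lines are constructed samples.

```python
"""Heuristic detector for Shellshock-style probes in web-server access logs.

Bash's bug fired when an environment variable's value began with a function
definition, "() {", and further commands followed the closing brace. CGI
servers place request headers into environment variables, so a probe appears
in the log as a header whose value starts with "() {" plus a payload.
"""
import re
from typing import Optional

# "() {", a body without nested braces, "}", then a ";"-separated payload.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<payload>\S.*)")

# Apache/nginx "combined" format: client ident user [time] "request"
# status bytes "referer" "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def find_shellshock(line: str) -> Optional[dict]:
    """Return client, offending field and payload for a probe, else None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    for field in ("request", "referer", "agent"):
        hit = SHELLSHOCK_RE.search(m.group(field))
        if hit:
            return {"client": m.group("client"), "field": field,
                    "payload": hit.group("payload")}
    return None


# Constructed sample lines (not from the article); the second is benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :; }; /bin/echo probed"',
    '198.51.100.7 - - [25/Sep/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [25/Sep/2014:10:01:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "() { ignored; }; /bin/echo probed" "curl/7.37"',
]


def scan(lines):
    """Return the detections for every line that contains a probe."""
    return [r for r in (find_shellshock(l) for l in lines) if r]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The regex is a signature for the original CVE-2014-6271 pattern and will not catch every later parser variant, so treat it as one alert source rather than a complete filter.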
Attackers exploited Shellshock within hours of the initial disclosure by creating botnets of compromised computers to perform distributed denial-of-service attacks and vulnerability scanning.[9][10] Security companies recorded millions of attacks and probes related to the bug in the days following the disclosure.[11][12]
Because of the potential to compromise millions of unpatched systems, Shellshock was compared to the Heartbleed bug in its severity.[3][13]