
Shellshock (software bug)

Security bug in the Unix Bash shell discovered in 2014 / From Wikipedia, the free encyclopedia


Shellshock, also known as Bashdoor,[1] is a family of security bugs[2] in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access[3] to many Internet-facing services, such as web servers, that use Bash to process requests.

Shellshock
[Infobox image: a simple Shellshock logo, similar to the Heartbleed bug logo.]
CVE identifier(s): CVE-2014-6271 (initial), CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
Date discovered: 12 September 2014
Date patched: 24 September 2014
Discoverer: Stéphane Chazelas
Affected software: Bash (1.0.3–4.3)

On 12 September 2014, Stéphane Chazelas informed Bash's maintainer Chet Ramey[1] of his discovery of the original bug, which he called "Bashdoor". Working with security experts, Mr. Chazelas developed a patch[1] (fix) for the issue, which by then had been assigned the vulnerability identifier CVE-2014-6271.[4] The existence of the bug was announced to the public on 2014-09-24, when Bash updates with the fix were ready for distribution.[5]

The bug Chazelas discovered caused Bash to unintentionally execute commands that were appended to the end of function definitions stored in the values of environment variables: when Bash imported such a function from its environment, it also ran whatever followed the function body.[1][6] Within days of its publication, a variety of related vulnerabilities were discovered (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187). Ramey addressed these with a series of further patches.[7][8]
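The mechanism above can be checked on a host as a patch-verification step. The script below is an added example, not part of the article: it places a harmless function definition with a trailing `echo` in the environment of a child bash and reports whether the trailing command ran (the original CVE-2014-6271 behaviour) or was ignored (patched). It assumes `bash` and `env` are on the PATH; the variable name `probe` is arbitrary.

```shell
#!/bin/sh
# Added example: verify that the installed bash no longer executes commands
# appended to an environment-variable function definition (CVE-2014-6271).

# Print the version string of the bash found on PATH, so an administrator can
# compare it against the affected range (1.0.3 to 4.3) given in the infobox.
bash_version() {
  bash -c 'printf "%s\n" "$BASH_VERSION"'
}

# Export a variable whose value looks like a function definition followed by
# an extra command. An unpatched bash imports the function AND runs the
# trailing "echo vulnerable" at startup; a patched bash either ignores the
# variable entirely or imports only the function body.
shellshock_probe() {
  out=$(env 'probe=() { :;}; echo vulnerable' bash -c 'echo probe-ran' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo vulnerable ;;
    *)            echo patched ;;
  esac
}

# Stand-alone usage: print the version and the verdict.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  printf 'bash version: %s\n' "$(bash_version)"
  printf 'CVE-2014-6271 probe: %s\n' "$(shellshock_probe)"
fi
```

A result of `patched` only covers the original bug; the follow-up CVEs listed above were fixed by later patches, so the version check still matters.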

Attackers exploited Shellshock within hours of the initial disclosure by creating botnets of compromised computers to perform distributed denial-of-service attacks and vulnerability scanning.[9][10] Security companies recorded millions of attacks and probes related to the bug in the days following the disclosure.[11][12]

Because of the potential to compromise millions of unpatched systems, Shellshock was compared to the Heartbleed bug in its severity.[3][13]