A Critical remotely exploitable vulnerability has been discovered in the widely used Linux and Unix command-line shell, known as Bash, aka the GNU Bourne Again Shell, leaving countless websites, servers, PCs, OS X Macs, various home routers, and many more open to the cyber criminals.
Earlier today, Stephane Chazelas
publicly disclosed the technical details of the remote code execution vulnerability
in Bash which affects most of the Linux distributions and servers worldwide.
REMOTELY EXPLOITABLE SHELLSHOCK
The vulnerability (CVE-2014-6271) affects versions 1.14 through 4.3 of GNU Bash and being named as Bash Bug, and Shellshock by the Security researchers on the Internet discussions.
According to the technical details, a hacker could exploit this bash bug to execute shell commands remotely on a target machine using specifically crafted variables. “In many common configurations, this vulnerability is exploitable over the network,” Stephane said.
This 22-year-old vulnerability stems from the way bash handles specially-formatted environment variables, namely exported shell functions. When assigning a function to a variable, trailing code in the function definition will be executed.
BASH BUG AFFECTS MILLIONS OF SYSTEMS
While bash is not directly used by remote users, but it is a common shell for evaluating and executing commands from other programs, such as web server or the mail server. So if an application calls the Bash shell command via web HTTP or a Common-Gateway Interface (CGI) in a way that allows a user to insert data, the web server could be hacked.