A few days ago, a bug that has existed for the last 21 years in all machines running one form or another of UNIX-based operating systems was discovered for the very first time. Since it exists in the bash shell, it affects more or less all systems that use bash, including all types of servers, mobile devices, desktop computers and more. The ShellShocker bug has been given a score of 10 out of 10 (the highest possible vulnerability rating) in the CVSS (Common Vulnerability Scoring System) rating system. The Heartbleed bug, which was discovered earlier in OpenSSL, was given a CVSS score of 5 out of 10.
What is the ShellShocker bug?
The ShellShocker bug is a vulnerability in the bash shell. When a specially crafted string is stored inside an environment variable, an affected bash shell executes the code in it as soon as it starts. Even a few lines of executable code stored inside an environment variable this way get executed. A hacker targeting you can use this to do almost anything: run DDoS attacks from your computer, steal your information, download programs and much more.
How to check if your Linux machine is affected?
In general, if you have not updated your Linux machine to the latest version of the bash shell, it is affected. But there is an easy way to check whether your bash shell is affected by this bug: store code that displays a string (using the echo command) inside an environment variable, and if the code is executed, your system is affected.
You can launch the Terminal in Linux with the hotkey Ctrl+Alt+T, then copy and paste the following command and press the Enter key (if you type the command manually, you may miss some of the spaces):
If you see the word “vulnerable” appear, then your version of the bash shell is affected by the ShellShocker bug. The phrase “this should be shown” should appear; if it does not, you have typed the command incorrectly.
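The check described above, written as a small script: this is an added example rather than the original post's command, and the variable name probe and the function names are choices made for the example. It stores a harmless echo after a function-style value in an environment variable, starts bash, and reports a verdict based on the two phrases mentioned above.

```shell
#!/bin/sh
# Added example: probe a bash binary for the ShellShocker bug with a harmless echo.
# The variable name "probe" and all function names are choices made for this example.

# probe_bash PATH: start the given bash with a function-style value in its
# environment and print whatever it outputs. An affected bash runs the trailing
# "echo vulnerable" while starting up; a fixed bash treats the value as plain text.
probe_bash() {
    env probe='() { :;}; echo vulnerable' "$1" -c 'echo this should be shown' \
        2>/dev/null || true
}

# classify_output TEXT: turn probe output into a verdict.
classify_output() {
    case "$1" in
        *"this should be shown"*)
            case "$1" in
                *vulnerable*) echo "affected" ;;
                *)            echo "not-affected" ;;
            esac ;;
        # The control phrase is missing, so the probe itself did not run
        # (wrong path, not a bash binary, or a mistyped command).
        *) echo "probe-failed" ;;
    esac
}

# check_bash PATH: probe one binary and print its verdict.
check_bash() {
    classify_output "$(probe_bash "$1")"
}

# Check the bash on PATH, or the binary given as the first argument.
target="${1:-$(command -v bash || true)}"
if [ -n "$target" ]; then
    echo "$target: $(check_bash "$target")"
else
    echo "no bash found on PATH"
fi
```

Run it again after updating bash to confirm that the verdict changes to not-affected.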
What to do if your system is affected?
If your system is affected, you should get the latest version of the bash shell for your machine. In Ubuntu you can do this by issuing the command sudo apt-get update; sudo apt-get upgrade; in the terminal. If your Linux provider does not offer an update for bash, you can download the source code and try building it yourself.
Conclusion: The ShellShocker bug is a very high-risk threat for all UNIX-based machines, including both Linux and Mac. You should update the bash shell on your system immediately, before the bug starts to be used widely for all sorts of cybercriminal activities.
For more information about the ShellShocker bug, you can visit http://shellshocker.net.