Bash ‘Shellshock’ Vulnerability (CVE-2014-6271 & CVE-2014-7169)

A very serious flaw has been found in a critical piece of software that runs on almost all Linux operating systems.

BBC news story:

Dubbed ‘Shellshock’ the flaw allows attackers to potentially take control of a vulnerable system and gain access to all data stored on that system.

We are pleased to report that all critical systems have already been updated with the latest versions of the bash software along with various other routine updates.

It is possible to test for this flaw from a shell script on a Linux system using the following command:

env var='() { ignore this;}; echo vulnerable' bash -c /bin/true

An affected version of bash will output “vulnerable”.

Source for this command along with further information:

If you’re a Mac owner and worried about this, the vast majority of Mac users are in all likelihood safe. You’d need to be running a web server with CGI enabled or some other externally accessible service on your Mac (and by no means all such services expose this vulnerability). More on this here:

Update 29 September 2014

We are starting to see attempts to exploit this bug in our server logs now. Below are just a few examples from the web access log this morning. The code shown here has been directed against 15 different web sites in the last 24 hours:

[28/Sep/2014:05:10:01 +0100] "GET / HTTP/1.1" 200 64428 "-" "() { foo;};echo;/bin/cat /etc/passwd"
[28/Sep/2014:08:21:15 +0100] "GET / HTTP/1.1" 200 11880 "-" "() { foo;};echo;/bin/cat /etc/passwd"
[28/Sep/2014:10:28:42 +0100] "GET / HTTP/1.1" 200 5168 "-" "() { foo;};echo;/bin/cat /etc/passwd"
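Spotting these probes in an access log is a matter of looking for the "() { ...};" function-definition prefix in any client-supplied header that a CGI handler would export into the environment, typically the User-Agent and Referer. The scanner below is an added example, not code from this site; it assumes Apache combined log format (with the client host, which the excerpts above omit) and runs over a few constructed log lines modelled on the entries above.

```python
import re

# Apache "combined" log format: host ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Shellshock trigger: an exported-function body "() { ... }" followed by ";"
# and trailing commands. Probes vary their whitespace, so allow for it.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')

# Constructed sample log (not real traffic); hosts are documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Sep/2014:05:10:01 +0100] "GET / HTTP/1.1" 200 64428 "-" "() { foo;};echo;/bin/cat /etc/passwd"
192.0.2.11 - - [28/Sep/2014:05:12:44 +0100] "GET /index.html HTTP/1.1" 200 5168 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.12 - - [28/Sep/2014:08:21:15 +0100] "GET /cgi-bin/status HTTP/1.1" 200 11880 "() { :;}; echo shellshock-test" "curl/7.37.0"
"""


def parse_line(line: str) -> dict:
    """Split one combined-format line into its fields; returns {} if malformed."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else {}


def is_shellshock_probe(value: str) -> bool:
    """True if a header value carries the "() { ...};" function-definition prefix."""
    return bool(SHELLSHOCK_RE.search(value))


def scan_log(text: str) -> list:
    """Return one hit per line whose Referer or User-Agent looks like a probe."""
    hits = []
    for line in text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue  # unparseable line: skip it rather than abort the scan
        for header in ("referer", "ua"):
            if is_shellshock_probe(fields[header]):
                hits.append({"host": fields["host"], "ts": fields["ts"],
                             "header": header, "value": fields[header]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["host"]} {hit["header"]}: {hit["value"]}')
```

Run it against a real access log with `scan_log(open("/var/log/apache2/access.log").read())`; a hit only shows that a probe arrived, so a patched bash (the test command above prints nothing) is what determines whether it did anything.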
