Shellshock (Bash vulnerability)

Family of 2014 vulnerabilities in GNU Bash allowing remote code execution by smuggling commands through specially crafted environment variables. The original bug had been latent in Bash for roughly 25 years before discovery.

Shellshock is a family of remote-code-execution vulnerabilities in GNU Bash, disclosed publicly on September 24, 2014 by maintainer Chet Ramey after private discovery by Stéphane Chazelas. The root flaw, tracked as CVE-2014-6271, was that Bash parsed function definitions stored inside environment variables on shell startup, and the parser kept executing whatever followed the function body. An attacker who could set an environment variable that a Bash subshell would see could thereby run arbitrary commands.

The exposure was severe because environment variables flow into Bash from many untrusted sources: CGI web requests passing headers as environment variables, DHCP clients, OpenSSH ForceCommand contexts, and other privileged code paths. Internet-facing CGI scripts were the dominant attack surface, and within hours of disclosure attackers were mass-scanning for vulnerable servers. CloudFlare reported roughly 1.5 million Shellshock-related attacks per day by the end of September 2014. Follow-on research uncovered closely related parser bugs in short order, tracked as CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.

The original flaw had been introduced in a commit dated August 5, 1989 and shipped in Bash 1.03 the following month, so vulnerable code had been present for about 25 years in one of the most widely deployed pieces of open source software on the planet. Together with Heartbleed, disclosed five months earlier, Shellshock became one of the two canonical counter-examples to Linus's Law: massive deployment and open source code did not, by themselves, ensure timely discovery of severe defects in critical software infrastructure.
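For defenders reviewing web logs from the CGI attack surface described above, the following added example (not part of the original entry) flags request headers that carry a Bash function definition and reports whatever text follows the function body. The combined log format, the choice of the Referer and User-Agent fields, the brace-matching heuristic, and all sample lines are assumptions constructed for illustration.

```python
import re

# Heuristic: text that looks like the start of a Bash function definition.
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # a quoted log field, allowing \" escapes
# Assumed "combined" log format: request, status, size, Referer, User-Agent.
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)

def trailing_after_body(value):
    """Return text after the function body, '' if none, None if no definition."""
    m = FUNC_DEF.search(value)
    if not m:
        return None
    depth = 0
    for i in range(m.end() - 1, len(value)):  # start at the opening brace
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].lstrip("; \t")
    return ""  # body never closed: still a definition marker, nothing trailing

def scan(lines):
    """Yield (client_ip, header_field, trailing_text) for each suspicious header."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _request, referer, agent = m.groups()
        for field, value in (("referer", referer), ("user-agent", agent)):
            trailing = trailing_after_body(value)
            if trailing is not None:
                findings.append((ip, field, trailing))
    return findings

# Constructed sample lines (documentation IP ranges, harmless marker text).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { :; }; echo constructed-marker"',
    '203.0.113.5 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "() { :; }" "curl/7.38.0"',
]

if __name__ == "__main__":
    for ip, field, trailing in scan(SAMPLE_LOG):
        kind = "definition + trailing code" if trailing else "definition only"
        print(f"{ip} {field}: {kind} {trailing!r}")
```

A non-empty third element is the higher-priority finding, since it is the text after the function body that the flawed parser went on to execute.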

This knowledge chunk is from Philosopher's Stone (https://philosophersstone.ee), an open knowledge commons with 93% confidence.