ShellShock Security Vulnerability: Bigger than Heartbleed

What is the security vulnerability?

Akamai security researcher Stephane Chazelas has discovered a devastating security vulnerability that affects many web servers, internet routing devices and MacOS X computers. The vulnerability allows an attacker to remotely execute code using Bash. Bash is an application that lets users type commands which cause actions on a server.

How does the security vulnerability affect our organisation?

Bash is a program that is a vital component of Unix/Linux based operating systems (similar to the Command Prompt on Windows). The vulnerability allows an attacker to execute deep-level commands without the required administrator access.

In simple terms, Unix/Linux is an operating system similar to Microsoft Windows. It is the software on a computer that enables the user to interact with the computer and the computer hardware to perform desired functions. Typically, Unix/Linux operating systems are used because they're open source and have no licence fees. Many web servers, for example, use these operating systems, so your web site may be vulnerable to this attack.

It is also highly likely your organisation could be using a Unix/Linux based operating system without you being aware of it! 

Devices that include the Bash program include:

  • MacOS X computers
  • Linux computers
  • Many Web Servers that run Unix/Linux (Most likely your current web host)
  • Internet routers / gateways

According to ZNET, this vulnerability is already being exploited in the wild.

CommunityCRM have patched their production servers to protect our hosted CRMs from being vulnerable to this type of attack. This means if you host your CRM with us, your web site is not at risk of being compromised by this attack.

How can I check if I'm vulnerable?

You will need to execute the test command below which may involve some technical knowledge. If that sounds scary or too technical, just ask your technical person to run the following command on any potentially affected device:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the device outputs the word "vulnerable", then it is vulnerable to the attack. You will need to ensure your device is properly patched to protect against this attack.
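
The same check, wrapped as an added example (not part of the original article) so that it can be run against every Bash binary on a machine and give a clear verdict for each. The function names are this example's own, and it assumes Bash is on the PATH or listed in /etc/shells.

```shell
#!/bin/sh
# Added example: runs the article's test command against each Bash binary.
# classify_output, check_bash and check_all are names chosen for this example.

# Turn the captured output of the test command into a verdict.
classify_output() {
    case "$1" in
        *vulnerable*)       echo "VULNERABLE" ;;
        *"this is a test"*) echo "not vulnerable" ;;
        *)                  echo "inconclusive" ;;
    esac
}

# Run the article's test against the Bash binary given as $1.
check_bash() {
    if [ ! -x "$1" ]; then
        echo "not found"
        return 0
    fi
    # stderr is discarded so that only what the command echoes is classified.
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>/dev/null) || true
    classify_output "$out"
}

# Check the Bash on PATH plus any listed in /etc/shells (assumed locations;
# paths containing spaces are not handled).
check_all() {
    candidates=$(command -v bash 2>/dev/null || true)
    if [ -r /etc/shells ]; then
        candidates="$candidates $(grep -E '^/.*/bash$' /etc/shells || true)"
    fi
    for b in $(printf '%s\n' $candidates | sort -u); do
        printf '%s: %s\n' "$b" "$(check_bash "$b")"
    done
}

check_all
```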

Patch Information

For CentOS:

For Ubuntu:

For Debian:

For MacOS X:

  • Check using Apple's Software Update service.

For Redhat:

More Information

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271