Last updated: April 13, 2016
Red Hat team discovers Shellshock bash vulnerability in Unix/Linux/OS X
A new vulnerability that impacts Unix-based systems has been discovered and announced by a Red Hat security team. Called “Shellshock” (CVE-2014-6271), the Shellshock bash vulnerability allows an attacker to inject malicious code into your machine using a bash script. The National Cyber Awareness System has given the flaw a 10 out of 10 severity rating. Because the vulnerability is said to impact only Unix-based systems, only Unix, Linux and Mac OS X systems are threatened by the flaw.
In the information released by Red Hat, it states:
In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consists of a name which has a value assigned to it. The same is true of the Bash shell. It is common for a lot of programs to run Bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc)
Coming back to the topic, the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the Bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.
Red Hat is strongly urging customers to apply available security patches immediately since the vulnerability is known to be actively attacked in the wild.