The United States Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) issued a security alert this week to users of Unix-based operating systems about “Shellshock,” a newly discovered security vulnerability. The alert indicated that the vulnerability is in Bash, the command-line shell that programmers and system administrators use to run commands and launch programs, and that many other programs (web servers, for example) call behind the scenes without the user ever seeing it. According to US-CERT, “[M]any UNIX-like operating systems, including Linux distributions … and Apple Mac OS X include Bash and are likely to be affected.” In terms that make sense for non-computer scientists, this means that if an attacker can get text into a vulnerable system, for instance in an ordinary web request, Bash can be tricked into running commands appended to that text, so the attacker can execute commands remotely and potentially take over the entire operating system. This means that the attacker can not only get access to data, including high-risk and sensitive data, but can actually take control of the system.
Unfortunately, the alert stated, “[I]t is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways.” Although several patches are available, US-CERT further acknowledged that the first round of patches may not have fully resolved the issue and advised operators to install updated patches as they become available. Operators should therefore re-test a system after patching rather than assume the first update was sufficient, and watch for follow-up updates from their operating system vendor.
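To make the mechanism described above concrete, and to give operators a way to act on the point that the first patches were incomplete, here is an added example that is not part of the US-CERT alert or this article. It is a POSIX shell script that runs the two widely circulated canary tests against the local bash binary: the original trick of appending a command to a function definition passed through the environment (tracked as CVE-2014-6271), and the follow-up test for the parser bug that the first patch left open (tracked as CVE-2014-7169). The function names, the exit-code convention and the report wrapper are this example’s own; nothing here is the alert’s or any vendor’s code.

```shell
#!/bin/sh
# Added example (not from the US-CERT alert or the article): two canary
# tests for Shellshock against the local bash.  Function names and exit
# codes are this example's own convention.
#
# Why the first test works: a pre-fix bash imported any environment
# variable whose value begins with "() {" as a shell function, and its
# parser kept going past the closing brace, so anything appended after "}"
# ran as a command the moment the child bash started.  A CGI web server,
# for instance, copies request headers into variables such as
# HTTP_USER_AGENT, which is how the bug became remotely reachable.

# Exit status: 0 = not vulnerable, 1 = VULNERABLE, 2 = could not test.
shellshock_check_6271() {
    bash_bin=$(command -v bash 2>/dev/null) || return 2
    # Canary: an empty function body ":" followed by the injected command.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;   # the appended echo ran: exploitable
        *)            return 0 ;;   # only "test" printed: import is fixed
    esac
}

# The first patch (CVE-2014-6271) left a parser bug (CVE-2014-7169): a
# definition ending in "(a)=>\" leaves bash expecting a redirection, so the
# -c script "echo date" is parsed as ">echo date", i.e. run "date" with its
# output redirected into a file named "echo".  Run it in a scratch
# directory and look for that file.
shellshock_check_7169() {
    bash_bin=$(command -v bash 2>/dev/null) || return 2
    tmp=$(mktemp -d 2>/dev/null) || return 2
    (cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1)
    if [ -f "$tmp/echo" ]; then found=1; else found=0; fi
    rm -rf "$tmp"
    return "$found"
}

# Human-readable report for one check; the check's exit status is kept in
# REPORT_RC so a calling script can act on it.
report() {
    rc=0
    "$1" || rc=$?
    case "$rc" in
        0) echo "$1: not vulnerable" ;;
        1) echo "$1: VULNERABLE - patch bash and re-run this script" ;;
        *) echo "$1: could not test (is bash installed?)" ;;
    esac
    REPORT_RC=$rc
}

report shellshock_check_6271
report shellshock_check_7169
```

Run the script before and after applying a vendor update; a system that passes the first check but fails the second has only the incomplete first-round patch and still needs the follow-up update. Both checks run entirely on the local machine and do not send anything over the network.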
US-CERT rates Shellshock 10 out of 10 for the severity of its impact, the highest score possible, and rates the complexity of an attack as “low,” which means that exploiting it is easy and requires no special conditions. Both of those ratings are as bad as they get. Pay attention to these alerts from US-CERT and act on them as soon as possible to protect your system.