Shellshock Is Not One Bug, But A Family of Bugs

Over the past week or so, I’ve seen a lot of articles and blog posts about Shellshock, and many of them refer to Shellshock as a single bug, even though it is really a family of related bugs. Further confusion potentially resulted from reports that patches for the first bug were incomplete.

That the articles talk about Shellshock as if the name refers to only one bug doesn’t mean the articles are wrong. Many of them were written around September 25, which, based on the revision dates in a US-CERT article, was likely when US-CERT likely posted about the first bug in the family, and the authors were simply being diligent about releasing important information to the public.

US-CERT uses the CVE system to identify bugs. The initial bug many articles reported was CVE-2014-6271. Currently, US-CERT also lists CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE 2014-6278 as part of Shellshock.

As you browse the Web to check whether your particular router, web server, Linux system, Mac system, etc. has updated software or firmware, just keep in mind that to be protected against all currently known bugs in this family, you need to patch against all of the above CVEs (as of the time this post is being written). Take a look at this Redhat article, for example. Notice that their test gives a different output depending on whether the Bash version in question has no fixes at all, a fix for only CVE-2014-6271, and so on.

In short, the term “Shellshock” doesn’t just refer to one CVE, but all of the ones currently listed by US-CERT, and possibly more as new related bugs are discovered.

Leave a Reply

Your email address will not be published. Required fields are marked *