Shellshock is the collective name for a series of Linux security issues in the Bash shell. Bash is the default shell in many Linux distributions, which meant that the effects of the bugs were particularly widespread.
Note: The vulnerability did not affect Windows systems as Windows does not use the Bash shell.
In September 2014, Stéphane Chazelas, a security researcher, discovered the first issue in Bash and privately reported it to the developer responsible for maintaining Bash. He worked with the maintainer, and a patch was developed that resolved the issue. Once the patch was released and available for download, the nature of the bug was disclosed to the public near the end of September.
Within hours of the announcement, the bug was being exploited in the wild, and within a day botnets based on the exploit were already being used to perform DDoS attacks and vulnerability scans. Even though a patch was already available, people weren’t able to deploy it fast enough to avoid the rush of exploitation.
Over the next few days, five more related vulnerabilities were identified. Again, patches were rapidly developed and released, but despite active exploitation the updates were not necessarily applied immediately, or even available immediately in all cases, leading to more compromised machines.
The vulnerabilities could be reached through a variety of vectors. CGI-based web servers incorrectly handled system calls. OpenSSH server allowed an elevation of privilege from a restricted shell to an unrestricted shell. Malicious DHCP servers were able to execute code on vulnerable DHCP clients. Qmail allowed exploitation when processing messages. The IBM HMC restricted shell could be exploited to gain access to a full Bash shell.
Due to the widespread nature of the bug as well as the severity of the vulnerabilities and the rush of exploitation, Shellshock is often compared to “Heartbleed”. Heartbleed was a vulnerability in OpenSSL that leaked the contents of memory without any user interaction.