Which home routers are affected by Shellshock

Bash bug: New vulnerability is more far-reaching than Heartbleed

Michael Mercenary

A vulnerability in the Unix shell Bash could put networks at risk for years. How to check whether your systems are affected.

Shellshock endangers systems with the Unix shell Bash

Akamai's security researcher Stephane Chazelas has discovered a far-reaching vulnerability in the Unix shell Bash. The flaw, called Shellshock, affects Linux systems, computers running OS X, routers and networked household appliances.

Attackers can use Shellshock to execute code on affected machines. What makes it particularly troubling is that the flaw has apparently been present in Bash for years. In addition, a large number of devices are affected; routers in particular could serve as a gateway for attackers.

Patches that prevent Shellshock have already been published for major Linux distributions such as Red Hat, Fedora, CentOS, Ubuntu and Debian. Nevertheless, security researchers assume that the vulnerability will remain open on millions of devices for many years to come. In contrast to Heartbleed, a flaw that only affected a certain version of OpenSSL, the bug in Bash can be exploited on almost all devices that can be reached through this interface.

Jen Ellis, an employee of the security company Rapid7, does not anticipate effects as far-reaching as with Heartbleed: in Ellis's opinion, a large number of the systems that can be addressed via Bash will not be attacked remotely. In order to exploit the bug, an attacker would have to be able to send an environment variable to a program with network access, which in turn would have to be implemented in Bash. The attack would also have to be redesigned for each program. Heartbleed would be much easier to exploit in comparison.

A simple command can be used to find out whether the Bash in use is susceptible to Shellshock:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the console prints "vulnerable", a new version of Bash should urgently be installed. If, on the other hand, the output contains "ignoring function", then your own system is safe.
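The check above wrapped in a script, as an added example that is not part of the original article: it runs the article's test command against each Bash binary it finds and classifies the output. The function names and the list of candidate paths are assumptions; the script also treats a Bash that prints only the test line, with no warning, as patched, because current Bash builds behave that way.

```shell
#!/bin/sh
# Added example: run the article's Shellshock check against every local
# Bash binary and classify the result. Function names are hypothetical.

# classify_probe_output TEXT
# Prints VULNERABLE, PATCHED or UNKNOWN for the captured probe output.
classify_probe_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        # The command smuggled in behind the function definition was executed.
        echo "VULNERABLE"
    elif printf '%s\n' "$1" | grep -q 'ignoring function'; then
        # Bash refused the function definition and warned about it.
        echo "PATCHED"
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        # Only the test line appeared: the variable was treated as plain text.
        echo "PATCHED"
    else
        # Binary missing, not Bash, or output not recognised.
        echo "UNKNOWN"
    fi
}

# probe_bash PATH
# Runs the test command with the given Bash binary and prints the verdict.
probe_bash() {
    bash_bin=$1
    if [ ! -x "$bash_bin" ]; then
        echo "UNKNOWN"
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1)
    classify_probe_output "$out"
}

# A system can carry more than one Bash (distribution package, manual
# install). The paths below are assumed common locations, not a full list.
for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
    if [ -x "$candidate" ]; then
        printf '%s: %s\n' "$candidate" "$(probe_bash "$candidate")"
    fi
done
```

Any binary reported as VULNERABLE needs the vendor's Bash update, even if another copy on the same machine is already patched.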

Sometimes there are no updates available for your own distribution. Apple is expected to protect OS X against Shellshock shortly. Nevertheless, the flaw will remain for a long time on older devices that cannot be secured with a patch. Attackers could use this hardware to gain access to the otherwise protected home network.

Shellshock is once again a reminder for users to install available security updates as quickly as possible, not to run programs received by e-mail and generally to invest more time in the security of the home network.