
Anatomy of a Breach: Shellshock — The 25-Year-Old Bash Bug That Threatened Billions of Devices

> series: anatomy_of_a_breach —— part: 070 —— vulnerability: cve-2014-6271 —— age: 25_years —— affected: billions_of_devices

Hedgehog Security 31 October 2014 13 min read

A 25-year-old bug in the shell. Billions of devices at risk.

On 24 September 2014, CVE-2014-6271 was publicly disclosed — a critical vulnerability in GNU Bash, the default command-line shell on virtually every Linux, Unix, and macOS system in the world. The bug, dubbed 'Shellshock', had been present in Bash since version 1.03, released in September 1989 — meaning it had existed undetected for 25 years. The vulnerability allowed an attacker to append arbitrary commands to an environment variable shaped like an exported function definition; Bash would execute those commands when it started and imported its environment — enabling remote code execution on any system where a network service passed attacker-controlled data to Bash through the environment.

The impact was staggering in scope. US-CERT issued an emergency alert rated at the maximum severity. Web servers running CGI scripts, SSH servers, DHCP clients, mail servers, and countless embedded devices — from routers and network appliances to IoT devices and industrial control systems — were potentially vulnerable. Unlike Heartbleed (which allowed memory disclosure), Shellshock allowed direct command execution — enabling attackers to install malware, create backdoors, steal data, or take complete control of vulnerable systems. Automated exploitation began within hours of disclosure.



Environment variables as code execution vectors.

Shellshock — Exploitation Example (Simplified)

```bash
# Normal environment variable:
VAR="hello world"

# Shellshock exploit — appending a command to a function definition:
VAR='() { :; }; /bin/cat /etc/passwd'

# An unpatched Bash runs /bin/cat /etc/passwd while importing this exported
# variable at startup, before it does whatever it was actually invoked to do.
# Any command can be substituted — malware download, backdoor, etc.

# Web server exploitation via CGI:
curl -A '() { :; }; /bin/bash -c "cat /etc/passwd"' http://target/cgi-bin/script
# The CGI interface hands the User-Agent header to the script as the
# HTTP_USER_AGENT environment variable; if the script is Bash (or spawns it),
# Bash imports the variable and executes the appended command.
```
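The check below is an added example, not part of the original article: it uses the widely published test string for CVE-2014-6271 to confirm, locally and without touching any network service, whether the Bash on a host still imports function definitions from ordinary environment variables. It assumes a `bash` binary on PATH (or a path passed as the first argument) and that `grep -o` is available. The second function shows what the fix changed: exported functions still work, but only under a reserved variable name, so an ordinary variable that happens to begin with `() {` is treated as plain data.

```shell
#!/bin/sh
# Added example (not from the article): local Shellshock patch check.
# The environment variable x holds a no-op function followed by an echo.
# On an unpatched bash the echo runs while the shell imports its environment,
# before the -c command is even looked at.

shellshock_status() {
    bash_bin="${1:-bash}"    # bash to test; defaults to the one on PATH (assumption)
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "bash-not-found"
        return 0
    fi
    out=$(env x='() { :; }; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "VULNERABLE" ;;
        *)            echo "patched" ;;
    esac
}

# Patched bash still supports 'export -f', but carries the function in a
# reserved variable (BASH_FUNC_<name>%% upstream, BASH_FUNC_<name>() in some
# vendor backports). Print the name bash uses on this host.
exported_function_env_name() {
    bash -c 'f() { :; }; export -f f; env' 2>/dev/null | grep -o '^BASH_FUNC_f[^=]*'
}

echo "shellshock check: $(shellshock_status)"
echo "exported-function variable name: $(exported_function_env_name)"
```

Run it on each host (or against a specific binary such as an embedded device's `/bin/bash` mounted from a firmware image); a result of `VULNERABLE` means the host needs the Bash update before anything else, and `bash-not-found` means the system uses another shell and is out of scope for this particular bug.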

25 years old, everywhere, and trivially exploitable.

Ubiquitous Deployment
Bash is the default shell on virtually every Linux and Unix system — from web servers and cloud instances to routers, NAS devices, and embedded systems. The attack surface was measured in billions of devices. Our <a href="/vulnerability-scanning">vulnerability scanning</a> identifies Shellshock-vulnerable systems across your infrastructure.
Remote Code Execution
Shellshock allowed arbitrary command execution — the most severe category of vulnerability. An attacker could install rootkits, create persistent backdoors, exfiltrate data, or pivot to other systems on the network. Our <a href="/penetration-testing/infrastructure">infrastructure penetration testing</a> assesses the exploitability of command injection vulnerabilities.
IoT and Embedded Devices
Many embedded devices — routers, network appliances, printers, cameras — run Bash and cannot be easily patched. Some may never receive patches from their manufacturers. These 'forever vulnerable' devices persist in networks indefinitely. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for exploitation attempts against known vulnerable devices.
25 Years Undetected
Like <a href="/blog/anatomy-of-a-breach-heartbleed">Heartbleed's</a> two years, Shellshock's 25-year latency demonstrated that critical vulnerabilities can hide in widely-used software for decades. Code review, fuzzing, and security testing of infrastructure components — not just applications — are essential. <a href="/cyber-essentials">Cyber Essentials Danzell</a> mandates 14-day critical patching to close these vulnerabilities once disclosed.

Patch immediately. Monitor everything. Test continuously.

Shellshock required the same response as Heartbleed: immediate patching of all vulnerable systems, monitoring for exploitation attempts, and assessment of whether the vulnerability had been exploited before patch deployment. For systems that could not be patched (embedded devices, legacy systems), compensating controls — network segmentation, WAF rules, and monitoring — were required.
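For the monitoring step, the script below is an added example rather than anything from the article or from Hedgehog Security's tooling. It triages a web server's combined-format access log for Shellshock attempts: every payload has to begin with a Bash function definition, so the `() {` prefix (with optional whitespace) in the request line, Referer or User-Agent is the signature to match, whatever command follows it. The five log lines are constructed for the example and use documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the article): triage of Shellshock attempts in an
# Apache/nginx combined-format access log. Sample lines are constructed.

SAMPLE_LOG='198.51.100.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c \"cat /etc/passwd\""
203.0.113.9 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; /bin/ping -c 1 198.51.100.7" "-"
192.0.2.44 - - [25/Sep/2014:10:02:30 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 128 "-" "curl/7.38.0"
192.0.2.44 - - [25/Sep/2014:10:02:41 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 128 "-" "() { :; }; /usr/bin/id"'

# Print every log line carrying a function-definition prefix. Reads the files
# given as arguments, or stdin when none are given.
shellshock_log_hits() {
    grep -E '\(\)[[:space:]]*\{' "$@"
}

# Number of matching lines in the constructed sample.
sample_hit_count() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_log_hits | wc -l | tr -d ' '
}

# Distinct source addresses behind the attempts, sorted, one per line.
sample_sources() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_log_hits | awk '{ print $1 }' | sort -u
}

# Request paths that were targeted, so the CGI scripts behind them are
# checked (and their logs and process accounting reviewed) first.
sample_targets() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_log_hits \
        | awk -F'"' '{ split($2, r, " "); print r[2] }' | sort -u
}

echo "hits: $(sample_hit_count)"
echo "sources:"; sample_sources
echo "targets:"; sample_targets
```

On a real server, point `shellshock_log_hits` at the access logs from the disclosure date onward (`shellshock_log_hits /var/log/apache2/access.log*`); a hit against a path that served a Bash-backed CGI script before the patch was applied is the trigger for the "was it exploited before we patched" assessment described above, not merely a scan to be blocked.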

Cyber Essentials Danzell mandates that critical patches are applied within 14 days — a control that addresses Shellshock directly. Our vulnerability scanning identifies Shellshock-vulnerable systems. Infrastructure penetration testing validates that patches have been applied and that compensating controls are effective for systems that cannot be patched. SOC in a Box monitors for Shellshock exploitation attempts. And UK Cyber Defence provides incident response when exploitation is detected.


Shellshock hid for 25 years. Heartbleed hid for two. What is hiding in your infrastructure?

<a href="/vulnerability-scanning">Vulnerability scanning</a> finds what is hiding. <a href="/penetration-testing/infrastructure">Penetration testing</a> validates patches. <a href="/cyber-essentials">Cyber Essentials</a> mandates 14-day critical patching.
