Security Experts:

Connect with us

Hi, what are you looking for?



Shellshock Attacks Still Cheap and Easy: IBM

Two and a half years after being discovered, the Shellshock vulnerability continues to be abused in attacks, and for a good reason: it is a very cheap and easy attack, IBM says.

Two and a half years after being discovered, the Shellshock vulnerability continues to be abused in attacks, and for a good reason: it is a very cheap and easy attack, IBM says.

Discovered in September 2014, Shellshock is a vulnerability found within the bourne-again shell (BASH), the default command shell in almost each and every Linux and Unix system at the time. An attacker able to abuse the security flaw could execute commands with super-user privileges remotely.

Tracked as CVE-2014-6271, the issue was found to affect a great deal of devices, including Web servers and Internet-of-Things (IoT) devices such as DVRs, printers, automotive entertainment systems, routers and even manufacturing systems. Mac OS X systems were also impacted.

With many applications relying on BASH, an attacker could exploit the vulnerability by sending a command sequence to the web server to be interpreted with the BASH. Attacks abusing the security issue were reported immediately after the vulnerability became public knowledge.

In July 2015, researchers warned that Shellshock was still being abused, and the attacks continue nearly two years later. Many vulnerable devices haven’t been patched to this day, and attackers are enticed to continue hitting those targets.

“Attackers need only a server, basic programming skills and access to malware to carry out this type of attack. The level of knowledge and effort required is quite low. Fraudsters can simply launch attacks against hundreds of different IP addresses per minute and wait to hit a vulnerable server by chance,” IBM’s Joerg Stephan explains.

To carry out a Shellshock attack, an attacker only needs to spend around $5 a month, Stephan says. For just over $30, an attacker could target around 1 million servers within a six-month period, which could translate into 100,000 victims, as roughly 10% of all servers remain unpatched, IBM says.

To set up the attack, an actor would need a webserver to host the malicious code, which can be an Apache or lighthttp server. To show just how simple it would be to come up with the necessary code, IBM’s researcher published some basic Python code that can do the trick.

A bash script would download a bot from the server, save it to a certain path, make the file executable and run it, and could also include a line to execute the bot after each reboot, for persistence. Next, an attacker would need to get the target to execute the BASH script and execute it, to exploit Shellshock.

“With some more scripting effort, you could easily execute the curl statement against a full network range, or even the whole internet, but it will take a while,” the researcher says. In the end, however, the verdict stands: setting up a server to run Shellshock attacks for months is so cheap that the vulnerability continues to be of interest.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.