
Tech Firms Begin Rolling Out Patches For ‘Shellshock’ Bug

Security Information on CVE-2014-6271

Several organizations that use the GNU Bourne Again Shell (Bash) in their products have been hard at work producing software updates to address the recently discovered vulnerability dubbed “Shellshock” or “Bash Bug.”

GNU Bash is a command-line shell used in Linux, Unix and Mac OS X operating systems. It is installed not only on personal computers and servers, but also on many connected “Internet of Things” (IoT) devices. The vulnerability (CVE-2014-6271) affects Bash versions 1.14 through 4.3, which at the time of disclosure meant every release still in use. It stems from the way Bash imports shell functions from environment variables: when a variable's value begins with the function-definition syntax, Bash did not stop parsing at the end of the function body and went on to execute whatever text followed it. Because many network-facing programs hand attacker-controlled input to Bash through the environment (CGI web applications pass HTTP request headers this way, and some DHCP clients and SSH ForceCommand setups do the same with other input), the flaw can be exploited remotely to execute arbitrary commands and take over affected machines.

Red Hat published a security update shortly after the existence of Shellshock came to light. However, it soon became clear that the fix had been incomplete since, according to Red Hat, “Bash still allowed certain characters to be injected into other environments via specially crafted environment variables.” This second issue has been assigned CVE-2014-7169.
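The two checks that administrators used to triage the original bug and the incomplete fix, as an added example (this script is not from the SecurityWeek article or from any vendor advisory; the function names and the probe strings are the editor's own). It assumes only that the Bash build under test is on PATH as `bash`. It first shows the legitimate feature the bug abused, namely passing a shell function to a child shell through the environment, then runs the CVE-2014-6271 probe, the CVE-2014-7169 file-creation probe, and a constructed HTTP header of the kind a CGI server would export as HTTP_USER_AGENT.

```shell
#!/bin/sh
# Added example, not code from the article or from any vendor.
# Assumption: the bash binary to test is reachable on PATH as "bash".
# The script itself stays POSIX sh so it can be run from any shell.

# 1) The legitimate feature the bug abused: bash exports a function to a
#    child shell through the environment, and the child imports it at
#    startup. Unpatched builds kept parsing past the closing brace.
exported_function_demo() {
    command -v bash >/dev/null 2>&1 || { echo "bash-not-found"; return 2; }
    bash -c 'greet() { echo "hello from exported function"; }
             export -f greet
             bash -c greet'
}

# 2) CVE-2014-6271: text after the function body runs as soon as the
#    child bash imports the variable. A vulnerable build echoes the
#    VULNERABLE marker before running the requested command.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo "bash-not-found"; return 2; }
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# 3) CVE-2014-7169: the first fix still let a crafted value leak
#    characters into the parser. The well-known probe turns "echo" into
#    a redirection target, so a vulnerable build creates a file named
#    "echo" in the current directory instead of printing the word.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo "bash-not-found"; return 2; }
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        rm -rf "$dir"; echo "vulnerable"; return 1
    fi
    rm -rf "$dir"; echo "patched"; return 0
}

# 4) Why it was remotely exploitable: CGI hands request headers to the
#    handler as environment variables (User-Agent -> HTTP_USER_AGENT).
#    The header value below is constructed for this example. On a
#    vulnerable build the injected command runs before the handler's
#    own first line of output; on a patched build only the handler runs.
simulate_cgi_header() {
    command -v bash >/dev/null 2>&1 || { echo "bash-not-found"; return 2; }
    env HTTP_USER_AGENT='() { :;}; echo INJECTED' \
        bash -c 'echo "Content-Type: text/plain"' 2>/dev/null | head -n 1
}

exported_function_demo
echo "CVE-2014-6271: $(check_cve_2014_6271 || true)"
echo "CVE-2014-7169: $(check_cve_2014_7169 || true)"
echo "first line of CGI output: $(simulate_cgi_header || true)"
```

Run it against each Bash build you ship (including any vendored copies on appliances, not just the distribution package). Both probe functions return exit status 1 when the build is vulnerable, so they drop into inventory scripts cleanly; note that a build that passes the first probe but fails the second has only the incomplete fix described above.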

On Friday, both Red Hat and Fedora released patched versions of Bash to address this second vulnerability as well.

Over the weekend, Cisco confirmed that some of its products are affected by the vulnerability. The list includes network application, service, and acceleration products; network and content security devices; enterprise and service provider routing and switching solutions; unified computing; voice and unified communications devices; and video, streaming, telepresence and transcoding devices.

Several other products that ship with, or rely on, affected versions of Bash are still under investigation, Cisco said in its advisory. The company has released software updates for the products it has confirmed to be affected.

Oracle has also started patching its products against CVE-2014-7169. The company has identified more than 40 products that are vulnerable, but so far it has produced software updates for only six of them: Oracle Database Appliance, Oracle Exadata Storage Server Software, Oracle Exalogic, Oracle Exalytics, Oracle Linux, and the Solaris operating system.

While many members of the security industry have warned that the Shellshock vulnerability might affect a large number of IoT devices, Red Hat has clarified in an FAQ that many embedded devices actually use more lightweight alternatives such as BusyBox, whose built-in shell does not import functions from the environment and is therefore not vulnerable. Devices that do bundle a full Bash build, however, need the same fix as servers.

Mac OS X, which ships its own build of Bash 3.2, is affected by the flaw, but Apple has said that the vast majority of users are not exposed to remote exploitation unless they have configured advanced UNIX services. The company says it is working on a patch for those users. Mac security firm Intego has published a blog post detailing two possible attack scenarios.

In the meantime, cybercriminals have already started exploiting the vulnerability in the wild. Trend Micro has observed several pieces of malware that leverage the flaw, including an IRC bot, so patching exposed hosts should not wait for vendors to finish their product inventories.

Related Reading: What We Know About Shellshock So Far, and Why the Bash Bug Matters

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
