
BASH Shell Security Issue

We at INFINIT are always on top of all security threats. This latest threat affects the BASH shell, used by many UNIX and Linux systems.

BASH Vulnerability CVE-2014-6271 Security Brief


On 9/24/2014, a vulnerability in BASH (Bourne-Again SHell) was discovered and reported to the National Institute of Standards and Technology (NIST). The vulnerability has been assigned CVE-2014-6271. BASH is installed on most UNIX and Linux systems and is commonly configured as the default shell.

The vulnerability takes advantage of how BASH processes environment variables to execute commands on the target system. An attacker can set environment variables through any channel that lets them interact with or pass input to BASH.


The system is vulnerable through authenticated or brute-forced SSH/telnet sessions and via exposed web libraries (CGI, Python, Perl, etc.) that are configured to pass input to a shell script which uses BASH as the interpreter. The vulnerability is remotely exploitable via the Internet if any of these services are exposed to the Internet. Common ports for web services include 80, 8080, and 443; however, many web management interfaces are configured to use custom ports. Please check your vendor's configuration documentation to determine which port your service uses.

Exploits for this vulnerability have been published and are easily obtainable. The vulnerability is not limited to “Servers”. Appliances and devices with a web interface or exposed shell interface are also vulnerable. Examples include web management interfaces for appliances and devices such as IP phones, network attached storage devices, and wireless routers with web interfaces, as well as other web services.


It is recommended to patch BASH at the earliest opportunity. Please check your operating system and vendor websites for patch availability. Most popular operating systems, such as CentOS, Ubuntu, and Red Hat, have already released patches for this vulnerability. Any appliances and virtual appliances running UNIX or Linux may be vulnerable as well, so please include them in any testing and patching conducted.
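A local check that can be run on each host or appliance shell before and after patching, as an added example that is not part of the original brief. The marker string, the variable name `canary`, and the function names are constructed for this example; it assumes `/etc/shells` lists the installed shells.

```shell
#!/bin/sh
# Added example, not from the original post: local check for CVE-2014-6271.
# MARKER and the variable name "canary" are constructed for this example.
MARKER="CVE-2014-6271-canary"

# check_bash PATH
# Prints "vulnerable", "not vulnerable" or "missing" for one shell binary.
check_bash() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 2
    fi
    # An unpatched BASH executes the text that trails a function definition
    # in an imported environment variable; a patched BASH does not, so the
    # marker is printed only by a vulnerable binary.
    output=$(env canary="() { :;}; echo $MARKER" \
        "$shell_path" -c 'echo probe' 2>/dev/null) || true
    case $output in
        *"$MARKER"*) echo "vulnerable"; return 1 ;;
        *)           echo "not vulnerable"; return 0 ;;
    esac
}

# audit_shells [FILE]
# Checks every bash path listed in FILE (default /etc/shells) plus the bash
# found on PATH. Prints "<path>: <result>"; returns 1 if any is vulnerable.
audit_shells() {
    list=${1:-/etc/shells}
    status=0
    candidates=$( { grep -E '^/.*/bash$' "$list" 2>/dev/null || true
                    command -v bash || true; } | sort -u )
    for path in $candidates; do
        result=$(check_bash "$path") || true
        echo "$path: $result"
        if [ "$result" = "vulnerable" ]; then status=1; fi
    done
    return $status
}

# Run the audit only when executed with the argument "audit",
# e.g.  sh check_bash.sh audit
if [ "${1:-}" = "audit" ]; then audit_shells; fi
```

A "not vulnerable" result covers only CVE-2014-6271 on the binary that was tested; appliances that ship their own copy of BASH need the check run against that copy.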


CVSS Score

10 (HIGH)

Impact Score


Exploitability Score


Exploits Available?


Remotely Exploitable?



Redhat Security Blog

NIST CVD Listing

Redhat Resolution Post

CentOS Post

Novell Post

Manual Method for Testing If Your Operating System is Vulnerable

Technical Information About the Vulnerability


Test here to see if you are vulnerable:
