HathiTrust Statement on US-CERT CVE-2014-6271/CVE-2014-7169, "Shellshock" Bash Vulnerability

October 7, 2014

On September 24, the US Computer Emergency Readiness Team (US-CERT) announced a serious vulnerability in bash, a system-level command environment and scripting interface that is ubiquitous in Linux and Unix systems.

The vulnerability allows attackers to execute arbitrary commands on web servers via specially-crafted requests.

In short,

  • HathiTrust infrastructure was only negligibly vulnerable, as there was only one user interface function in HathiTrust that employed bash, and that function require authenticated access.
  • Developers resolved this limited vulnerability by removing the use of bash for this user interface function on September 25 at 11:20am ET, approximately 25 hours after the vulnerability was widely announced.
  • Per standard security practice, bash was updated on HathiTrust systems later the same day, at 5:35pm ET, when a fix was made available.

Additionally, HathiTrust web service architecture employs a common security feature known as privilege separation, wherein web applications have minimal system privilege. This feature substantially limits the impact of attacks via vulnerabilities such as Shellshock that rely on web applications with broad system privilege.

Additional details about the vulnerability itself:

  • The concept of a "shell" in Linux or Unix systems refers to a thin (simple) layer around the core of the operating system that provides a basic command-line interface to the system for human users. The Bourne Shell, sh, was the original shell. The Bourne-Again Shell, bash, is its modern descendant, by far the most popular shell in use today. Hence, the vulnerability is referred to as "Shellshock".
  • Shellshock received broad publicity, similar to the Heartbleed vulnerability earlier this year, primarily because of a) its widespread nature and b) the relative simplicity of exploiting it. The actual vulnerabilities are quite different. Whereas Heartbleed left sensitive information vulnerable to exposure, Shellshock allowed for arbitrary (shell) commands to be run (subject to the limitations of privilege separation, above).

See US-CERT TA14-268A [] for additional information.