FSF Issues Statement On Shellshock Bash Vulnerability

  • #11
    Originally posted by johnc View Post
    I have an unpatched version of Ubuntu running Apache on my system right now. How can I break into my system?
    If you have got any CGI scripts, you could be at risk. If they pass any parameters supplied by the user as an environment variable and it is processed by bash, instead of just setting the var it could actually execute a command supplied in that var. Needless to say it is no fun at all.

    No, it would not break into an arbitrary Apache configuration. But if you use CGI scripts, that's a problem. Some people did a simple global scan and found about 3000 servers which suffer from this problem even on a GET / request. Sure, it takes bad luck. However, smarter attacks would do more harm. Say, CPanel would suffer from this problem. At least about 30 000 more servers to pwn for h4x0rz. Hosting companies will have a bad day today. It is hard to even predict how many servers will get compromised. I can estimate it is quite a lot.

    Then you can use ssh to do some jobs. You can limit a job to a single command, etc. to keep risks at a minimum. Yet it can turn out these restrictions are nuff void and such an SSH session can be upgraded to a fully featured interactive session.

    But my favorite would be DHCP pwnage. You've got an IP in this net? Okay, the DHCP owner possibly got root on your system already. So you would really want to update it. That's what I call real pwnage.

    I bet there could be zillions of less obvious examples. All it takes is the ability of an external user to set an environment variable to a desired value somewhere. Since these are often used to exchange parameters and bash is quite common on the way, it's even hard to predict how and where it would backfire.

    And attempts to downplay a serious security problem like this are like smoking on a barrel of gunpowder. Sure, sometimes you can go unharmed. But quite often it just blows up.


    • #12
      Originally posted by nils_ View Post
      Got proof?
      Wikileaks presented the proof months ago and this is indeed happening (things similar to 'great seal bug' for targeted spying), but to this date there is no proof of some well known vendor doing it.
      Intel came close with the discovery of their 'not so random' random number generator and there was a lot of debate whether the CIA had their hands in it, but nobody knows for sure.


      • #13
        Originally posted by fsf
        A major security vulnerability has been discovered in the free software shell GNU Bash. The most serious issues have already been fixed, and a complete fix is well underway. GNU/Linux distributions are working quickly to release updated packages for their users. All Bash users should upgrade immediately, and audit the list of remote network services running on their systems.
        Looks all open to me


        • #14
          Originally posted by johnc View Post
          Sometimes I feel like the consequences of these bugs get blown a bit out of proportion.

          I am reading of people who are terrified that their routers and home security cameras are susceptible to attack and such because "they run Linux". But there are only a few vectors in which the attack is possible and these are limited to certain scenarios that most people's home computing devices aren't going to even have.
          I agree. I think it's pretty ridiculous. I also find it hard to believe a problem this "severe" went unnoticed for over 20 years.

          Another thing to keep in mind is not all linux distros run bash, and I'm sure most embedded devices don't even have bash installed. But this is just a guess.


          • #15
            Huh, apparently there were two vulnerabilities and one of them isn't yet patched on all systems (including mine...): https://shellshocker.net/#comment-1605401191


            • #16
              Originally posted by nils_ View Post
              Got proof?
              Proof? Maybe you also need an official statement?
              Nobody will give you "proof", proof is for sheeple waiting for fact handouts (when it's too late).
              But smart people knew the government is spying on anyone they can reach out to long before any "proof" from Snowden and such.

              link
              link

              The CPUs aren't the only type of compromised hw.


              • #17
                Originally posted by System25 View Post
                Then you can use ssh to do some jobs.
                But doesn't ssh require authentication?

                But my favorite would be DHCP pwnage. You've got an IP in this net? Okay, the DHCP owner possibly got root on your system already. So you would really want to update it. That's what I call real pwnage.
                Yeah I have an ISP that doles out an IP address to my router through DHCP. And then my router doles out IP addresses to my devices also through DHCP. So how does my ISP have root into my system?

                The way some people are describing it, this wouldn't be just a bash problem but an authentication problem as well. I understand the Apache attack vector, because there is a process running on the machine that runs under that username. But even there I'm not seeing how that elevates to root access w/o some other non-bash weakness.


                • #18
                  Originally posted by mark45 View Post
                  Proof? Maybe you also need an official statement?
                  Nobody will give you "proof", proof is for sheeple waiting for fact handouts (when it's too late).
                  But smart people knew the government is spying on anyone they can reach out to long before any "proof" from Snowden and such.
                  Because...smart people are psychic?


                  • #19
                    Originally posted by tpruzina View Post
                    Panicking ain't helpful either, what would help the most is awareness. General statement that you are gonna get owned if you connect to public wifi is false.
                    Sysadmins should indeed be aware of the problem and know whether it affects them or not, but random users shouldn't be panicking.
                    This is not panicking but rather warning about a ***severe*** security issue. Bash got used in so damn many places over the course of these years you can't even foretell where it could backfire next time some smartass would try non-standard input with fancy content. Users should update bash too. H4x0rz do not really care if you're a user or an admin. They are seeking free resources and there will be no mercy. A bunch of automations are already crawling the web, seeking a free lunch. We have to understand it and should not let our systems get pwned.

                    And if we gonna bash GNU (pun intended), for something like 6 years there was an error in Windows XP print spooler (that runs in default winxp) that allowed to pwn machine remotely with ease and it took MS quite a while to acknowledge/fix the problem.
                    Well, I wouldn't say Windows is secure. But we should keep our things secure so we do not follow the same fate. That's why bash should be updated here and now. These nuts take a month to release an update. Ubuntu and Debian took about 24 hours for 2 versions of the fix; the first one was incomplete and people soon found another way to fool bash. Sure, releasing a patch in 1 day instead of 30 counts, especially when attacks are already in full swing.

                    And actually, it looks like you can get pwned by just connecting to public wi-fi with this bug, even though it really depends on system configuration and bad luck.


                    • #20
                      Originally posted by johnc View Post
                      But doesn't ssh require authentication?
                      Yes, it does. However, imagine ssh access for git commits. Now imagine it turns into a full blown shell. Neat, isn't it? Now every committer can also run arbitrary crap on that machine. This may or may not be what you want - really depends.

                      Yeah I have an ISP that doles out an IP address to my router through DHCP. And then my router doles out IP addresses to my devices also through DHCP. So how does my ISP have root into my system?
                      How does it happen? The DHCP client in many configurations would exchange information with various hook scripts over env variables. Should one of these vars contain a "bad" string from the DHCP server and it hits bash - voila, you're pwned. These scripts usually run as root, btw. So it is total pwnage with a root shell. This makes it an extremely dangerous problem.

                      FYI, a router is also usually some small computer, running a compact Linux as well. But this setup is lucky: the router would normally use busybox's built-in shell which is NOT affected by this problem. So the router could not be pwned this way. So if it is you who controls the router, you can assume the router would not be hijacked and hopefully it would behave kindly enough. If it is your ISP who manages it, or someone hacked it, they can potentially use it and its DHCP server as an intermediate "base camp" to break into further systems. All it takes is changing the DHCP server configuration a bit. This also can be an issue if you're about to connect to something like a wi-fi net you do not control.

                      To my taste the whole idea of supplying data from the external world into bash scripts is very questionable at its core. But this occurrence is especially evil.

                      The way some people are describing it, this wouldn't be just a bash problem but an authentication problem as well. I understand the Apache attack vector, because there is a process running on the machine that runs under that username. But even there I'm not seeing how that elevates to root access w/o some other non-bash weakness.
                      Well, even non-root access is enough to do a ton of nasty things. Since intruders are usually looking for free resources, they'll get what they want. Mining some coins at your expense? So they get profit and you pay electricity bills? Would work! Why not? Sending a ton of spam? Or maybe conducting DDoS? Hacking something on your behalf? For the outer world it looks as if it was YOU who spams and attacks, all evidence is against you, because it is your computer that originates the attacks.

                      So everyone who is not in the mood to be as secure as [Windows XP with Firewall, clickable] should update their bash here and now or they can eventually figure out bash has been used in some hole and some smartass was kind enough to supply strange data right into that hole, making bash actually execute some commands.
                      Last edited by System25; 26 September 2014, 01:23 PM.
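
The mechanism described in post #20, a DHCP client handing server-supplied values to bash hook scripts through environment variables, can be audited on the receiving side. The following is an added example, not part of any post in this thread: a POSIX shell filter that flags environment values beginning with `() {`, the prefix that pre-patch bash parsed as an exported function definition. The function names and every sample value are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Pre-patch bash treated any environment
# value starting with "() {" as an exported function and parsed it at startup.
# Patched bash only imports functions from names of the form BASH_FUNC_<name>%%.

# Constructed sample in the style of variables a DHCP client hands to hooks.
sample_env() {
    cat <<'EOF'
new_ip_address=192.0.2.15
new_domain_name=example.test
new_host_name=() { constructed-placeholder; }
BASH_FUNC_greet%%=() {  echo hello
}
EOF
}

# Read NAME=value lines on stdin; report values that begin with "() {".
classify_env() {
    while IFS= read -r line; do
        case $line in
            *=*) ;;          # NAME=value
            *) continue ;;   # continuation of a multi-line value: skip
        esac
        name=${line%%=*}     # text before the first "="
        value=${line#*=}     # text after the first "="
        case $value in
            '() {'*) ;;
            *) continue ;;
        esac
        case $name in
            BASH_FUNC_*%%) printf 'exported-function %s\n' "$name" ;;
            *)             printf 'suspect %s\n' "$name" ;;
        esac
    done
}

# Succeeds (status 0) only when no ordinary variable carries a function body.
env_is_clean() {
    if classify_env | grep '^suspect ' >/dev/null; then
        return 1
    fi
    return 0
}

sample_env | classify_env
```

Line-based input cannot tell a continuation line that contains `=` from a new variable, so for a live process read the NUL-separated `/proc/<pid>/environ` and convert it first.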
