The best way to find out if you're vulnerable is by testing. It takes just a few minutes to set up dnsmasq to serve up an exploit. Here were my settings:

  interface=eth2
  dhcp-range=10.0.1.100,10.0.10.200,12h
  dhcp-option-force=114,() { :; }; echo "hi"

If any bash scripts are called, with the environment variables that are set by dhclient, then that snippet should be run. If bash is not invoked, then that snippet won't ever run.

  interface=eth2
  dhcp-range=10.0.1.100,10.0.10.200,12h
  dhcp-option-force=114,() { :; }; echo "hi"

  iface eth0 inet dhcp

  sudo ifdown eth0 && sudo ifup eth0

But dhclient calls dhclient-script to execute various hook scripts, and dhclient-script uses #!/bin/bash and is thus vulnerable.

On my particular Debian system, it doesn't look like NetworkManager based DHCP is affected, as it doesn't call the dhclient-script. It does call various scripts in /etc/network/if-*.d/, but none of the ones that I have installed use bash, they all use sh. However, if I deliberately put a bash script in there, and attach it to the network with the rogue DHCP server, it does get passed the bad environment variable (though on my Debian system I've already updated Bash so I just get the error message rather than the exploit).

So yeah, there are a a lot of ways for a stray Bash script to cause problems here.

Is that really what you are advocating here? Don't ever use shell scripts with untrusted data? That has been my philosophy for a long time, but up till now that position has been viewed as extreme by most people I've shared it with.

[1] there are still exploitable bash parser issues to be revealed http://seclists.org/oss-sec/2014/q3/777

It's certainly possible to be at risk if, for instance, you had a CGI script that was specifically written in bash (i.e. starts with "#!/bin/bash") but that's a lot less likely.

So definitely patch your Debian/Ubuntu/etc machines but do your Redhat-based ones (and other places where "/bin/sh --version" indicates that it's bash) first.

Are you running a Web server that uses CGI scripts written in shell or plain C that uses system() call? If you do, you have had other problems long before.

There are some grumblings about DHCP _client_ setups on Linux passing parameters via environment variables to shell scripts executed by bash, but I am yet to see this. This would be a problem, but probably easily fixable.

No need to panic or even patch anything (as always). If you running servers on your machine and allow inbound connections you should know exactly what those servers are and what they execute on behalf of external users.

This is NOT remotely exploitable.

It's an ad campaign for "security researchers" people.

Are you running a Web server that uses CGI scripts written in shell or plain C that uses system() call? If you do, you have had other problems long before.

There are some grumblings about DHCP _client_ setups on Linux passing parameters via environment variables to shell scripts executed by bash, but I am yet to see this. This would be a problem, but probably easily fixable.

No need to panic or even patch anything (as always). If you running servers on your machine and allow inbound connections you should know exactly what those servers are and what they execute on behalf of external users.

This is NOT remotely exploitable.

It's an ad campaign for "security researchers" people.

Are you running a Web server that uses CGI scripts written in shell or plain C that uses system() call? If you do, you have had other problems long before.

There are some grumblings about DHCP _client_ setups on Linux passing parameters via environment variables to shell scripts executed by bash, but I am yet to see this. This would be a problem, but probably easily fixable.

No need to panic or even patch anything (as always). If you running servers on your machine and allow inbound connections you should know exactly what those servers are and what they execute on behalf of external users.

This is NOT remotely exploitable.

It's an ad campaign for "security researchers" people.

1. The released patch (and subsequent update for many distributions) fixed the only currently-known remotely exploitable version of the bug. The cases found afterward are a different bug, and so far there's no publicly known way to remotely exploit it. These other bugs were published to demonstrate that there are deeper flaws in bash's parsing of environment variables. If you have updated bash with the most recent fix, the odds are in your favor that you're going to be just fine.

2. "Routers, web cameras, SIP gateways, NAS’s" & etc. all need to be running a variant of bash to be exploitable. dash doesn't have this problem. ksh, csh, other shells don't have this problem. ash, used by BusyBox, doesn't have this problem. BSD-based systems don't have this problem (except in rare circumstances).

3. DHCP exploitation requires that you have network-start scripts that are run by bash on your system, and you're getting DHCP from a compromised host.

4. Yes, ssh hosts are vulnerable -- if you already have ssh access to those hosts and your shell is bash. This bug doesn't give most users a level of access that they don't already have. But, it can mean that if a user is restricted to specific commands for sudo without being prompted for a password, then they can run arbitrary sudo commands, which isn't very nice.

5. And yeah, mass-scanning started late last night and the first examples of malware using this as a vector are being seen. As scanning techniques improve -- currently they're pretty rudimentary -- more and more hosts will get compromised.

Keep calm and update bash.

Just because bash is vulnerable in this case doesn't mean that networkd/network-manager will never be vulnerable.

Then you have to configure the service in such a way to actually be vulnerable, and these are not commonly configured options.

The attacker also has to have a local privilege escalation vulnerability to exploit as well, or they're trapped as the CUPS user once they do bust in.

I don't think that the level of panic I have seen on other Hacker News threads and elsewhere on the Internet is warranted. Comparing this to Heartbleed is pretty absurd; TLS vs bash CGI is no contest in terms of deployment size.

I'm mainly concerned with public-facing, large scale web services, and in that area:

1. CGI in general and bash CGI in particular are basically unheard of.

2. system() in other scripting languages might be used, BUT to be vulnerable you have to pass through user-supplied data as environment variables without sanitizing. This was always an exploit waiting to happen.

3. ssh accounts with a command forced in authorized_keys are potentially problematic, but this would only be from users who have some relationship to your service in the first place. Personally I think a restricted shell (rsh or git-shell or whatever) is a more common option, simply because who knows what bash might get up to.

4. DHCP client scripts on Linux is an interesting exploit path, and might be a problem for laptops on shared wifi, but for the majority of Linux servers there is no attack vector. They live on controlled networks where rogue DHCP servers can't be operated.

So yes, patch the vulnerability and audit your systems and code. Also keep the response proportional to the vulnerability, this one needs a lot of other things to fall into place to be exploited.

In other words, if Apache/dhclient wants to put things into environment variables, it absolutely should make sure to do this properly and indeed to take into account all possible contexts.

Notably, attackers in an unhardened network can reply to DHCP clients themselves, even if there's already a DHCP server on the network. So it's not just the sysadmin who can exploit this, but anyone on the same network (broadcast domain) as the vulnerable DHCP client.