[f00ber]

Oh stop this stupidity already. If you are not running a Web server that spawns bash when serving an HTTP request, then you are NOT vulnerable.

Are you running a Web server that uses CGI scripts written in shell or plain C that uses system() call? If you do, you have had other problems long before.

There are some grumblings about DHCP _client_ setups on Linux passing parameters via environment variables to shell scripts executed by bash, but I am yet to see this. This would be a problem, but probably easily fixable.

No need to panic or even patch anything (as always). If you running servers on your machine and allow inbound connections you should know exactly what those servers are and what they execute on behalf of external users.

This is NOT remotely exploitable.

It's an ad campaign for "security researchers" people.

[clarry]

It is hilarious that you claim this is not remotely exploitable in response to a post describing how a very simple and limited scan has already found thousands of vulnerable hosts in a short timeframe.

And I dare say there are lots of admins who do not know exactly what their servers are going to execute because they're using software written by other people. That's why we call them admins, not software developers.

By the way, system() can be used in quite a lot of languages, not just in plain C.

And there are definitely more attack vectors than CGI. CGI is just the most obvious one.

[f00ber]

Well, let these _admins_ worry about this. This is of no concern for the moment for a regular Linux or OS X user.

Now, an admin _must_ know every service running on entrusted boxes facing the Internet. CGI scripts hopefully are not common these days. If you run them do stop for other reasons.

So far every "attack vector" implies having shell access to the target machine in some form. No need to panic for majority of people.

[ccvannorman]

Can you clarify this? As a Mac OS X user who connects to public wifi often, I'm still in the dark about whether I should literally turn off my wifi for now..

[eropple]

Or, you know, running Rails with Passenger.

[bodyfour]

> plain C that uses system() call?

Lots of code uses system()/popen() etc. If no user-controlled input is passed in as an argument, most people would have not considered that a potential vulnerability. More software than you think is going to be affected.

[f00ber]

Please give me an example of how somebody not running a Web server and a collection of CGI scripts is affected. A git server? Are you running one of these? Move on, nothing to see for most of us.

[clarry]

You're in the wrong place. Hacker News isn't "Linux Grandmas' User Group". We're a varied bunch, many of us are admins or software developers, and yes we operate servers. For a living or otherwise. Security announcements like this are both interesting (hackers, remember?) and relevant to what many of us do.

[regularfry]

Forgive me if I've misunderstood the problem, but isn't, for instance, a perl cgi script which happens to shell out to bash for some incidental functionality also vulnerable? The environment variable should get inherited.

[Silhouette]

Yes. Just about anything that winds up running bash with an unsanitized environment that an attacker could influence is potentially vulnerable. The GP poster has no idea what they are talking about.

[stripe]

Then this might be news to you:

https://gist.github.com/anonymous/929d622f3b36b00c0be1