Bear Bibeault wrote: From what I understand, this is not much of a threat for personal systems that aren't running servers that the Net can connect to in order to run bash commands (such as CGI).
But yeah, if you are running servers...
There were some interesting scenarios discussed wherein even home networks could be at risk:
- Many home router web administration pages run over CGI. If they have remote admin enabled and have bash as default shell, then routers can be compromised.
- Some PoC attacks over DHCP have been demonstrated. The idea is that if an ISP's DHCP server can be compromised by other means, then that ISP's customers can be compromised using this bash vulnerability.
posted 4 years ago
If they have remote admin enabled and have bash as default shell, then routers can be compromised.
Many of those - especially newer ones - use Busybox, though, which is not vulnerable since it does not use bash.
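The two conditions raised in this thread (a CGI front end, and bash rather than BusyBox behind it) can be checked on a device you administer. The script below is an added example, not code from any poster in the thread; the function names and the directory passed on the command line are assumptions, and it expects a Linux userland with `readlink -f`.

```shell
#!/bin/sh
# Added example: list which CGI scripts in a directory are interpreted by
# bash, and what the default shell resolves to (bash, busybox or other).
# Usage (path is an assumption): ./cgi_shell_audit.sh /www/cgi-bin

# Resolve an interpreter through symlinks and classify the real binary.
classify_interp() {
    case "$1" in
        */*) real=$(readlink -f "$1" 2>/dev/null) || real=$1 ;;
        *)   real=$1 ;;   # bare name, e.g. taken from "#!/usr/bin/env bash"
    esac
    case "$(basename "$real")" in
        bash)    echo bash ;;
        busybox) echo busybox ;;
        *)       echo other ;;
    esac
}

# Print the interpreter named on a script's shebang line (empty if none).
# For "#!/usr/bin/env NAME" the NAME is printed instead of env.
shebang_interp() {
    head -n 1 "$1" | awk '/^#!/ {
        sub(/^#![ \t]*/, "")
        n = split($0, w, /[ \t]+/)
        if (w[1] ~ /\/env$/ && n > 1) print w[2]; else print w[1]
    }'
}

# Report the default shell, then one line per executable script:
#   <bash|busybox|other> <script path> (<interpreter as written>)
audit_cgi_dir() {
    dir=$1
    sh_path=${2:-/bin/sh}   # second argument lets you point at another shell
    echo "default shell $sh_path -> $(classify_interp "$sh_path")"
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        interp=$(shebang_interp "$f")
        [ -n "$interp" ] || continue
        echo "$(classify_interp "$interp") $f ($interp)"
    done
}

if [ $# -gt 0 ]; then
    audit_cgi_dir "$@"
fi
```

Lines starting with `bash`, or a default shell that resolves to bash, mark the places where the installed bash version needs to be patched; compiled CGI binaries have no shebang and are skipped by this check.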