Unpatched bash allows for remote code execution.
Patch as soon as you can and be aware that the current patches might not be complete.
Many vendors (including Debian, Red Hat, SuSE, Ubuntu) already have patches available: CERT/NIST reveal level 10 bash alert today, 24 September 2014.
This is a long article which explains the why/how/… and has an easy check to see if you are vulnerable: What is the CVE-2014-6271 bash vulnerability and, how do I fix it.
It looks like the current patches aren’t complete yet, but do plug big parts of the hole.
- Easiest test through https://github.com/hannob/bashcheck:
curl https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck > bashcheck.sh
less bashcheck.sh # check if there is nothing fishy
chmod +x bashcheck.sh && ./bashcheck.sh
- On a Mac: OS X – How do I recompile Bash to avoid Shellshock the remote exploit CVE-2014-6271 and CVE-2014-7169? – Ask Different.
- Shellshock BASH Vulnerability Tester.
- Security Experts Expect ‘Shellshock’ Software Bug in Bash to Be Significant – NYTimes.com.
- Lots of exploit examples: What is a specific example of how the shellshock bash bug could be exploited? – Information Security Stack Exchange.
- Bash Code Injection Vulnerability CVE-2014-6271 – Red Hat Customer Portal.
- Bash Code Injection Vulnerability via Specially Crafted Environment Variables CVE-2014-6271, CVE-2014-7169 – Red Hat Customer Portal.
Quote from the article: