A critical vulnerability has been found in a large number of operating systems and may affect commercial and consumer electronics. This vulnerability affects a component of the Linux operating system.
Specifically, GNU Bash versions 1.14 through 4.3 contain a flaw: when Bash imports a function definition from an environment variable, it also processes commands placed after that definition, allowing remote attackers to execute arbitrary code via a crafted environment and enabling network-based exploitation. CIT’s fully managed clients don’t need to worry too much about this vulnerability: for every system we manage, we will perform offline regression testing and apply the patches.
For other commercial businesses, careful attention should be paid to this vulnerability. “I don’t expect a large number of day-one exploits from this vulnerability. Rather, I expect unpatched systems to be compromised over the course of months and years,” says CIT’s Lawrence Cruciana. “This vulnerability is an especially potent threat simply because nothing will stop working because of it. Attackers will have the opportunity to pick and choose their targets using automated bots to scan and exploit the vulnerability. Nearly anything is possible with this type of threat: information gathering, backdoor access, or even participation in a bot-army. With the increased number of integrated electronic systems utilizing Linux, everything from TVs to toasters, the latent threat to many corporate networks will come from the myriad of these devices that will remain unpatched. Imagine your conference room TV participating in the next bot-army attack. It’s possible, even likely, should this exploit go unmitigated.”
What should you do:
Major Linux vendors have released patches for the affected versions. The initial fixes for CVE-2014-6271 do not completely resolve the vulnerability, so install the existing patches now and watch for updated patches that address CVE-2014-7169.
Many UNIX-like operating systems, including Linux distributions, BSD variants, and Apple Mac OS X, include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743.
CIT agrees with US-CERT and recommends that system administrators review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169 to mitigate damage caused by the exploit.
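Before and after applying the vendor patches, an administrator will want to confirm whether the Bash on a given host still imports trailing commands from environment variables (CVE-2014-6271) and whether the follow-up parser bug (CVE-2014-7169) is present. The script below is an added example, not code from the CIT post or from any vendor; it runs the widely published local self-tests against the host’s own bash, touches no remote system, and is built so each check returns a status code (0 patched, 1 vulnerable, 2 no bash found) that can be used from an inventory or configuration-management run. The marker string and the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the CIT post): local self-checks for the two
# Shellshock CVEs. Each check returns 0 (patched), 1 (vulnerable) or
# 2 (no bash binary available) so it can be used from scripts.

# CVE-2014-6271: plant a function definition followed by a trailing command
# in an environment variable and ask bash to run an unrelated command.
# A patched bash imports nothing (or only the function); an unpatched bash
# also runs the trailing command and prints the marker.
shellshock_6271_check() {
    bash_bin=$(command -v bash 2>/dev/null) || return 2
    marker="SHELLSHOCK_MARKER_$$"          # constructed marker string
    out=$(env "x=() { :; }; echo $marker" "$bash_bin" -c "echo probe" 2>/dev/null)
    case "$out" in
        *"$marker"*) return 1 ;;           # trailing command was executed
        *)           return 0 ;;
    esac
}

# CVE-2014-7169: the incomplete first fix left a parser bug. The vendor
# self-test string below makes a vulnerable bash treat the next command as
# a redirection and create a file named "echo" in the current directory.
# Run it inside a throwaway directory so nothing is left behind.
shellshock_7169_check() {
    bash_bin=$(command -v bash 2>/dev/null) || return 2
    workdir=$(mktemp -d) || return 2
    ( cd "$workdir" && env 'x=() { (a)=>\' "$bash_bin" -c "echo date" >/dev/null 2>&1 )
    if [ -e "$workdir/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$workdir"
    return "$rc"
}

# Print a one-line verdict for a check; argument 1 is the CVE id,
# argument 2 is the check function name.
report() {
    cve=$1; check=$2
    rc=0; "$check" || rc=$?
    case "$rc" in
        0) echo "$cve: not vulnerable (patched bash)" ;;
        1) echo "$cve: VULNERABLE - apply vendor patches" ;;
        2) echo "$cve: bash not found on this system" ;;
    esac
    return "$rc"
}

# Overall exit status is non-zero if either check finds a problem,
# which lets an inventory job flag the host.
run_all_checks() {
    overall=0
    report CVE-2014-6271 shellshock_6271_check || overall=1
    report CVE-2014-7169 shellshock_7169_check || overall=1
    return "$overall"
}

run_all_checks
```

Both checks pass only on a bash that carries the CVE-2014-7169 fix, so a host that passes the first test but fails the second has received the incomplete initial patch the post warns about and still needs the vendor update.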
The source article, for your reference and for further detail: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169)