In case you haven't heard about the Shellshock exploit yet, it is a hot topic today in the newzzz. If you use Apple OSX, a Linux server, or other devices that use BASH or Cygwin as a shell, and/or still use public-facing CGI scripts, you should probably read this:
http://www.troyhunt.com/2014/09/everyth ... about.html
The crazy thing is that it's been a vulnerability since the Bourne shell went BASH like 20+ years ago, but folks just now caught on. There is no patch yet that actually fixes it (as of Sept 25th), but there are already many hundreds of scripts to abuse it. Apparently BASH 4.3 is not vulnerable, so update if you can, or switch shells till things cool off.
As far as devices go, if they're public-facing in any way, try to upgrade those as well, although a shell switch is often not feasible. If your device has the equally old school BusyBox it should be safe; it's just a BASH thing.
Just sharing for y'all!
https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
There was a patch published yesterday. Was working late last night patching servers. Unfortunately they messed up and didn't completely close the exploit. RedHat does claim it's less severe though.
-Ryan
Hopefully they get it squared up. It's this issue, if y'all are curious about the 2nd patch: https://access.redhat.com/security/cve/CVE-2014-7169
BASH comes with git for Windows and is included in some SDKs, just be aware of that if you use that stuff. I'm sure they will patch it soon too.
Also, if you use CloudLinux or other Dockers/Jails/Containers it *appears* to be fixed even without patching using an older BASH version -- not sure if it actually is though. Tested it on ours and it passed with v4.1.x. False positives perhaps, just be aware of that too.
Couple more angles: apparently fail2ban has a jail, http://www.stopforumspam.com/forum/view ... 602#p41602
Also, higher up in that post, there is an example of a scan that doesn't use () { etc. Reviving existing URI exploits on routers to stack 'em up ahead of your apps... think appliance level:
72.28.144.98 - - [25/Sep/2014:23:42:41 -0400] "GET /tmUnblock.cgi HTTP/1.1" 400 226
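A log check in the spirit of the fail2ban jail and the `tmUnblock.cgi` scan discussed in the post above, as an added example that is not from any poster in this thread: it flags requests carrying the `() {` function-definition prefix in any logged field, and separately flags appliance CGI probes that carry no such marker. The sample lines, their IP addresses and the `APPLIANCE_PATHS` list are constructed assumptions.

```python
import re

# Common or combined access-log line; referer and user-agent are optional.
# Quoted fields allow backslash-escaped quotes, as Apache writes them.
Q = r'"((?:[^"\\]|\\.)*)"'
LINE = re.compile(
    r'(\S+) \S+ \S+ \[[^\]]+\] ' + Q + r' \d{3} \S+(?: ' + Q + ' ' + Q + ')?'
)
# Bash function-definition prefix, tolerant of extra whitespace.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')
# Appliance CGI paths probed without any "() {" marker. The first entry is
# the path from the log line in the thread; extend for your own environment.
APPLIANCE_PATHS = {"/tmUnblock.cgi"}

def classify(line):
    """Return (ip, reasons) for one log line; reasons is empty when clean."""
    m = LINE.match(line)
    if not m:
        return None, ["unparsed"]
    ip, req, ref, ua = m.groups()
    reasons = [
        "bash-funcdef-in-" + name
        for name, value in (("request", req), ("referer", ref), ("user-agent", ua))
        if value and FUNC_DEF.search(value)
    ]
    parts = req.split()
    path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
    if path in APPLIANCE_PATHS:
        reasons.append("appliance-cgi-probe")
    return ip, reasons

def scan(lines):
    """Group findings by source address."""
    hits = {}
    for line in lines:
        ip, reasons = classify(line)
        if reasons:
            hits.setdefault(ip, []).extend(reasons)
    return hits

# Constructed sample lines (documentation address ranges, harmless marker).
SAMPLE = [
    '192.0.2.10 - - [25/Sep/2014:23:40:02 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '198.51.100.7 - - [25/Sep/2014:23:42:41 -0400] "GET /tmUnblock.cgi HTTP/1.1" 400 226',
    '203.0.113.5 - - [25/Sep/2014:23:43:00 -0400] "GET /index.php?route=common/home HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE).items():
        print(ip, ", ".join(reasons))
```

A match here only shows that a probe reached the web server, not that bash was ever invoked; whether the host is affected still depends on the installed bash version and on whether any CGI handler spawns it.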