G+_Donald Burr Posted September 25, 2014

Regarding the BASH vulnerability, there is definitely no need to panic. First of all, to be vulnerable, your machine has to be running some sort of Internet service (web server, etc.) Most home users aren't set up this way.

Also Padre implied that a lot of Linux embedded devices (most notably Linux-based routers) are also vulnerable. This is most untrue. In order to be affected, they must be running the Bash shell, and routers typically aren't set up this way. In fact they can't run Bash, because Bash is freakin' HUGE, and these little Linux routers are extremely limited, both in processor and memory resources, and so don't have the resources to run a big shell such as Bash. So router manufacturers typically use a "cut down" shell called BusyBox instead (BusyBox is actually an entire collection of cut-down versions of many standard Linux utilities - ls, cp, mv, rm, etc. - all rolled into one app binary.) (Also the open source router firmwares use BusyBox - I can confirm this is the case with both Tomato and DD-WRT.) And from everything I've read, BusyBox does not share any code with Bash, thus is not exploitable by this vulnerability.

The same is true of other Linux-based embedded devices too (IP cameras, NAS, etc.) These devices just don't have the "smarts" necessary to run a "real" shell like Bash. (Also, there really isn't any need to put something as fancy/complicated as Bash in these devices, since people generally don't need to log in to a shell on these devices.)

G+_Travis Hershberger Posted September 26, 2014

Keep in mind that the software firewalls normally will have a full BASH shell. I use ClearOS as a firewall/router and it is based on CentOS if I remember correctly (it updated with yum -y update at least.) So, if you can update, update. If you can't update, you're most likely ok. To run a quick test copy the following line into the shell prompt:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
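
The test line from the post above, wrapped in a small script (an added example, not part of any post in this thread): it first asks each shell whether it is Bash at all, the distinction raised earlier for BusyBox-based devices, and only then interprets the probe output. The function names and the default targets `bash` and `sh` are assumptions.

```shell
#!/bin/sh
# Added example: classify shells using the test line quoted in this thread.
# Usage: ./check.sh [shell ...]   (hypothetical file name)

# verdict BASH_VERSION PROBE_OUTPUT -> not-bash | vulnerable | patched
verdict() {
    # An empty version string means the shell is not Bash (BusyBox ash, dash, ...),
    # so it never parses function definitions out of the environment.
    [ -n "$1" ] || { echo not-bash; return; }
    case $2 in
        vulnerable*) echo vulnerable ;;  # injected echo ran before the real command
        *)           echo patched ;;     # only the requested command ran
    esac
}

# classify_shell NAME_OR_PATH -> missing | not-bash | vulnerable | patched
classify_shell() {
    command -v "$1" >/dev/null 2>&1 || { echo missing; return; }
    # Ask the shell itself whether it is Bash.
    ver=$("$1" -c 'echo "${BASH_VERSION:-}"' 2>/dev/null </dev/null) || ver=
    # The probe is the line from the post, pointed at the shell under test.
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' \
          2>/dev/null </dev/null) || :
    verdict "$ver" "$out"
}

# Default targets are an assumption; pass the shells you care about as arguments.
[ $# -gt 0 ] || set -- bash sh
for s in "$@"; do
    printf '%-12s %s\n' "$s" "$(classify_shell "$s")"
done
```

A `patched` result only says this one probe did not fire; updating Bash from the distribution, as the post advises, is still the fix.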

G+_Donald Burr Posted September 26, 2014

Travis Hershberger Yes, of course if your firewall is a full-on PC running Linux, then yeah it will have the full BASH. Fortunately most (if not all) of the major Linux distributions have released a patched version of Bash, and I'm sure the ones that haven't yet are working feverishly on it.