Shellshock Highlights Difficulty In Determining Exploitability

We are all familiar with the shellshock issue in bash.   We know that it’s exploitable via CGI on web servers, through the DHCP client on Linux systems, and can bypass restrictions in SSH.  Yesterday, a new spate of techniques were discussed pretty widely, through OpenVPN, SIP. and more.

This isn’t necessarily a problem with OpenVPN and SIP.  This is still a problem with bash.  These discoveries should highlight the importance of patching a for problem like shellshock quickly, rather than assuming our system is safe just because we are not running a web server, using a static IP and don’t rely on SSH restrictions.  If it’s running OpenVPN, it’s exploitable (if username/password authentication is used).  The broader point however, is that we could be finding innovative new ways to exploit shellshock through different services for months.

Just patch bash.  And get on with life.