This is very common on servers, including Linux-based servers, where just about everything you do (even in a UI) is just processing shell commands. As an example, when you pull up a listing of users in Exchange 2010, you are simply seeing the output of the shell command Get-Mailbox. The Exchange Management Console executes this shell command behind the scenes and gives you a pretty output.
The same thing can be said for many systems exposed to the internet, where low-level shell commands drive everything. This means that the Bash bug is a very big threat, one as large as, if not larger than, what we saw with Heartbleed. Heartbleed allowed someone to jump in on a session and gave them access to the system. This new bug gives an attacker shell-level access and the ability to process code at a very basic level. It is almost a hacker’s dream. The only thing missing is the holy grail of permissions (Ring 0), but even without that this is very dangerous.
Right now there is an even bigger concern over older web servers and, of course, Internet of Things devices. Most older web servers and even newer IoT devices rely heavily on CGI and java scripting to function. Due to this reliance, there might not actually be a way to patch them. It is something of a nightmare, especially when it comes to IoT devices, which are often exceptionally exposed due to poor security planning.
Right now the bug has not been used in any known form of malware, although it is certainly feasible that someone has used it before, just not on a large scale. It really is only a matter of time before this becomes more widely known and the “bad guys” start to use it. The simplicity behind the flaw means that it can be put into place with little effort. This is exactly the type of flaw that will attract the bigger criminal organizations. They like low-effort, high-yield flaws, and this one ranks right up there. We will be keeping a close eye on this one and will update you with any new information.