It's hard, but not impossible. Apparently your DHCP client passes responses from the DHCP server to bash.

Let's say, for the sake of argument, that your ISP's DHCP server is compromised. A worm could then spread to your system from it.

This is entirely hypothetical, but not impossible.

What responses does it pass, does it not sanitise them? Can anyone link to details of what DHCP does that's relevant here? Thanks.

Looking at http://code.metager.de/source/xref/isc-dhcp-debian/client/dh...

It seems that server_name from DHCP response is passed to environment variable without sanitising.

  3437		if (check_option_values(NULL, DHO_HOST_NAME,
  3438					lease->server_name,
  3439					strlen(lease->server_name)) == 0 ) {
  3440			client_envadd (client, prefix, "server_name",
  3441				       "%s", lease->server_name);

And script that is run after that (dhclient-script) is written in bash at least on Debian.

check-option_values() actually checks DHO_HOST_NAME to be only alphanumeric and '.':

See code here: http://lists.alioth.debian.org/pipermail/pkg-dhcp-commits/20...

to bash? or to /bin/sh? Or the user shell? On Ubuntu you are fine unless it explicitly calls bash or (unlikely) uses the user shell.

Ouch, what a mess. Thanks for the warning.

Is it connected to the internet? Then patch it. While you can't think of anything that could remotely execute it, you'd be damn surprised how large the attack surface is for this exploit, and how flexible it is. It's a Big Deal(TM). Everything in a Linux system uses bash (hyperbole, but not too far from the truth), and all it takes is one of those not sanitizing input and it's game over :(

Basically, it may not be as immediately exploitable for desktop systems without a web-server as other bugs have been, but I wouldn't be surprised to see something pop-up in the near future.

Yeah, the annoying thing is it sounds like there isn't a full patch yet and new vulnerabilities are being discovered. Just trying to understand if I should shut the machine down until everything is sorted out.

There's no need to shut it down. If you're concerned for some reason (if you have important data on it and/or use it on untrusted networks), just remove bash or at least make it unexecutable.

A fair bit of warning though that some scripts might break, but at least you know why (if the alternative is to turn off the machine until you trust bash again then you may have to wait forever).

On a standard Ubuntu or Debian most shell scripts uses dash anyway so it shouldn't be too bad.

The ecosystem of linux software that shells out to bash is ridiculous, and coercing an env var is a very light requirement.

Virtually any software that takes input from the internet can be a target, and enumerating the combination of versions and configurations is futile. We all need a working bash patch.

Not running a webserver protects against GET spray-n-pray, but you shouldn't feel safe.