Symantec has released an infographic explaining what the Bash Shell Shock vulnerability is about and the mitigating factors.
Has it been exploited yet?
There are limited reports of the vulnerability being used by attackers in the wild. Proof-of-concept scripts have already been developed by security researchers. In addition to this, a module has been created for the Metasploit Framework, which is used for penetration testing.
Once the vulnerability was made public, it was only a matter of time before attackers attempted to find and exploit unpatched computers.
How can it be exploited?
While the vulnerability potentially affects any computer running Bash, it can only be exploited by a remote attacker in certain circumstances. For a successful attack to occur, the attacker needs attacker-controlled data to end up in an environment variable that is then passed to Bash. Bash imports shell function definitions from its environment, and vulnerable versions also execute any command that follows the function body in the variable's value.
The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the widely-used mechanism for generating dynamic Web content. A CGI server copies request headers into environment variables (the User-Agent header, for example, becomes HTTP_USER_AGENT) before launching the handler, so an attacker can place a crafted function definition in any header. If the handler is a Bash script, or invokes Bash through a system() call, a vulnerable Bash imports the definition and also runs any malicious command tacked on to it.
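The following is an added example, not code from the Symantec article: it reproduces in Python what a CGI server does with request headers, flags header values that carry a Bash function export, and then runs a minimal Bash CGI script with that environment to show whether the command tacked on to the function definition executes. The request, the CGI script, the marker string and the function names are constructed for illustration; the script assumes a bash binary is on PATH.

```python
"""
Added example (not from the Symantec article): how a CGI server turns HTTP
request headers into environment variables, and why that hands an
attacker-controlled string to Bash.  The request, the CGI script and the
function names below are constructed for illustration.
"""
import os
import re
import subprocess
import tempfile


def cgi_environment(method, path, headers):
    """Build the CGI environment the way RFC 3875 describes it.

    Every request header is exported as HTTP_<NAME>, upper-cased, with dashes
    turned into underscores.  The value is copied unchanged, so the attacker
    controls the whole string Bash will later see.
    """
    env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": path,
    }
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


# A Shellshock payload is a Bash function export: the value starts with "() {"
# and a command is appended after the closing brace.  This is the shape that
# WAF rules and IDS signatures matched on in incoming headers.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def flag_shellshock(env):
    """Return the names of environment variables that carry a function export."""
    return sorted(k for k, v in env.items() if SHELLSHOCK_RE.match(v))


# Minimal CGI script (constructed).  It prints nothing but its own banner, so
# any other output must have come from the environment.
CGI_SCRIPT = "#!/bin/bash\necho 'Content-Type: text/plain'\necho\necho 'hello from cgi'\n"
MARKER = "SHELLSHOCK_MARKER"


def run_cgi(env):
    """Run the CGI script under bash with the given environment.

    Returns True if the command appended to the function definition ran (the
    marker shows up in stdout), False on a patched Bash, None if bash is absent.
    """
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "hello.cgi")
        with open(script, "w") as fh:
            fh.write(CGI_SCRIPT)
        os.chmod(script, 0o755)
        try:
            proc = subprocess.run(["bash", script], env=env,
                                  capture_output=True, text=True, timeout=10)
        except FileNotFoundError:
            return None
    return MARKER in proc.stdout


if __name__ == "__main__":
    # Constructed request: the payload rides in the User-Agent header.
    request_headers = {
        "Host": "www.example.com",
        "User-Agent": "() { :; }; echo " + MARKER,
        "Accept": "*/*",
    }
    env = cgi_environment("GET", "/cgi-bin/hello.cgi", request_headers)
    print("flagged variables:", flag_shellshock(env))
    print("trailing command executed:", run_cgi(env))
```

On a patched Bash the script prints only its own banner and run_cgi returns False; on a vulnerable one the marker is printed before the banner, because Bash ran the trailing command while importing the function from HTTP_USER_AGENT. The same flag_shellshock check can be run over any header-derived input a CGI server hands to a subprocess, not just User-Agent.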
What Can You Do?
For website owners and businesses
Businesses, in particular website owners, are most at risk from this bug and should be aware that its exploitation may allow access to their data and provide attackers with a foothold on their network. Accordingly, it is of critical importance to apply any available patches immediately.
Linux vendors have issued security advisories for the newly discovered vulnerability including patching information.
- Red Hat—https://access.redhat.com/articles/1200223*
- Novell/SUSE— http://support.novell.com/security/cve/CVE-2014-6271.html
*Red Hat has updated its advisory for this vulnerability, noting that its initial patch is incomplete.
If a patch is unavailable for a specific distribution of Linux or Unix, it is recommended that users switch to an alternative shell until one becomes available.
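Because the first round of patches was incomplete, checking the installed Bash binary is more reliable than checking a package version. The following is an added example, not code from the Symantec article or from any vendor advisory: it runs the two probes that circulated at the time, one for the original bug (CVE-2014-6271) and one for the follow-up that the incomplete fix left open (CVE-2014-7169). The function names are ours, and the script assumes a bash binary is on PATH or is given by path.

```python
"""
Added example (not from the Symantec article): audit a Bash binary for
CVE-2014-6271 and for the incomplete-fix follow-up CVE-2014-7169.  The two
probe payloads are the publicly circulated ones; the function names are ours.
"""
import os
import subprocess
import tempfile


def _run_bash(bash, argv, extra_env, cwd):
    """Run bash with a minimal environment plus the probe variable."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    env.update(extra_env)
    return subprocess.run([bash] + argv, env=env, cwd=cwd,
                          capture_output=True, text=True, timeout=10)


def check_cve_2014_6271(bash="bash"):
    """True if Bash executes the command appended to an exported function.

    The variable holds an empty function followed by 'echo VULNERABLE'.  A
    patched Bash ignores the trailing command and prints only 'probe'.
    Returns None if the bash binary cannot be found.
    """
    try:
        proc = _run_bash(bash, ["-c", "echo probe"],
                         {"x": "() { :; }; echo VULNERABLE"}, None)
    except FileNotFoundError:
        return None
    return "VULNERABLE" in proc.stdout


def check_cve_2014_7169(bash="bash"):
    """True if a truncated function body still corrupts the parser state.

    With the first, incomplete patch applied, the value '() { (a)=>\\' leaves
    the parser holding a redirection, so 'echo date' is parsed as '>echo date'
    and a file named 'echo' is created in the working directory.  A fully
    patched Bash simply prints 'date' and creates nothing.  The probe runs in
    a temporary directory so the stray file cannot land anywhere else.
    Returns None if the bash binary cannot be found.
    """
    with tempfile.TemporaryDirectory() as tmp:
        try:
            _run_bash(bash, ["-c", "echo date"], {"X": "() { (a)=>\\"}, tmp)
        except FileNotFoundError:
            return None
        return os.path.exists(os.path.join(tmp, "echo"))


def audit(bash="bash"):
    """Return the result of both probes keyed by CVE identifier."""
    return {
        "CVE-2014-6271": check_cve_2014_6271(bash),
        "CVE-2014-7169": check_cve_2014_7169(bash),
    }


if __name__ == "__main__":
    for cve, vulnerable in audit().items():
        state = {True: "VULNERABLE", False: "patched", None: "bash not found"}[vulnerable]
        print(f"{cve}: {state}")
```

Run it once per Bash binary on the host (for example /bin/bash and any statically bundled copies in appliances or containers), since a vendor patch only covers the package it ships. A result of "patched" for CVE-2014-6271 but "VULNERABLE" for CVE-2014-7169 is exactly the state Red Hat's updated advisory warns about: the first patch was applied but the follow-up was not.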
Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.
You can read more details on http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability