BusyBox does not appear to be vulnerable ( https://twitter.com/tehowe/status/514859890662440961/photo/1), but it does appear that CyanogenMod is providing Bash in some of their Android custom ROMs, and thus they are vulnerable...
http://forum.cyanogenmod.org/topic/100053-bash-also-vulnerable-to-cve-2014-6271-on-cm11/ *ASB **http://XeeMe.com/AndrewBaker* <http://xeeme.com/AndrewBaker> *Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...* On Thu, Sep 25, 2014 at 11:15 AM, Joe Smith <[email protected]> wrote: > On Thu, 25 Sep 2014, Ben Scott wrote: > > > The one saving grace there is that bitty boxes often don't install > > Bash, since Bash has a relatively large footprint[1]. They'll often > > go with a smaller shell, like zsh, nash, dash, etc. Of course, you > > can't *depend* on this without checking first. And good luck getting > > answers from your typical bitty box vendor. > > Most opensource based routers have a reduced footprint shell, and many use > the BusyBox core shell which provides whatever shell tools the router may > have available. BusyBox is based on the "ash" shell which may or may > not be vulnerable.. http://en.wikipedia.org/wiki/BusyBox > > > > >
