Most interesting thing to me is that this vuln has been around for close to 25 years.
From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker Sent: Thursday, September 25, 2014 11:23 AM To: ntsysadm Subject: Re: [NTSysADM] Major Bash Vulnerability -- ALL versions BusyBox does not appear to be vulnerable (https://twitter.com/tehowe/status/514859890662440961/photo/1), but it does appear that CyanogenMod is providing Bash in some of their Android custom ROMs, and thus they are vulnerable... http://forum.cyanogenmod.org/topic/100053-bash-also-vulnerable-to-cve-2014-6 271-on-cm11/ ASB <http://xeeme.com/AndrewBaker> http://XeeMe.com/AndrewBaker Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market. On Thu, Sep 25, 2014 at 11:15 AM, Joe Smith <[email protected] <mailto:[email protected]> > wrote: On Thu, 25 Sep 2014, Ben Scott wrote: > The one saving grace there is that bitty boxes often don't install > Bash, since Bash has a relatively large footprint[1]. They'll often > go with a smaller shell, like zsh, nash, dash, etc. Of course, you > can't *depend* on this without checking first. And good luck getting > answers from your typical bitty box vendor. Most opensource based routers have a reduced footprint shell, and many use the BusyBox core shell which provides whatever shell tools the router may have available. BusyBox is based on the "ash" shell which may or may not be vulnerable.. http://en.wikipedia.org/wiki/BusyBox
