If I have a VPS and just connect to it using SSH - am I vulnerable?<p>Or am I vulnerable through my home router? I have no idea about the firmware on it. Is it possible that Shellshock might have an effect on it?<p>In short - what sort of use cases should I worry about? I have not seen anybody explaining possible attack vectors about this thing yet... Anybody have an idea?
SSH is calling a shell. If it is bash and the vulnerability test is positive <a href="http://fedoramagazine.org/shellshock-how-does-it-actually-work/" rel="nofollow">http://fedoramagazine.org/shellshock-how-does-it-actually-wo...</a> then your VPS is vulnerable and you'd better patch it.<p>To other posters: this vulnerability is so trivial (it creates a function in an environment variable), not some kind of sophisticated buffer overflow etc., that I wonder if this was once a bash feature.<p>Any comments?
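A local check for the condition named in the reply above (the shell SSH starts is bash, and the test is positive), added here as an example; it is not part of the thread or of the linked article. The `probe_shell` function, the `probe` variable name and the `PROBE_HIT` marker are made up for this sketch.

```shell
#!/bin/sh
# Classify a shell binary as: missing | not-bash | patched | vulnerable.
# Purely local: the binary is started with an emptied environment plus one
# probe variable, and we look at whether anything was executed on import.
probe_shell() {
    ps_bin=$1
    [ -x "$ps_bin" ] || { echo missing; return 0; }

    # Only bash sets BASH_VERSION; dash, zsh, nologin etc. yield something else.
    ps_ver=$("$ps_bin" -c 'printf %s "${BASH_VERSION:-}"' 2>/dev/null </dev/null) || true
    case $ps_ver in
        [0-9]*.*) ;;
        *) echo not-bash; return 0 ;;
    esac

    # The probe value looks like an exported function followed by one extra
    # command. A fixed bash keeps it as an ordinary string and prints nothing;
    # an unfixed bash runs the trailing echo while importing the variable.
    ps_out=$(env -i probe='() { :;}; echo PROBE_HIT' "$ps_bin" -c ':' 2>/dev/null </dev/null) || true
    case $ps_out in
        *PROBE_HIT*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

# sshd starts the account's login shell, so check that first, then the
# usual paths that scripts and services tend to call.
for candidate in "${SHELL:-/bin/sh}" /bin/sh /bin/bash; do
    printf '%-12s %s\n' "$(probe_shell "$candidate")" "$candidate"
done
```

Run it on the VPS itself; a `not-bash` result for `/bin/sh` means scripts that call `sh` are not going through bash on that system.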
It's likely that your home router is behind NAT, so unless you're using DynDNS or a static IP address to make it reachable from the Net, you're probably safe there.<p>Supposing that there's no UPnP enabled, no government trojans on it, and no script kiddies on your subnet.