Now let’s see how a bash exploiter can exploit ZS:
* From the internet: By default, ZS restricts access to its web UI to private IP ranges. If you’re foolish enough to override this default, there’s the next problem:
* The admin credentials: To even see the UI CGI you need the admin password. If you have teenage kids behind your ZS router, you likely have a better password than ‘password.’ I hope.
* Malware on the inside network: That’s assuming you administer ZS from an infected PC; if so, you have worse problems than malware exploiting your router. And I have a whole web series on preventing unwanted software, at least on Windows clients.
* Captive Portal or optional Squid Proxy: Isn’t this built with hostile clients in mind? There are a handful of examples of blocking inbound SQL exploits that could apply to a Squid running on ZS that’s caching outbound requests; block bash escape sequences like one would block SQL ones.
If you’re a ZS admin who’s really worried about this until Fulvio releases a fix, make sure the web UI is restricted to NICs and IP ranges you trust, and pick a strong admin password. If you use the captive portal, add some URL filtering and you might even catch your own users exploiting outside hosts.
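
The filtering idea from the Squid and captive-portal points above, as an added example (not ZS or Squid code): it flags request fields whose percent-decoded value begins with bash's function-definition marker `() {`. The function names, the `example.test` requests and the choice to match only at the start of a value are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# bash's function-definition marker "() {" at the start of a value.
# Anchoring at the start (an assumption of this example) keeps ordinary
# JavaScript such as "function() {}" inside a URL from being flagged.
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{")


def decode_layers(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markers also surface."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def candidates(url, headers):
    """Yield (field name, raw value) for every part of the request we inspect."""
    query = urlsplit(url).query
    yield "query", query
    for key, value in parse_qsl(query, keep_blank_values=True):
        yield "query:" + key, value
    for name, value in headers.items():
        yield "header:" + name, value


def suspicious_fields(url, headers):
    """Return the names of fields whose decoded value starts with the marker."""
    return [name for name, value in candidates(url, headers)
            if FUNC_DEF.search(decode_layers(value))]


# Constructed sample requests (not taken from any real log).
SAMPLES = [
    ("http://example.test/index.html", {"User-Agent": "Mozilla/5.0"}),
    ("http://example.test/cgi-bin/status",
     {"User-Agent": "() { :; }; echo constructed-sample"}),
    ("http://example.test/cgi-bin/status?x=%28%29%20%7B%20%3A%3B%20%7D%3B",
     {"User-Agent": "curl/7.38.0"}),
    ("http://example.test/app.js?cb=function()%20%7B%7D",
     {"Referer": "http://example.test/"}),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(url, "->", suspicious_fields(url, headers) or "clean")
```

A proxy only sees headers and URLs of plain-HTTP requests, so this kind of filter covers HTTPS traffic only where the proxy terminates TLS.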
Above all, don’t panic.