Overview
The GNU Bash command shell, version 4.3 and earlier, contains a command injection vulnerability that may allow remote code execution. Bash supports exporting shell functions to other instances of Bash using an environment variable. The environment variable is named after the function, and its value begins with "() {" followed by the function definition. When Bash reaches the end of the function definition, rather than stopping, it continues to process shell commands written after the end of the function. This vulnerability is especially critical because Bash is widespread on many types of devices (UNIX-like operating systems including Linux, BSD, and Mac OS X), and because many network services utilize Bash, causing the vulnerability to be network exploitable.
D-Link is currently investigating its product lines and will continue to update information.
As of September 24, 2014, D-Link consumer wired/wireless routers and wired/wireless network cameras do not utilize the Bash command shell.
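The function-export format described above can be checked for defensively. The following is an added example, not D-Link or CERT code: it reads NAME=VALUE pairs and flags any value that begins with "() {", noting whether text continues after the closing brace. The variable names and sample values are constructed, and the trailing-text check is a heuristic rather than a shell parser.

```shell
#!/bin/sh
# Added example (not D-Link or CERT code). Heuristic: no brace-matching parser.

# classify_value VALUE -> prints: plain | function | function+trailing
classify_value() {
    case $1 in
        '() {'*) ;;                      # value begins with the export marker
        *) echo plain; return 0 ;;
    esac
    # Drop trailing whitespace, then check whether the text ends at a closing brace.
    trimmed=$(printf '%s' "$1" | sed -e 's/[[:space:]]*$//')
    case $trimmed in
        *'}') echo function ;;           # looks like a bare function definition
        *)    echo function+trailing ;;  # text continues after the definition
    esac
}

# scan_env: read NAME=VALUE lines on stdin, print "NAME<TAB>verdict" for each
# flagged value. Returns 1 if anything was flagged, 0 otherwise.
scan_env() {
    found=0
    while IFS= read -r line; do
        case $line in *=*) ;; *) continue ;; esac   # skip lines without '='
        verdict=$(classify_value "${line#*=}")
        [ "$verdict" = plain ] && continue
        printf '%s\t%s\n' "${line%%=*}" "$verdict"
        found=1
    done
    return "$found"
}

# Constructed sample input; names and values are illustrative only.
sample_env() {
    cat <<'EOF'
X_CLIENT_HOST=camera.example
X_CLIENT_VALUE=() { :; }; echo constructed-marker
greet=() { echo hello; }
LANG=en_US.UTF-8
EOF
}

sample_env | scan_env || echo "flagged values found" >&2
```

A value supplied by a remote client has no legitimate reason to carry the "() {" prefix, so either verdict on such a field is worth investigating.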
References
CERT Vulnerability Report: VU#252743 - http://www.kb.cert.org/vuls/id/252743
Other relevant articles recommended by CERT:
https://access.redhat.com/node/1200223
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html
https://blogs.akamai.com/2014/09/environment-bashing.html
Description
To preserve the author's intent, please read the original disclosure at: http://www.kb.cert.org/vuls/id/252743
Recommendation
Please update your device firmware if your product is listed under Affected Product below. Continue to monitor this page until we have completed our investigation and changed the status to closed.
We recommend that all networks be protected by a firewall or better security policy to mitigate attacks by malicious remote users.
All devices on your network should have log-in credentials and WiFi encryption keys enabled, if applicable.
WiFi encryption reduces the risk from this vulnerability if the device Web-GUI is accessed over WiFi. If the WiFi network is encrypted, a malicious user would also need to compromise the WiFi encryption.
Please be aware that "Shell Shock" creates the largest risk for personal computers and servers that utilize the Bash command shell. Please consult your manufacturer or operating system vendor for information and updates. If a computer becomes compromised, it may be used to compromise networks without your authorization, which puts all other network devices at risk.
D-Link Systems (D-Link US) reminds customers to configure their devices specifically for the security concerns within each network infrastructure. In general, D-Link Systems (D-Link US) recommends disabling services not being used, changing/securing device log-in credentials, enabling WiFi encryption, and evaluating all security risks for your network regularly.
Affected Product
None. All D-Link devices and software have been cleared and are not affected by this vulnerability. All D-Link services have been audited for the use of Bash shell implementations. Based on the results of the audit, we have applied appropriate updates, if required, to close this potential vulnerability. D-Link continues to monitor CERT in case further issues are reported about the Bash shell. (Edited: 10/06/2014 15:52 PST)