OK. Some details, AFAIK:
- The OS X dhcp client is an Apple-written package, and is reportedly not vulnerable to rogue dhcp servers. There's a proof-of-concept rogue dhcp server available, so you can verify vulnerable clients locally.
- bash-based Apache CGI scripts are vulnerable. Very few folks have those bash scripts around. Check your local system.
- local privilege escalations are possible, so folks with command line login access can get root. On most Macs, it's usually only admins and support folks and occasionally the end-user that are accessing the command line anyway, and those folks already have root.
Current list of "Shellshock" bash-related CVEs:
There are issues for folks with local bash access. But then folks with local access can toss a fork bomb at your computer, or fill your disks, or otherwise cause you problems. As for remote access, you need to have Apache or another web server running or some other way to get at some local bash scripts (captive bash logins or software using scripts and AJAX), and you need to have some bash scripts around to exploit, so... I've checked for scripts, set up some filters, and am going to wait for Apple to issue a patch.
As for the more general mess, it's not OS X. It's likely embedded devices running vulnerable versions of bash. These can include NAS devices, network load balancers, and other such gizmos. OS X client is not likely vulnerable without locally having opened up remote (web, command line, etc) access, and OS X Server vulnerabilities are presently apparently quite limited, but there are reportedly shellshock-based bugs in (for instance) the F5 BIG-IP load balancer web administration.
If you have a decent firewall in front of your network and if haven't opened ports (save via VPN) through that firewall, then nobody can even get at your Macs.
