No, CGI is just the most obvious use of user-controlled environment variables. Other systems may also set environment variables to user-controlled strings for whatever reason. If such a system ever invokes bash, even indirectly or implicitly, with user-controlled environment variables set, that system is vulnerable.
Example non-CGI vulnerable systems from Red Hat: CUPS, dhclient.
Can someone from the internet use this type of attack through CUPS or dhclient then? I was asking about external attacks, not users that are already on the system.
dhclient: sort of. If you connect to a malicious access point, or someone runs a rogue DHCP server on a network you trust, they could potentially attack dhclient.
CUPS: If you are exposing a CUPS server to the Internet to allow remote printing.
OK, so are those the only ones you know of? I am going to patch, but I'm just wondering about this category of attack in a more general sense, so I want to make sure I understand the scope of this particular one.
So say I have a server that is running a VPN (tinc). Then another system is connected to that same VPN network. Are you saying that by running a DHCP server on the second system, my server could be compromised?
It's impossible to enumerate all evil. There's no way of knowing what else is vulnerable until it's demonstrated to be vulnerable. I've commented elsewhere, though, describing what types of function calls and programs are likely to be vulnerable.
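An added example, not part of any comment in this thread: one way a service that spawns helpers (which may invoke bash indirectly) can avoid handing user-controlled strings to them through the environment. The `INHERIT` list, the `REQ_` prefix, the value pattern and the sample inputs are assumptions made for the illustration.

```python
import os
import re
import subprocess
import sys

# Hypothetical policy: the only parent variables a helper may inherit.
INHERIT = ("PATH", "LANG", "TZ")
# Assumed shapes for request-derived data: short names, and values limited
# to characters found in hostnames, paths and simple tokens.
SAFE_NAME = re.compile(r"[A-Z][A-Z0-9_]{0,63}")
SAFE_VALUE = re.compile(r"[A-Za-z0-9._:/@+-]{0,256}")


def child_env(untrusted, parent=None):
    """Return (env, rejected_names) for a helper process.

    Nothing is inherited by default, because a CGI-style parent environment
    is itself full of client-supplied strings (headers, cookies, DHCP options).
    """
    parent = os.environ if parent is None else parent
    env = {k: parent[k] for k in INHERIT if k in parent}
    rejected = []
    for name, value in untrusted.items():
        if SAFE_NAME.fullmatch(name) and SAFE_VALUE.fullmatch(value):
            env["REQ_" + name] = value  # prefixed so it cannot shadow PATH etc.
        else:
            rejected.append(name)
    return env, sorted(rejected)


def run_helper(argv, untrusted):
    """Run argv without a shell, refusing input that fails validation."""
    env, rejected = child_env(untrusted)
    if rejected:
        raise ValueError("refusing to export: " + ", ".join(rejected))
    done = subprocess.run(argv, env=env, shell=False, check=True,
                          capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    # Constructed sample input: one well-formed value, one free-text value.
    sample = {"REMOTE_HOST": "printer01.example.net",
              "CLIENT_NOTE": "client name; with spaces"}
    print(child_env(sample, parent={"PATH": "/usr/bin", "HTTP_COOKIE": "x"}))
    print(run_helper([sys.executable, "-c", "import os; print(len(os.environ))"],
                     {"REMOTE_HOST": "printer01.example.net"}))
```

The strict value pattern also rejects harmless free text; data of that kind is better passed to the helper on stdin or in a file than in the environment.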