It is primarily services (daemons) such as DHCP that call bash internally that are likely to be vulnerable. DHCP input should be sanitized, but then so should any daemon input string. Historically that has not always been the default. However, that's also the reason that most user OSX installations should be safe - they are not running external service daemons. Servers, such as websites, mail relays, DHCP, and other open ports etc., would presumably be the immediate concern.