Shellshock patch

Post by favroom » Sat Sep 27, 2014 6:25 am

I tested for the shellshock vulnerability using this script in a shell:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Our bash version is vulnerable!

I deleted all port forwarding rules to my nas...

Is this the right place to post Security related matters?

Ferdinand
favroom
 

Re: Shellshock patch

Post by fvdw » Sat Sep 27, 2014 10:46 am

Thanks for reporting this, we will fix it.
What version of fvdw-sl are you running?
fvdw
Site Admin - expert
 

Re: Shellshock patch

Post by fvdw » Sat Sep 27, 2014 12:52 pm

Hi Ferdinand and others, we have released a patch to eliminate this vulnerability.

viewtopic.php?f=7&t=1960#p16216
fvdw
Site Admin - expert
 

Re: Shellshock patch

Post by favroom » Wed Oct 08, 2014 7:21 pm

fvdw wrote: Hi Ferdinand and others, we have released a patch to eliminate this vulnerability.

viewtopic.php?f=7&t=1960#p16216


Very fast patch release! But I am afraid it didn't fully patch the vulnerability.

I used some test commands from:
https://shellshocker.net/

e.g.:
env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo; rm ./echo

Reference to the vulnerability:
http://web.nvd.nist.gov/view/vuln/detai ... -2014-7169
favroom
 

Re: Shellshock patch

Post by Jocko » Thu Oct 09, 2014 8:54 am

Hi favroom,

Indeed, our released patch doesn't fully fix the known bash vulnerabilities. To do that, we must change the bash version and not use some patches for version 4.3.x. So we need some more time and tests.

The other unfixed vulnerabilities can be used only with openSSH and the apache server if we use the cgi modules. The related exploits can mainly be a DDoS (not a critical issue). As openSSH is not present in the firmware, these vulnerabilities may be used only with the web server.
The firmware web interface doesn't use the cgi modules (so no issue on this side), but I am pretty sure that some media servers or others (e.g. btsync) may use them.

So if you fear such attacks, which have been present for a long time (~20 years) and never used until now, you should not use the proxy patch to redirect these servers to the apache server.
Jocko
Site Admin - expert
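
The two test commands quoted in the posts above, wrapped so that each result is reported separately and the second test runs in a scratch directory. This is an added example, not part of any post in this thread; the function names are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: runs the two test commands quoted in the
# posts against a bash binary and reports each result separately.
# Arguments are the command to test, e.g. /bin/bash (use an absolute path).

# Test from the first post: a vulnerable bash runs the command that trails
# the function definition, so "vulnerable" appears in the output.
check_trailing_command() (
    out=$(env x='() { :;}; echo vulnerable' "$@" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
)

# shellshocker.net test from the later post: a vulnerable bash leaves a file
# named "echo" in the working directory. Run in a scratch directory so that
# nothing in the caller's directory is created or removed.
check_redirect_file() (
    dir=$(mktemp -d) || exit 2
    cd "$dir" || exit 2
    env X='() { (shellshocker.net)=>\' "$@" -c 'echo date' >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then result="vulnerable"; else result="not vulnerable"; fi
    cd / && rm -rf "$dir"
    echo "$result"
)

# Returns 0 only when both tests pass; a bash that passes the first test can
# still fail the second, which is the situation reported in this thread.
check_bash() {
    first=$(check_trailing_command "$@")
    second=$(check_redirect_file "$@")
    echo "$*: trailing-command test: $first"
    echo "$*: redirect-file test: $second"
    [ "$first" = "not vulnerable" ] && [ "$second" = "not vulnerable" ]
}

# Run as a script: test the command given as arguments, or "bash" from PATH.
[ $# -gt 0 ] || set -- bash
if command -v "$1" >/dev/null 2>&1; then check_bash "$@"; fi
```

The exit status of check_bash is non-zero if either test reports "vulnerable", so it can be used in a post-update check on the NAS.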
 

