Shellshock patch

Posted:
Sat Sep 27, 2014 6:25 am
by favroom
I tested for the shellshock vulnerability using this script in a shell:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Our bash version is vulnerable!
I deleted all port forwarding rules to my nas...
Is this the right place to post Security related matters?
Ferdinand
Re: Shellshock patch

Posted:
Sat Sep 27, 2014 10:46 am
by fvdw
Thanks for reporting this, we will fix it.
What version of fvdw-sl are you running?
Re: Shellshock patch

Posted:
Sat Sep 27, 2014 12:52 pm
by fvdw
Hi Ferdinand and others, we have released a patch to eliminate this vulnerability:
viewtopic.php?f=7&t=1960#p16216
Re: Shellshock patch

Posted:
Wed Oct 08, 2014 7:21 pm
by favroom
Very fast patch release! But I am afraid it didn't fully patch the vulnerability.
I used some test commands from https://shellshocker.net/, e.g.:
env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo; rm ./echo
Reference to the vulnerability:
http://web.nvd.nist.gov/view/vuln/detai ... -2014-7169
Re: Shellshock patch

Posted:
Thu Oct 09, 2014 8:54 am
by Jocko
Hi favroom,
Indeed, our released patch doesn't fully fix the known bash vulnerabilities. To do it, we must change the bash version and not use some patches for version 4.3.x. So we need some more time and tests.
The other unfixed vulnerabilities can be used only with OpenSSH and the Apache server if we use the CGI modules. The related exploits can be mainly a DDoS (not a critical issue). As OpenSSH is not present in the firmware, these vulnerabilities may be used only with the web server.
The firmware web interface doesn't use the CGI modules (so no issue on this side), but I am pretty sure that some media servers or others (e.g. btsync) may use them.
So if you fear such attacks, which have been present for a long time (~20 years) and never used until now, you should not use the proxy patch to redirect these servers on the Apache server.
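The two checks posted in this thread, combined into one script as an added example (it is not part of any post above and not fvdw-sl code). The function names are hypothetical; the second check runs in a throwaway directory so it cannot leave or remove a file named "echo" in the directory you run it from.

```sh
#!/bin/sh
# Added example: local check of one bash binary for the two issues discussed
# in this thread. Pass a name on PATH or an absolute path (the second check
# changes directory before running it).

# check_6271 BASH -> prints "vulnerable" or "not vulnerable"
check_6271() {
    # An unpatched bash runs the text after the function body while importing
    # the variable, so the word "vulnerable" shows up in the output.
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# check_7169 BASH -> prints "vulnerable" or "not vulnerable"
check_7169() {
    tmp=$(mktemp -d) || return 2
    # An incompletely patched bash ends up running "date > echo", which
    # creates a file called "echo"; a fixed bash only prints the word "date".
    ( cd "$tmp" && env X='() { (shellshocker.net)=>\' "$1" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then r="vulnerable"; else r="not vulnerable"; fi
    rm -rf "$tmp"
    echo "$r"
}

# report BASH -> one line per CVE; refuses to guess if the shell is missing
report() {
    b=${1:-bash}
    command -v "$b" >/dev/null 2>&1 || { echo "no such shell: $b"; return 2; }
    echo "CVE-2014-6271: $(check_6271 "$b")"
    echo "CVE-2014-7169: $(check_7169 "$b")"
}

# Run as: sh check.sh /bin/bash
if [ "$#" -gt 0 ]; then report "$1"; fi
```

A "not vulnerable" result for both lines covers only these two tests; it does not show that every bash parser issue from that period is fixed.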