skilke (Aspirant)
Sep 25, 2014
BASH exploit - Shellshock
Hi
I have a ReadyNAS Ultra 2 and it has version 3.1.17 of BASH installed which has a High risk vulnerability.
Can somebody please explain how to patch BASH so that my system is not at risk from this vulnerability. I have tried downloading the source, the patch and patching but 1 file did not patch successfully. If anyone can post some step by step instructions it would be really appreciated (as I am not an expert).
Many thanks
K
76 Replies
- mdgm-ntgr (NETGEAR Employee Retired): What version of RAIDiator are you running?
We do backport some patches so it may already have been patched.
- skilke (Aspirant): Hi
I'm not at my NAS right now... but the exploit was only published yesterday and I checked using sample code to see if my version of Bash is 'processing trailing parameter' (the vuln). My Bash is - all versions up until yesterday are.
Is there a 'Manual' way to patch BASH until a firmware upgrade can be applied?
- mdgm-ntgr (NETGEAR Employee Retired): Ah, didn't realise it was a new exploit.
- jdgs (Aspirant): I am also concerned about this, have checked all my devices and only found the ReadyNAS that seems to be at risk so far. :(
- mdgm-ntgr (NETGEAR Employee Retired): I have messaged engineering about this. Let's wait and hear what they have to say.
In the meantime you may wish to disable port forwards (if you have some setup) if you are very concerned about this.
Also a good reminder to make sure you have an up to date backup.
- super_poussin (Virtuoso): Doing this on an RN516
apt-get update
apt-get install bash
works fine on my RN516 :)
and the bash was upgraded to the last bash version with the patch
- alanwsg1 (Aspirant): That also seemed to work on my RN102 running 6.1.9.
"bash -version" didn't reflect any change though, it was 4.2.37(1) before and after the update, is that correct?
I checked the vulnerability using ...
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
... Which said 'busted' before the update but returns an error afterwards.
- xeltros (Apprentice): Debian tends to backport changes, so the version number is not a real indicator. You may have better luck by checking the package version you have (instead of the bash version). Check again in a few days to be sure there is no other update too.
- mathuin (Aspirant): Will there be an update for the ReadyNAS Duo? I'm running the most recent release (4.1.13 from Oct 25, 2013) and its version of bash is 2.05b.0(1) which is vulnerable to this issue.
Jack.
- Skywarp (Tutor):
mdgm wrote:
I have messaged engineering about this. Let's wait and hear what they have to say.
In the meantime you may wish to disable port forwards (if you have some setup) if you are very concerned about this.
Also a good reminder to make sure you have an up to date backup.

I've had a look myself, and can confirm the vulnerable bash version, however, I haven't found a way to remotely trigger this.
I.e. you need to have SSH access to the box as far as I can see for now.
I'll await the answer from the devs, to see if they have any more information on this.
If you want to be extra safe/paranoid, indeed disable port forwards to your ReadyNAS.
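
The check alanwsg1 posted and xeltros's point about backported package versions, combined into one script as an added example (not part of the original thread and not NETGEAR tooling). It assumes a Debian-style system where `dpkg-query` is available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: behavioural Shellshock check plus package-version lookup.

# Classify the probe's stdout. A vulnerable bash executes the trailing
# "echo busted" while importing X from the environment.
classify_probe_output() {
    case "$1" in
        *busted*)    echo vulnerable ;;
        *completed*) echo patched ;;
        *)           echo unknown ;;
    esac
}

# Run the probe from the thread against one bash binary
# (default: the bash found in PATH).
probe_bash() {
    bash_bin=${1:-$(command -v bash)}
    [ -x "$bash_bin" ] || { echo unknown; return 0; }
    out=$(env X='() { :;} ; echo busted' "$bash_bin" -c 'echo completed' 2>/dev/null)
    classify_probe_output "$out"
}

# On Debian-based firmware the package version changes when a fix is
# backported, even if the version bash itself reports stays the same.
bash_package_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' bash 2>/dev/null || echo unknown
    else
        echo "n/a (no dpkg)"
    fi
}

report() {
    printf 'bash binary:     %s\n' "$(command -v bash || echo none)"
    printf 'package version: %s\n' "$(bash_package_version)"
    printf 'probe result:    %s\n' "$(probe_bash)"
}

report
```

Run it before and after `apt-get install bash`: the probe result should change from `vulnerable` to `patched`, and the package version line should change with it.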