HiI have a ReadyNas Ultra 2 and it has version 3.1.17 of BASH installed which has a High risk vulnerability. Can somebody please explain how to patch BASH so that my system is not at risk from this vulnerability. I have tried downloading the source, the patch and patching but 1 file did not patch successfully. If anyone can post some step by step instructions it would be really appreciated (as I am not an expert).Many thanksK

What version of RAIDiator are you running?We do backport some patches so it may already have been patched.

HiI'm not at my NAS right now.....but the exploit was only published yesterday and I checked using sample code to see if my version of Bash is 'processing trailing parameter' (the vuln). My Bash is - all versions up until yesterday are.Is there a 'Manual' way to patch BASH until a firmware upgrade can be applied

Ah, didn't realise it was a new exploit.

I am also concerned about this, have checked all my devices and only found the ReadyNAS that seems to be at risk so far. :(

I have messaged engineering about this. Let's wait and hear what they have to say.In the meantime you may wish to disable port forwards (if you have some setup) if you are very concerned about this.Also a good reminder to make sure you have an up to date backup.

BASH exploit - Shellshock | NETGEAR Communities

76 Replies

Replies have been turned off for this discussion

mdgm-ntgr
NETGEAR Employee Retired
Sep 26, 2014
Skywalker already mentioned some beta builds that have patches for the exploit. Couldn't you just update to the beta?

Or get apt to look at the 4.2.27 repository and try to install the necessary packages from there.
btaroli
Prodigy
Sep 26, 2014
Ah, OK... I see that here: viewtopic.php?f=51&t=70385

In general, though, it's when patches are delivered as patches and don't require taking a beta OS release to accomplish. :) In my case I'm comfortable with that... but not everyone would be.
mdgm-ntgr
NETGEAR Employee Retired
Sep 26, 2014
Well if you edited the sources list to use 4.2.27 repository then you probably could install the bash update using apt-get whilst remaining on 4.2.26.
btaroli
Prodigy
Sep 26, 2014
Mmm... good point.. and then change it back after to avoid other potential interactions?
mdgm-ntgr
NETGEAR Employee Retired
Sep 26, 2014
Yes.

Or don't touch the sources list, find the package in the repository, download it and install it via dpkg.

This of course assumes that there aren't other packages that need to be upgraded too.
sorenfriis
Aspirant
Sep 26, 2014
I can confirm that changing the /etc/apt/sources.list to the 4.2.27 repository works for my Ultra4.

Here is a quite terrifying example of why we need to take this very seriously:
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
jdgs
Aspirant
Sep 26, 2014
I have just managed to resolve this on my ReadyNAS 2100.

Updating apt-get and installing bash didn't help for me in the first instance as apt-get was looking at the 4.2.26 repo. Changed it to 4.2.27 temporarily by editing etc/apt/sources.list and was able to update bash ok.
skilke
Aspirant
Sep 26, 2014
Thanks for the firmware update.
gareth_iowc
Aspirant
Sep 26, 2014
Ready nas 104 is affected
firmware 6.1.9
super_poussin
Virtuoso
Sep 26, 2014
apt-get update
apt-get install bash

Envoyé de mon iPhone en utilisant Tapatalk

Forum Discussion

BASH exploit - Shellshock

76 Replies

Related Content

PDF Exploit

R7000 buffer overflow exploit patch

Netgear Router Exploit - 10/8/2015

Is ReadyNAS NVX RNDX4000 vulnerable to ShellShock exploit?

bash upgrade

NETGEAR Academy

ProSupport for Business