skilke
Sep 25, 2014
Aspirant
BASH exploit - Shellshock
Hi
I have a ReadyNas Ultra 2 and it has version 3.1.17 of BASH installed which has a High risk vulnerability.
Can somebody please explain how to patch BASH so that my system is not at risk from this vulnerability. I have tried downloading the source, the patch and patching but 1 file did not patch successfully. If anyone can post some step by step instructions it would be really appreciated (as I am not an expert).
Many thanks
K
76 Replies
- Skywalker (NETGEAR Expert): Anyway, if your box is running ReadyNASOS 6.x, the default shell is dash, not bash. So dash is the shell that would get executed from CGIs, rather than bash.
- alexofindy (Aspirant): What is the latest on this? Any official word?
I have 3 systems, an NV+, an ultra 6+, and a 316. All run the latest release software. As best I can tell, all three systems are therefore vulnerable.
I have SSH disabled on all 3 systems; it was previously enabled on the 4.x systems with the enablerootssh plugin, but I ran the togglessh plugin, which seems to have disabled remote shell access. (I assume it stops the sshd process.) On the 314, I disabled ssh in frontview.
I will probably load the latest beta firmware releases on my NV+ and Ultra 6+; this apparently fixes the bug. Correct?
What about the 314? I don't wish to install the 6.2.0 firmware since it is a major but non-production release, and cannot be downgraded back to 6.1.9. Should I turn on ssh, and use app-get to update bash as others have suggested? Or, is bash not used on the 314, and thus there is no vulnerability?
Or is simply turning off shell access as I described above sufficient?
I do not have any port forwarding enabled on my router, which should be protection enough, but I'd rather have the extra layer of non-vulnerable NAS boxes.
- mdgm-ntgr (NETGEAR Employee Retired): The betas for the NV+ and Ultra 6+ address the vulnerability, though the chances of the vulnerability being exploited are probably very low.
The 314 is not vulnerable to ShellShock.
6.2.0 should only be installed on non-production systems that are fully backed up. Anyway the current 6.2.0 public beta was built before ShellShock made the news.
- dsm1212 (Apprentice): I'm still running 4.2.25, bit of a chore to update since I'm running virtualbox. Tried updating just bash from 4.2.27 but I get dependency errors. Could I get the 4.2.27 sources posted so that I can update to 4.2.27 and rebuild vbox? The sources link on the beta note is a link to 4.2.23 sources.
steve
- schmitzm (Aspirant): @GibsonLP - I understand the latest beta addresses the issue - it would be nice to have confirmation that the beta includes both of the patches to bash though.
Following your writeup, I have managed to cross-build patched bash-3.2 and bash-2.05b binaries - I'll still need to run the testsuites from the source distribution to feel confident enough to replace the old binary.
- mdgm-ntgr (NETGEAR Employee Retired): Yes it does have both patches. You can confirm this by examining the apt-get repository. It should show up in the GPL once there is a production 4.2.27 release.
- wtriba (Aspirant)
schmitzm wrote: @GibsonLP - I understand the latest beta addresses the issue - it would be nice to have confirmation that the beta includes both of the patches to bash though.
Following your writeup, I have managed to cross-build patched bash-3.2 and bash-2.05b binaries - I'll still need to run the testsuites from the source distribution to feel confident enough to replace the old binary.
I'm definitely interested in the 2.05b binary for my NV+. If/when you're going to make that available, I'd love to get a copy. Thanks!
- 0d0a (Tutor): Hai, I am using a readynas duo in a lawyers firm, an apt-get install bash doesn't update bash, is this due to the fact the ls is sparc 4.1.13? What can I do about it?
- mdgm-ntgr (NETGEAR Employee Retired): You could try editing the sources list to use the 4.1.14 repository or simply just install the 4.1.14 beta firmware.
- 0d0a (Tutor)
mdgm wrote: You could try editing the sources list to use the 4.1.14 repository or simply just install the 4.1.14 beta firmware.
Changed sources.list to 4.1.14, that did it!
Should I change back to 4.1.13 or just leave it to 4.1.14?
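
An added example, not part of the original thread and not NETGEAR's code: Skywalker's reply above notes that CGIs run through the default shell, so this sketch reports which binary an `sh` path resolves to and lists the scripts in a CGI directory whose interpreter line would start bash, either by naming bash or by naming `sh` where `sh` is bash. The function names and the directory argument are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added illustration; function names and the directory argument are assumptions.

# Report which shell a path such as /bin/sh really is: bash, dash or other.
shell_kind() {
    # readlink -f follows symlinks (GNU coreutils and BusyBox both provide it).
    target=$(readlink -f "$1" 2>/dev/null) || target=$1
    case "$(basename "$target")" in
        bash) echo bash ;;
        dash) echo dash ;;
        *)    echo other ;;
    esac
}

# Print every file in CGI directory $1 whose interpreter line would start bash.
# $2 is the sh path to inspect (default /bin/sh).
cgi_using_bash() {
    dir=$1
    sh_kind=$(shell_kind "${2:-/bin/sh}")
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        first=$(head -n 1 "$f" 2>/dev/null)
        case "$first" in
            '#!'*bash*)
                # Names bash directly: runs bash even where sh is dash.
                echo "$f" ;;
            '#!'*/sh|'#!'*'/sh '*)
                # Names sh: only a concern when sh resolves to bash.
                if [ "$sh_kind" = bash ]; then echo "$f"; fi ;;
        esac
    done
    return 0
}

# Usage: sh thisfile /path/to/cgi-dir [/bin/sh]
if [ "$#" -gt 0 ]; then
    cgi_using_bash "$@"
fi
```

Scripts the function prints are the ones to review first on a box whose bash has not yet been updated.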