Forum Discussion
skilke
Sep 25, 2014
Aspirant
BASH exploit - Shellshock
Hi
I have a ReadyNas Ultra 2 and it has version 3.1.17 of BASH installed which has a High risk vulnerability.
Can somebody please explain how to patch BASH so that my system is not at risk from this vulnerability. I have tried downloading the source, the patch and patching but 1 file did not patch successfully. If anyone can post some step by step instructions it would be really appreciated (as I am not an expert).
Many thanks
K
76 Replies
Replies have been turned off for this discussion
- I've patched my NV+ v1 (sparc) using the local install of the 4.1.14-T5 firmware image, but this only includes the fixes for the earliest bugs discovered in bash ... there are now 27 patches rather than 25 patches to bash v4.3 since this thread began, as these last 2 patches address things that were only identified and rectified over Friday and the weekend.
The test code to confirm the CVE-2014-7169 patch is: cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
(per the zdnet article by sjvn: http://www.zdnet.com/shellshock-better- ... 7000034115)
I also updated my 3200 using the change of /etc/apt/sources.list to .27 + apt-get update + apt-get install bash, and this seems to have included 1 or more of the additional patches, as the above test does not show the date, so it is at least patched for 7169 if not necessarily for 7186 & 7187 (overflow and off-by-one bugs).
- chirpa
Luminary
There are more beta firmwares with patches. There were even more CVEs for bash today, from more holes found while patching this one.
- mdgm-ntgr
NETGEAR Employee Retired
4.1.14-T6 was released today.
- schmitzm
Aspirant
mdgm wrote: 4.1.14-T6 was released today.
Just installed T6 without a hitch.
It does fix the first string of vulnerabilities. It does not, however, address 2014-718x:
nmr-nas:~# dpkg -l bash
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-======================================-======================================-============================================================================================
ii bash 2.05b-26.netgear2 The GNU Bourne Again SHell
nmr-nas:~# /bin/bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_astack"
Segmentation fault
CVE-2014-7186 vulnerable, redir_astack
nmr-nas:~# (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | /bin/sh || echo "CVE-2014-7187 vulnerable, word_lineno"
/bin/sh: line 2: `x{1..200}': not a valid identifier
CVE-2014-7187 vulnerable, word_lineno
Patch for these: http://nmr.che.auckland.ac.nz/patches/CVE-2014-718x.dpatch
- zyrex
Aspirant
Even more patches with the same sort of vulnerability,
for example the release from yesterday:
05-Oct-2014
Bash-Release: 4.3
Patch-ID: bash43-030
A combination of nested command substitutions and function importing from
the environment can cause bash to execute code appearing in the environment
variable value following the function definition.
Link http://ftp.gnu.org/gnu/bash/bash-4.3-patches/
- h4te
Aspirant
Does this "bug" BASH exploit - Shellshock affect the ReadyNAS DUO v1 sparc system?
- mdgm-ntgr
NETGEAR Employee Retired
h4te wrote: Does this "bug" BASH exploit - Shellshock affect the ReadyNAS DUO v1 sparc system?
Yes. We have 4.1.14-T6 beta available for it: http://www.readynas.com/forum/viewtopic.php?f=17&t=59222
- h4te
Aspirant
Thank you!
- wifiuk
Aspirant
I've read the posts, and I wanted to know: after I have done an apt-get update and an apt-get install bash on my Netgear ReadyNAS Duo V2 I get the following errors
Reading package lists... Done
W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.us.debian.org squeeze-updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AXXXXXX25553 (edited)
W: Failed to fetch http://ftp.us.debian.org/debian/dists/squeeze-updates/Release
W: Some index files failed to download, they have been ignored, or old ones used instead.
And so I type in apt-get install bash anyway and I get this
bash is already the newest version.
You might want to run 'apt-get -f install' to correct these:
The following packages have unmet dependencies:
libidn11-dev : Depends: pkg-config but it is not going to be installed
libncurses5-dev : Depends: libc-dev
libncursesw5-dev : Depends: libc-dev
tzdata-java : Depends: tzdata (= 2012g-0squeeze1) but 2012c-0squeeze1 is to be installed
E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).
but I am still vulnerable
root@XXXXXXXXXXXXXX:~# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test
root@XXXXXXXXXXXXXX:~#
root@XXXXXXXXXXXXXX~# bash -version
GNU bash, version 4.1.5(1)-release (arm-unknown-linux-gnueabi)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
could anyone lend a hand please?
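The probes quoted across this thread (the CVE-2014-7169 file-drop test in the first reply, the CVE-2014-7186 and CVE-2014-7187 tests in schmitzm's post, and the CVE-2014-6271 env test in wifiuk's post) gathered into one self-check script. This is an added example, not code from the thread or from any NETGEAR firmware. It assumes the bash binary to test is passed as the first argument (defaulting to the bash on PATH); each check returns 0 when that binary is patched, 1 when it is still vulnerable and 2 when the binary cannot be run, and shellshock_report prints a one-line summary. It uses the published probes as-is, so it tells you whether a box still needs the later bash43-02x patches without you having to remember four different one-liners.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): run the Shellshock probes quoted in the
# thread against one bash binary. Return codes: 0 = patched, 1 = vulnerable,
# 2 = could not run the binary. Assumption: $1 names the bash to test.

# CVE-2014-6271: the original function-import bug. A patched bash prints only "test".
check_cve_2014_6271() {
  local bin="${1:-bash}" out
  command -v "$bin" >/dev/null 2>&1 || return 2
  out="$(env 'x=() { :;}; echo vulnerable' "$bin" -c 'echo test' 2>/dev/null)"
  case "$out" in
    *vulnerable*) return 1 ;;
    *) return 0 ;;
  esac
}

# CVE-2014-7169: the incomplete first fix left a parser bug; the probe makes an
# unpatched bash run "date" and write its output to a file named "echo" in the
# current directory. Run it inside a scratch directory so nothing else is touched.
check_cve_2014_7169() {
  local bin="${1:-bash}" tmp rc=0
  command -v "$bin" >/dev/null 2>&1 || return 2
  tmp="$(mktemp -d)" || return 2
  ( cd "$tmp" && env 'x=() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1 )
  [ -e "$tmp/echo" ] && rc=1
  rm -rf "$tmp"
  return "$rc"
}

# CVE-2014-7186: many here-documents on one command overflowed redir_astack and
# crashed the parser (the "Segmentation fault" in schmitzm's output); a patched
# bash just runs "true" and exits 0.
check_cve_2014_7186() {
  local bin="${1:-bash}"
  command -v "$bin" >/dev/null 2>&1 || return 2
  "$bin" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1
}

# CVE-2014-7187: 200 nested for-loops overflowed word_lineno. The thread's probe
# piped this into /bin/sh; feeding it to the bash under test avoids the
# "not a valid identifier" noise that a non-bash /bin/sh produces.
check_cve_2014_7187() {
  local bin="${1:-bash}" i=0
  command -v "$bin" >/dev/null 2>&1 || return 2
  {
    while [ "$i" -lt 200 ]; do i=$((i + 1)); echo "for x$i in ; do :"; done
    i=0
    while [ "$i" -lt 200 ]; do i=$((i + 1)); echo done; done
  } | "$bin" >/dev/null 2>&1
}

# Run all four checks and print a summary: "patched", or "VULNERABLE: <CVEs>".
shellshock_report() {
  local bin="${1:-bash}" cve rc found=""
  for cve in 6271 7169 7186 7187; do
    rc=0
    "check_cve_2014_$cve" "$bin" || rc=$?
    case "$rc" in
      1) found="$found CVE-2014-$cve" ;;
      2) echo "error: cannot run $bin"; return 2 ;;
    esac
  done
  if [ -n "$found" ]; then
    echo "VULNERABLE:$found"
    return 1
  fi
  echo "patched"
  return 0
}

# Usage: ./shellshock_check.sh /bin/bash
[ "${SHELLSHOCK_NO_MAIN:-}" ] || shellshock_report "${1:-bash}"
```

Run it on the NAS after each firmware or apt update; a box that passes the 6271 check but fails 7186/7187 is in exactly the state schmitzm's dpkg and probe output shows, so the remaining bash43-02x patches (or the dpatch linked in that post) are still needed.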