
Shellshock exploit affecting Netgear routers?

This article mentions routers as sometimes having bash and therefore being vulnerable to the new "shellshock" exploit: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ (which is as big a deal as Heartbleed).

Do Netgear routers have bash? Are they vulnerable? If so, I imagine a firmware update would be necessary.

I am using a RangeMax N150 Wireless Router (WPN824N).
Message 1 of 20
Mentor

Re: Shellshock exploit affecting Netgear routers?

What is BASH, what does it do and when is it used? When you have found the answer to those questions - here's one more - WHY would a consumer router (any brand) with only a web interface be running BASH (or any other) shell? I also want to ask - just how big a deal was heartbleed? It got a lot of negative publicity - we were told all about data being leaked, but - in reality, how many vulnerable websites were actually compromised because of it? Perhaps you should research heartbleed also, and the mechanism through which the data could be accessed - it might just be an eye opener.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 2 of 20
Aspirant

Re: Shellshock exploit affecting Netgear routers?

I am pretty familiar with bash and also would like to know if Netgear routers are vulnerable.

http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
Aside from Web servers, other vulnerable devices include Linux-based routers that have a Web interface that uses CGI. In the same manner as an attack against a Web server, it may be possible to use CGI to exploit the vulnerability and send a malicious command to the router.


fordem - Instead of giving a snarky/sarcastic/superior response, why not just answer the question?
Message 3 of 20

Re: Shellshock exploit affecting Netgear routers?

I believe he's telling you that the press it's garnering is worse than the issue itself, (much like heartbleed) and that he'd recommend reading up on the actual issue, instead of listening to what the press is claiming.

FUD is what seems to drive the press nowadays.... and they often paint a picture in a more negative light than it needs to be.
~ Shadowlore
Message 4 of 20
Aspirant

Re: Shellshock exploit affecting Netgear routers?

I am using the same model to segment a group of machines in a corporate environment. I have IT security asking about potentially affected equipment in the work area that I oversee. I can identify that this model uses CGI pages in its web interface (which may still respond to unauthenticated calls). So, the question is still relevant: "Is BASH present on Netgear routers?" It's very common to find it in the limited embedded-linux found in NAS subsystems, so it is reasonable to expect to find it in low-cost embedded linux packages of routers.

No, I don't anticipate someone on the inside of an authenticated network finding my little router and making requests specifically intended to call BASH in strange ways. But, if the vulnerability to run potentially anything that's accessible to BASH exists, I want to know if I should be watching for a patch or for suspicious activity. And I need to be considerate of the potential security implications of such a vulnerability being present.
Message 5 of 20
Aspirant

Re: Shellshock exploit affecting Netgear routers?

Shadowlore wrote:
I believe he's telling you that the press it's garnering is worse than the issue itself, (much like heartbleed) and that he'd recommend reading up on the actual issue, instead of listening to what the press is claiming.


Be that as it may. Not everyone who owns a router has the technical savvy to understand software vulnerabilities, bash limitations/capabilities, router configurations (e.g. is NetGear XXXXX Linux based and does it provide a web interface that uses CGI), etc, etc.

An official word from NetGear on the subject would be nice. Lacking that, I see nothing wrong with coming here to ask a simple, "Am I vulnerable?"
Message 6 of 20
Apprentice

Re: Shellshock exploit affecting Netgear routers?

The bash shell will not be present in any router (netgear or otherwise), they all will use busybox's built in ash shell.
Message 7 of 20
Aspirant

Re: Shellshock exploit affecting Netgear routers?

Of course there is a danger that the ASH shell has the same vulnerability?
Siv
Message 8 of 20
Mentor

Re: Shellshock exploit affecting Netgear routers?

richud wrote:
The bash shell will not be present in any router (netgear or otherwise), they all will use busybox's built in ash shell.


This has been my experience - embedded Linux systems are more likely to use busybox - it provides a great deal of functionality whilst using less memory.

Siv wrote:
Of course there is a danger that the ASH shell has the same vulnerability?
Siv


Ahhh - yes - and maybe we should all stay off the subway because of the ISIL threat.

There are risks involved in everything we do (and that includes breathing the air indoors), the important thing is to be aware of what those risks are and how real or imminent the danger is.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 9 of 20
Aspirant

Re: Shellshock exploit affecting Netgear routers?

Siv wrote:
Of course there is a danger that the ASH shell has the same vulnerability?
Siv

Question was about routers, so quick answer is NO.

Long answer would be NO, "I have read a bit about" the problem (or feature) that is exploited is implemented (only) in bash shell. Sadly I only have bash shells at hand, so it's hard to do anything more than trust the experts. (You should try to find old, grumpy and level-headed IT admins and listen to them, they would say this is no special day, everything is broken every day. ;) )

And for the ASH you need to wait for a while until someone finds something nasty from its source code. And it's probably not in use on the routers anyway.

But that said, nothing has changed in my weekly routines anyway, backup backup backup and update update update. (just an afterthought: When have we last tried to restore your backups?)
Message 10 of 20
Mentor

Re: Shellshock exploit affecting Netgear routers?

amarkula wrote:
You should try to find old, grumpy and level-headed IT admins and listen to them, they would say this is no special day, everything is broken every day. ;)


Grumpy old admins get very little respect from the young "know-it-all" hotshots.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 11 of 20
Aspirant

Re: Shellshock exploit affecting Netgear routers?

Listen up! There is one simple conclusion from NETGEAR's silence--you must assume that your equipment IS vulnerable.

Think for a minute... There are only two possible responses that NETGEAR can give: (1) "our routers are not vulnerable", or (2) "yes they are, and here's a fix". If the first were true, they would have already said it. Therefore the second is true, but they don't have the patches ready yet.

(Of course, I have discounted the possibility that they are ignorant of the issue. If that's the case, we should all decommission our NETGEAR hardware post-haste!)
Message 12 of 20
Mentor

Re: Shellshock exploit affecting Netgear routers?

http://forum1.netgear.com/showpost.php?p=483202&postcount=6

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 13 of 20
Aspirant

Re: Shellshock exploit affecting Netgear routers?

fordem wrote:
http://forum1.netgear.com/showpost.php?p=483202&postcount=6


I interpret this as YES, IT IS VULNERABLE, although only in specific cases.
Message 14 of 20
Aspirant

Re: Shellshock exploit affecting Netgear routers?

ReadyNAS 516

root@blah:~# echo $SHELL
/bin/bash
root@blah:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

...
Message 15 of 20
NETGEAR Employee Retired

Re: Shellshock exploit affecting Netgear routers?

Alisdair, If someone already has root access to your NAS, then they can do what they like. ShellShock is irrelevant then. In ReadyNAS OS 6.x, the default shell is DASH, not BASH. DASH is the shell that would get executed from CGIs. BASH will be updated in a future release per standard practice.
Message 16 of 20
Novice

Re: Shellshock exploit affecting Netgear routers?

This is only a quick test that confirms bash is installed and is vulnerable. Now they need to test other services that 'might' call bash for unauthenticated users ie. cgi used in apache ! If services call bash without the need for authentication then the device is easily exploitable ... if authentication is required the device is still vulnerable but to a lesser degree - ie. if using default username/password, 'trusted' users may be able to exploit it .....
Message 17 of 20
Aspirant

Re: Shellshock exploit affecting Netgear routers?

Netgear should tell the users if it uses busybox for the router and NAS.

I'm more interested in the routers.

Verify if your default shell for the root user is bash with the command below:
grep root /etc/passwd
Message 18 of 20
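
The checks discussed in the posts above (is bash installed, does it react to the test string, and is it the shell that `/bin/sh` and the root login actually use) can be combined into one local triage script. This is an added example, not part of any post in the thread or of NETGEAR's tooling; the function names and the `SHELLSHOCK_MARKER` string are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): local triage for CVE-2014-6271 exposure.

# Login shell of a user: 7th colon-separated field of a passwd-format file.
login_shell() {  # $1 = user, $2 = passwd file (default /etc/passwd)
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "${2:-/etc/passwd}"
}

# Resolve what a shell path really points to (dash, busybox, bash, ...).
resolve_sh() {  # $1 = path (default /bin/sh)
    readlink -f "${1:-/bin/sh}" 2>/dev/null || echo "${1:-/bin/sh}"
}

# Run the thread's test string against one binary.
# Prints: absent | vulnerable | patched
bash_status() {  # $1 = path to bash
    [ -x "$1" ] || { echo absent; return 0; }
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$1" -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Combine both facts. "vulnerable-sh-is-not-bash" corresponds to the
# "Running BASH shell but not exposed" situation: bash needs a patch, but
# programs that spawn /bin/sh do not reach it. Scripts that start with
# "#!/bin/bash" still run bash no matter what /bin/sh points to.
exposure() {  # $1 = bash path, $2 = sh path
    st=$(bash_status "$1")
    real=$(resolve_sh "$2")
    case "$st:$(basename "$real")" in
        absent:*)         echo no-bash ;;
        patched:*)        echo bash-patched ;;
        vulnerable:bash*) echo vulnerable-sh-is-bash ;;
        vulnerable:*)     echo vulnerable-sh-is-not-bash ;;
    esac
}

# Report for the machine this runs on.
b=$(command -v bash 2>/dev/null || true)
echo "root login shell : $(login_shell root)"
echo "/bin/sh resolves : $(resolve_sh /bin/sh)"
echo "bash status      : $(bash_status "$b")"
echo "exposure         : $(exposure "$b" /bin/sh)"
```
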
Aspirant

Re: Shellshock exploit affecting Netgear routers?

To confirm mdgm's ReadyNAS OS 6.x .....

Found a Netgear article

Is my NETGEAR product affected by the 'shellshock' bug (CVE-2014-6271 / CVE-2014-7169)?
http://kb.netgear.com/app/answers/detail/a_id/25703

NETGEAR Access Point, Wireless Controllers, Smart Switches, Managed Switches and majority of ProSAFE Firewall do not use BASH shell that is vulnerable to this "shellshock" bug.
NETGEAR cloud services are not exposed to this bug.

NETGEAR ReadyNAS (OS versions 4.1.x, 4.2.x, 5.x, 6.x), ReadyDATA (OS version 1.0), FVS318N and ProSECURE UTM firewall do contain the BASH shell that is affected
NETGEAR is taking steps to prevent compromise by the "shellshock" bug.

As best practice, it is recommended not to create static port forwards on your internet gateway device to your ReadyNAS / ReadyDATA. This will limit your exposure to any threats or vulnerabilities.

Current status (as of Oct 1/14)

(article has this in table format)

Product | Status | Notes
ReadyDATA | Update not required | All ReadyDATA attack vectors require authentication. The only CGIs used in ReadyDATA never directly execute any commands;
ReadyNAS OS 6.x | Running BASH shell but not exposed | In ReadyNAS OS 6.x, the default shell is DASH, not BASH. DASH is the shell that would get executed from CGIs. BASH will be updated in a future release per standard practice.
ReadyNAS OS 4.2.x | 4.2.27-T5 available | Developers have released patched build 4.2.27-T5 and can be downloaded here
ReadyNAS OS 4.1.x | 4.1.14-T6 available | Developers have released patched builds 4.1.14-T6 and can be downloaded here
ReadyNAS OS 5.x | 5.3.11-T4 available | Developers have released patched builds 5.3.11-T4 and can be downloaded here
ProSECURE UTM firewall | Internal release available. Please contact support to get the release. | If you are concerned about this bug you should disable the remote access functionality
ProSAFE FVS318N | Update in progress | If you are concerned about this bug you should disable the remote access functionality.


Technical details of the shellshock bug:

CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

CVE-2014-7169

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.


=======

Do see any news about Netgear's other devices affected yet!
Message 19 of 20
NETGEAR Employee Retired

Re: Shellshock exploit affecting Netgear routers?

NETGEAR public message

A new software bug called “Shellshock” has been found in the Bash command shell which is present in most Linux and UNIX systems and Apple’s Mac OS X. This vulnerability allows attackers to remotely execute malicious code on a huge number of servers across the globe. NETGEAR is pleased to report that none of our routers, switches, business wireless products, AirCard or ReadyDATA products were affected by the Shellshock bug. All NETGEAR and AirCard servers have been patched.

The following products were vulnerable and will have patches available:
FVS318N – patch available by end of October
ProSECURE UTM products – patch available week of 10/6.
ReadyNAS – patch available mid-October at support.netgear.com


NETGEAR advises all customers with products affected to update their products by downloading the new firmware (at support.netgear.com) with the patch as soon as it is available.

For more information see the NETGEAR knowledgebase article posted online at http://kb.netgear.com/app/answers/detail/a_id/25703
Message 20 of 20