Author Topic: Shell Shock (Read 8848 times)

jake · « **on:** September 25, 2014, 09:46:22 am »

Is there any concern about the new "Shell Shock" bash vulnerability with the Almond+? Is there any immediate action that should be taken to insure that things are secure?

LGNilsson · « **Reply #1 on:** September 25, 2014, 10:04:45 am »

None, we use BusyBox which isn't affected by the issue.

jake · « **Reply #2 on:** September 25, 2014, 10:42:34 am »

Great. I was a little scared when I logged into the ssh and ran the tests, and they seemed to indicate that the vulnerability was present:

Code: [Select]

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"

LGNilsson · « **Reply #3 on:** September 25, 2014, 10:52:31 am »

Odd, from what I read, BusyBox is unaffected and we're running the latest build in R066.
I'll have the software team look into it anyhow, just in case, but I'm actually surprised that it's even part of the firmware.

LGNilsson · « **Reply #4 on:** September 25, 2014, 11:02:57 am »

Ok, so we're apparently running a single script using bash, but we'll get this addressed in the next firmware release.
The chance of someone being able to do anything malicious with it is fairly minimal at this point though.
We're not using bash for anything else.

lowdrag · « **Reply #5 on:** September 25, 2014, 09:30:46 pm »

Can we get some real security here by allowing us to use all forms of SSL in the next release?

Please this is a very important factor to security in this age.

And these verification codes are getting annoying. How about another way to use the forums?

LGNilsson · « **Reply #6 on:** September 25, 2014, 11:04:04 pm »

I'm sorry, but I'm not following your reasoning here, what does SSL have to do with this issue?
It's not as if SSL was that safe anyhow, considering the heartbleed bug. R066 was updated to Open SSL 1.0.1i.

Please keep in mind that the Almond+ is a consumer product, not a corporate security appliance.

As for the verification code, it's to prevent spammers from posting on the forums, but I've changed your account status to Backer now, so you won't have any more issues with your posts.

LGNilsson · « **Reply #7 on:** September 26, 2014, 01:26:50 am »

Right, so it turns out it's actually not being used and we'll be removing bash in the next firmware update.
We're using ash instead, which is part of BusyBox and it's unaffected by this issue.

v8media · « **Reply #8 on:** September 26, 2014, 07:40:33 pm »

Curious if there are any issues with the Almond+ router with the recent bash vulnerabilities? Is this something that will need to be patched?

vansens · « **Reply #9 on:** September 26, 2014, 08:47:31 pm »

http://forum.securifi.com/index.php/topic,1943.0.html

LGNilsson · « **Reply #10 on:** September 26, 2014, 11:58:00 pm »

Topics merged.

Author Topic: Shell Shock (Read 8848 times)

jake

Shell Shock

LGNilsson

Re: Shell Shock

jake

Re: Shell Shock

LGNilsson

Re: Shell Shock

LGNilsson

Re: Shell Shock

lowdrag

Re: Shell Shock

LGNilsson

Re: Shell Shock

LGNilsson

Re: Shell Shock

v8media

bash?

vansens

Re: bash?

LGNilsson

Re: Shell Shock