Securifi Community Forum

Securifi Products => Almond+ => Topic started by: jake on September 25, 2014, 09:46:22 am

Title: Shell Shock
Post by: jake on September 25, 2014, 09:46:22 am
Is there any concern about the new "Shell Shock" bash vulnerability with the Almond+? Is there any immediate action that should be taken to ensure that things are secure?
Title: Re: Shell Shock
Post by: LGNilsson on September 25, 2014, 10:04:45 am
None, we use BusyBox which isn't affected by the issue.
Title: Re: Shell Shock
Post by: jake on September 25, 2014, 10:42:34 am
Great.  I was a little scared when I logged into the ssh and ran the tests, and they seemed to indicate that the vulnerability was present:

Code:
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"

Title: Re: Shell Shock
Post by: LGNilsson on September 25, 2014, 10:52:31 am
Odd, from what I read, BusyBox is unaffected and we're running the latest build in R066.
I'll have the software team look into it anyhow, just in case, but I'm actually surprised that it's even part of the firmware.
Title: Re: Shell Shock
Post by: LGNilsson on September 25, 2014, 11:02:57 am
OK, so we're apparently running a single script using bash, but we'll get this addressed in the next firmware release.
The chance of someone being able to do anything malicious with it is fairly minimal at this point though.
We're not using bash for anything else.
Title: Re: Shell Shock
Post by: lowdrag on September 25, 2014, 09:30:46 pm
Can we get some real security here by allowing us to use all forms of SSL in the next release?

Please, this is a very important factor to security in this age.

And these verification codes are getting annoying. How about another way to use the forums?
Title: Re: Shell Shock
Post by: LGNilsson on September 25, 2014, 11:04:04 pm
I'm sorry, but I'm not following your reasoning here, what does SSL have to do with this issue?
It's not as if SSL was that safe anyhow, considering the Heartbleed bug. R066 was updated to OpenSSL 1.0.1i.

Please keep in mind that the Almond+ is a consumer product, not a corporate security appliance.

As for the verification code, it's to prevent spammers from posting on the forums, but I've changed your account status to Backer now, so you won't have any more issues with your posts.
Title: Re: Shell Shock
Post by: LGNilsson on September 26, 2014, 01:26:50 am
Right, so it turns out it's actually not being used and we'll be removing bash in the next firmware update.
We're using ash instead, which is part of BusyBox and it's unaffected by this issue.
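
Added example, not part of the original thread and not Securifi's code: a POSIX sh audit that wraps the probe posted above, reports what each shell path actually resolves to (BusyBox ash or bash), and lists scripts whose shebang names bash, which is how a leftover dependency like the "single script" would be found. The directory arguments are assumptions, not Almond+ paths.

```shell
#!/bin/sh
# Added example: audit a device for the bash function-import ("Shell Shock") bug.
# The directories passed in are chosen by the operator; nothing here is Almond+ specific.

# Run the probe from the thread against one shell binary and classify the result.
probe_shell() {
    out=$(env X='() { :;}; echo busted' "$1" -c 'echo completed' 2>/dev/null) || true
    case $out in
        *busted*)    echo vulnerable ;;       # text after the function body was executed
        *completed*) echo "not vulnerable" ;; # X was treated as a plain string
        *)           echo unknown ;;          # shell missing or could not be run
    esac
}

# Print every regular file under the given directories whose shebang names bash.
bash_scripts() {
    find "$@" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000')
        case $first in
            '#!'*bash*) printf '%s\n' "$f" ;;
        esac
    done
}

# Report what each shell path really is, whether it is affected, and what depends on bash.
audit() {
    for sh in /bin/sh /bin/ash "$(command -v bash 2>/dev/null)"; do
        [ -n "$sh" ] && [ -x "$sh" ] || continue
        printf '%s -> %s: %s\n' "$sh" "$(readlink -f "$sh")" "$(probe_shell "$sh")"
    done
    echo "scripts that invoke bash:"
    bash_scripts "$@"
}

# Stand-alone use: pass the directories to scan, e.g. /etc /usr/sbin
if [ "$#" -gt 0 ]; then audit "$@"; fi
```

A "not vulnerable" result for /bin/sh says nothing about a separate bash binary on the same device, so the audit probes each shell path on its own line.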
Title: bash?
Post by: v8media on September 26, 2014, 07:40:33 pm
Curious if there are any issues with the Almond+ router with the recent bash vulnerabilities? Is this something that will need to be patched?
Title: Re: bash?
Post by: vansens on September 26, 2014, 08:47:31 pm
http://forum.securifi.com/index.php/topic,1943.0.html
Title: Re: Shell Shock
Post by: LGNilsson on September 26, 2014, 11:58:00 pm
Topics merged.