
Selenia
Gentoo Convert
Premium Member
join:2006-09-22
Fort Smith, AR

1 recommendation

Selenia to planet

Premium Member

to planet

Re: "Bash" Software Bug May Pose Bigger Threat Than "Heartbleed"

I believe you are safe. Those routers use the sh shell and DD-WRT was engineered from the stock firmware originally, even though it is way more advanced now. It still only uses sh unless you install bash either via optware or ipkg.

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

camper to planet

Premium Member

to planet
 
From this distance, you look to be OK.

Your private IPs are being assigned by the DHCP server on your router, and that is unlikely to go rogue.

planet
join:2001-11-05
Oz

planet to Selenia

Member

to Selenia
said by Selenia:

I believe you are safe. Those routers use the sh shell and DD-WRT was engineered from the stock firmware originally, even though it is way more advanced now. It still only uses sh unless you install bash either via optware or ipkg.

Thanks for that info. Feeling safer
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned) to BlitzenZeus

Member

to BlitzenZeus
Yep it happens. Makes one wonder just how much more like this is still out there.
Nanaki

Nanaki (banned) to Exodus

Member

to Exodus
I'd say Android is for sure. Though I bet some of the ROM makers out there are already patching it up.
Nanaki

Nanaki (banned) to daveinpoway

Member

to daveinpoway
Just what is it in linux that makes it any more secure than say windows?

It is not its open source nature and the millions of eyes on the code. That a 20 year old bug still exists shows that to be wrong. So what makes it more or less secure than any other OS?
Nanaki

Nanaki (banned) to NOYB

Member

to NOYB
Becoming? They have always been the evil empire. They just want everyone to think it was MS. Any company that would file lawsuits against the people who supply them with tech that their phone relies on like Apple has done is evil and stupid.

Selenia
Gentoo Convert
Premium Member
join:2006-09-22
Fort Smith, AR

Selenia to Nanaki

Premium Member

to Nanaki
Only some custom ROMs, rooted phones where bash was installed, or phones with a chrooted Linux install over the top. Android does not have bash installed by default.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned)

Member

Yeh. My Kindle is rooted, ROMed and customized in so many ways lol. I'm tempted to take the plunge and make a custom shell for it. No reason not to with me wanting to make a tablet from scratch that is made to be rugged and repairable. So may take the plunge and go for it.

Now as per rooted phones. There are exploits that allow a phone to be rooted remotely or mostly by remote like towel root and how you could 1 click root any phone before June 2013.

So I could see this being a threat
Use exploit to root
Use root to install vulnerable bash
Use that to do whatever the hell you want.
Now granted with root you could do mostly anything you wanted anyhow. But if the phone was later secured the vulnerable bash install might let an attacker regain control.

Selenia
Gentoo Convert
Premium Member
join:2006-09-22
Fort Smith, AR

Selenia

Premium Member

Still no exploit to do it remotely. In fact, towel root is not even a browser exploit. It uses info from the device to pass an apk to root it from what I read about it. The apk still needs to be explicitly installed. Every Android process essentially runs on top of the Android Java based VM as a different user, which essentially sandboxes them on the Linux side. The API on top is what gives permissions to apps and facilitates any communication, which has not much in common with standard Linux permissions enforcement. The only exception to this is root apps which require root in the first place. I can see this done via social engineering or a tainted pirated app, but not remotely. Unless one finds a major kernel exploit to allow the install. It would have to be one hell of a gaping exploit and have yet to see one like that. If one found one like that, why bother with bash as you can do more major damage with more minor holes without it? Come to think, even if you installed an apk by hacking a google account for the victim, you would still need to run that apk with root present to install it to the system as the standard install process would not change anything in /system
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned)

Member

Well we do know that these last couple flaws were around for a long time (20 years I think someone posted for this one). That's a damn long time for anything to go unseen so we know it can happen. As complex as any OS is the chances of there being a gaping hole is likely and not just possible. I would say chances are pretty damn good there is one almost to the point of it being certain. Now the real question is this.

Has anyone found it and not reported it and are just sitting on it for a rainy day?
BlitzenZeus
Burnt Out Cynic
Premium Member
join:2000-01-13

BlitzenZeus

Premium Member

Well Apple ignored Charlie Miller, and they were going to do nothing about it so he wrote a proof of concept instead of letting them bury it under nda. They had programs interacting with an elevated api, and his program exploited that elevated api which gave root to the iphone. The app passed the store, and when loaded on a phone was allowed to download further executable code that wasn't scrutinized that would exploit this api. At least Jobs was smart enough to embrace those like Miller since they were getting pwned in seconds at hacking competitions, proving security through obscurity is no security at all, but after Jobs was no longer in charge they stopped listening to Miller again. Back to burying their heads in the sand, and treating security like a public relations issue.

It's too easy to hide an exploit in closed source under nda, and as long as it's not exploited in the wild they might never bother fixing it. Sometimes these issues have been at the core of their programs, and that means the program couldn't just be patched.

I had a big problem with a software firewall company years ago, they were making quite a bloated pos, and I proved that their software didn't log all of the packets that it allowed and blocked even at the tcp/udp/icmp level, quite a necessary fundamental. They knew of the problems, and released it for sale. It wasn't until another major version far later, like a year later they started fixing the beta problems. They wanted to push it out for sales, but in the end they didn't last as it was out they pushed beta quality software as final just to have money coming in.

EGeezer
Premium Member
join:2002-08-04
Midwest

EGeezer to Link Logger

Premium Member

to Link Logger
Coincidentally, there was a PIN issued a couple of days ago for potential hacktivist activity from ISIL/ISIS/IS against public and private sector infrastructure.

This could be interesting ---

Selenia
Gentoo Convert
Premium Member
join:2006-09-22
Fort Smith, AR

Selenia to BlitzenZeus

Premium Member

to BlitzenZeus
Sounds like you refer to ZoneAlarm.

sbconslt
join:2009-07-28
Los Angeles, CA

sbconslt to Link Logger

Member

to Link Logger
Seeing a lot of chatter that most embedded linux devices (routers, tvs, etc) are not vulnerable because they package the busybox implementation of the shell for size efficiency rather than full fledged bash.

Selenia
Gentoo Convert
Premium Member
join:2006-09-22
Fort Smith, AR

Selenia

Premium Member

That is true, though many mods can provide bash, which can spell trouble in this case. I just had to patch 2 Androids and 3 embedded bash installs. 1 on a custom ROMed phone and 2 on a rooted Nexus chrooted with Debian (so had to do it on the Android and Debian side). Many custom firmwares for routers also have bash available.
BlitzenZeus
Burnt Out Cynic
Premium Member
join:2000-01-13

BlitzenZeus to Selenia

Premium Member

to Selenia
It was Kerio 4.x, but I was just giving an example of a company rushing out software for profit while ignoring obvious problems hoping people wouldn't notice. I've been using firewalls since before ZA was in development, and when software usually didn't give you a clear list or range of ports they use, reading the logs was the best way to figure it out, which is why it bothered me so much.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

2 edits

NetFixer to MaynardKrebs

Premium Member

to MaynardKrebs
said by MaynardKrebs:

My Centos server is patched.
I've been seeing stuff like this in the block logs since Sept 24th:

[apache server log excerpts]

My somewhat aged OpenSUSE server was not patched as quickly as some other distributions, but it was patched (and I probably have myself to blame for any delay, since I don't use automatic updating -- I prefer to manually allow those updates that I deem necessary).

I have been seeing shellshock probes in my apache logs for the past few days too -- mostly seemingly benign passive scans, and a few obvious attempts to compromise the server. But even before bash got patched, none of the attempts (even the ones that appeared to be actual attacks instead of passive probes) were able to accomplish anything. That was because it is a relatively secured and somewhat stripped down server with only the minimal functionality needed to support apache, pure-ftpd, and postfix/qpopper -- none of the "standard" *nix commands (about the only exception was the "ping scans") that were tried by the active shellshock probes were actually able to do anything; either because the commands simply were not available, or because the apache daemon privileges did not permit them to execute. And needless to say, my perimeter firewall does not allow any outside access to a shell environment. This leads me to think that while there may be (or may have been) a very large number of *nix hosts with the bash vulnerability, it is possible that any reasonably secured apache installation might hamper what is probably the most likely external attack vector, despite the underlying bash vulnerability.

What surprised me somewhat besides my aged OpenSUSE implementation being patched, was that the Comcast hosting service (actually siteprotect.com) that I use for the port scanning function in my »portscan.dcsenterprises.net site was also apparently patched quite early (or perhaps it was never vulnerable). I did not expect that at all -- kudos to the Comcast (and/or the SiteProtect) security folks for that.

EDIT: I was able to verify that the bash shell executable was replaced on Sept. 25, 2014 -- so that would indicate that they fixed the vulnerability at that time.
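
One way to pull the kind of shellshock probes described in the post above out of an Apache access log, added here as an example and not posted by anyone in the thread. It assumes the Apache "combined" log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

def _quoted(name):
    # A double-quoted log field; Apache backslash-escapes embedded quotes.
    return r'"(?P<%s>(?:[^"\\]|\\.)*)"' % name

# Apache "combined": host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] ' + _quoted("request")
    + r' (?P<status>\d{3}) \S+ ' + _quoted("referer") + ' ' + _quoted("agent")
)

# The Shellshock trigger is a value that opens a bash function definition: "() {"
FUNC_DEF_RE = re.compile(r'\(\s*\)\s*\{')

def find_probes(lines):
    """Return one record per client-controlled field carrying the trigger."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            # Unparseable line: still scan it whole rather than skip it.
            if FUNC_DEF_RE.search(unquote(line)):
                hits.append({"ip": None, "ts": None, "field": "raw", "status": None})
            continue
        for field in ("request", "referer", "agent"):
            # Decode %xx first so URL-encoded probes are not missed.
            if FUNC_DEF_RE.search(unquote(m.group(field))):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "field": field, "status": int(m.group("status"))})
    return hits

def probes_per_source(hits):
    """Count probe hits per source address."""
    return Counter(h["ip"] for h in hits)

# Constructed sample lines (documentation address ranges), not taken from the thread.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Sep/2014:03:12:44 -0500] "GET /cgi-bin/status HTTP/1.1" '
    '404 209 "-" "() { :;}; /bin/ping -c 1 192.0.2.10"',
    '203.0.113.5 - - [26/Sep/2014:04:01:09 -0500] "GET / HTTP/1.0" '
    '200 1532 "() { :; }; echo probe-marker" "-"',
    '192.0.2.44 - - [26/Sep/2014:05:30:00 -0500] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [27/Sep/2014:11:45:02 -0500] '
    '"GET /cgi-bin/test?x=%28%29%20%7B%20%3A%3B%7D%3B HTTP/1.1" 404 209 "-" "curl/7.30.0"',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

A hit only shows that a request carried the trigger string; the status code and whether the URL is actually handled by a bash-backed CGI decide whether it could have done anything.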

dfrandin
Premium Member
join:2002-06-14
Las Vegas, NV

dfrandin to Link Logger

Premium Member

to Link Logger
Am on Ubuntu 14.04, which has bash 4.3.11(1)-release, and I don't get the "vulnerable" text, just the final "this is a test"... Would I be correct in assuming that since I don't see the "vulnerable" text, that this version is fixed? I did notice a security update earlier today that updated bash... Just curious...
dfrandin

dfrandin to sbconslt

Premium Member

to sbconslt
I'm glad I'm running Tomato on my Linksys router rather than the stock Linksys f/w.. I expect Tomato to have a patch for this toot-sweet...
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned) to dfrandin

Member

to dfrandin
I tried it on my ROMed Kindle Fire and got no output, not sure where the typo was. Not too worried about it anyhow. If something happens I'll reflash the ROM and be done with it. I don't download directly to it and don't surf with it much. A little here at dslreports is about it. And not sure how in the wild this is anyways.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 edit

1 recommendation

NetFixer to dfrandin

Premium Member

to dfrandin
said by dfrandin:

I'm glad I'm running Tomato on my Linksys router rather than the stock Linksys f/w.. I expect Tomato to have a patch for this toot-sweet...

Are you sure that your Linksys router doesn't use BusyBox instead of bash in its factory firmware? I am pretty sure that the shell in my (now retired since it did not support IPv6) Linksys Business Class RV082 router was BusyBox. I am also pretty sure that the default shell for many (if not most) Tomato distributions is also BusyBox (although I think that bash can be optionally used for routers with enough flash memory).
Riamen
Premium Member
join:2002-11-04
Calgary

1 edit

1 recommendation

Riamen to Link Logger

Premium Member

to Link Logger
Apple has released a patch for bash on Mavericks, OS X 10.9.5.

»support.apple.com/kb/DL1 ··· le=en_US

Edit: And Lion and Mountain Lion, OS X 10.7 & 10.8

»support.apple.com/kb/DL1767
»support.apple.com/kb/DL1768

antdude
Matrix Ant
Premium Member
join:2001-03-25
US

antdude

Premium Member

said by Riamen:

Apple has released a patch for bash on Mavericks, OS X 10.9.5.

»support.apple.com/kb/DL1 ··· le=en_US

Edit: And Lion and Mountain Lion, OS X 10.7 & 10.8

»support.apple.com/kb/DL1767
»support.apple.com/kb/DL1768

Note that it is not through Apple's updater.

Selenia
Gentoo Convert
Premium Member
join:2006-09-22
Fort Smith, AR

Selenia to Link Logger

Premium Member

to Link Logger
I went on the edge and updated to Debian Sid. The bash there is patched, as well.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer to antdude

Premium Member

to antdude
said by antdude:

said by Riamen:

Apple has released a patch for bash on Mavericks, OS X 10.9.5.

»support.apple.com/kb/DL1 ··· le=en_US

Edit: And Lion and Mountain Lion, OS X 10.7 & 10.8

»support.apple.com/kb/DL1767
»support.apple.com/kb/DL1768

Note that it is not through Apple's updater.

Also note that it is 4-5 days later than almost every other vendor's patch release dates (regardless of how the patch is delivered). Apple seems determined to become the 21st Century version of 20th Century Microsoft on matters of security.
Shady Bimmer
Premium Member
join:2001-12-03

Shady Bimmer

Premium Member

said by NetFixer:

Also note that it is 4-5 days later than almost every other vendor's patch release dates (regardless of how the patch is delivered).

Not so sure that is even possible, since five days ago was when the first CVE was publicly published and there was no available fix immediately. Since then five more CVEs have been published and some of those fixes were not available before Friday.

Note that there are many incomplete fixes out there. Note also that most vendors are leveraging the upstream bash open source and were dependent upon those fixes being released. The most complete fixes were approved and released by the upstream on Friday. While releases today were not "fast", they really aren't terribly slow.

If anything, criticism should really go to the upstream open source maintainers that had private notice and details over a week before they became public and still did not have fixes available when they were disclosed last Wednesday. However I would not be so critical since properly addressing security issues is not easy.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer

Premium Member

Apple's patch release date appears to be Sept. 29.

My first patch from SuSE was dated Sept. 24, and the latest was dated Sept. 27, so that is only a two day difference (assuming that the Apple patches are at the same level).

The patch to the Comcast web hosting server that I use was dated Sept. 25, and it seems to be the same level as the SuSE patch dated Sept. 27.

So if the Apple patches are at the latest level, and are not just delayed releases of earlier patches (I don't currently have an Apple box to test the patch level on), I will agree to give them a bit of slack; but it does appear that you may have to go looking for them rather than getting them through a semi-automatic security update process, and that is not appropriate in my opinion for a company of Apple's capabilities.
Shady Bimmer
Premium Member
join:2001-12-03

Shady Bimmer

Premium Member

said by NetFixer:

The patch to the Comcast web hosting server that I use was dated Sept, 25, and it seems to be the same level as the SuSE patch dated Sept, 27.

Anything patched on the 25th (or 24th) is either not completely patched, or had directly obtained and locally applied the fixes from Florian Weimer (Red Hat). Florian's fixes are the only ones not vulnerable to even the latest CVEs published today (one of which is considered worse than the original), and the upstream did not accept Florian's fixes until Friday.

I will agree to give them a bit of slack; but it does appear that you may have to go looking for them rather than getting them through a semi-automatic security update process, and that is not appropriate in my opinion for a company of Apple's capabilities.

Yes, I agree these should be available via the automated updater (they still do not appear to be, at least not for 10.9.5). That omission does not seem all too responsible.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer

Premium Member

said by Shady Bimmer:

Anything patched on the 25th (or 24th) is either not completely patched, or had directly obtained and locally applied the fixes from Florian Weimer (Red Hat). Florian's fixes are the only ones not vulnerable to even the latest CVEs published today (one of which is considered worse than the original), and the upstream did not accept Florian's fixes until Friday.

I would not be surprised if Comcast did get their Sept 25th dated patch directly from the source for their business class web hosting service. Comcast does some things that I don't like, but for the past several years they seem to have taken security quite seriously.