Shellshock BASH bug and RT-N66U

[RMerlin]

I've installed optware then bash on my ac68

when I substitute /opt/bin/bash into the proper place in the test command two lines are returned,
busted
stuff

or
vulnerable
this is a test

So, I guess I've got a problem?

Yes, the Optware (and Entware) versions of bash will need to be updated by the repository owners.

 

[xiphias]

I've installed optware then bash on my ac68

when I substitute /opt/bin/bash into the proper place in the test command two lines are returned,
busted
stuff

or
vulnerable
this is a test

So, I guess I've got a problem?

Run:

opkg update && opkg upgrade

 

[noric]

Run:

opkg update && opkg upgrade

Did they already fix the bug?

 

[xiphias]

Did they already fix the bug?

I could have sworn they had, but after looking again it looks like bash through opt/entware has not been patched. Sorry for the confusion - I've been patching lots of machines

 

[noric]

I've been patching lots of machines

Lol

BTW, let's wait for optware/entware update.

 

[RMerlin]

I've been patching lots of machines

I updated 103 VMs for a customer yesterday. Thank God for Xen + the yum command...

 

[cosmoxl]

just ran ipkg update and ipkg upgrade and indeed there is now an update for bash. excellent.

"Upgrading bash on /opt/ from 3.2.49-1 to 3.2.52-1..."

 

[L&LD]

just ran ipkg update and ipkg upgrade and indeed there is now an update for bash. excellent.

"Upgrading bash on /opt/ from 3.2.49-1 to 3.2.52-1..."

But does that latest version have the fix?

 

[cosmoxl]

But does that latest version have the fix?

you know what I get when I assume....? Yeah, the update just came out, because I checked yesterday, so I assumed it would fix this. But, I just tested and I still get

busted
stuff

great. :-/

 

[L&LD]

you know what I get when I assume....? Yeah, the update just came out, because I checked yesterday, so I assumed it would fix this. But, I just tested and I still get

busted
stuff

great. :-/

Glad I asked the question.

 

[Raffael_M]

OpenVPN

what about this post about "Shellshocking OpenVPN servers":

https://news.ycombinator.com/item?id=8385332

it says: "OpenVPN servers are vulnerable to Shellshock under certain configurations. OpenVPN has a number of configuration options that can call custom commands during different stages of the tunnel session. Many of these commands are called with environmental variables set, some of which can be controlled by the client. One option used for username+password authentication is "auth-user-pass-verify". If the called script uses a vulnerable shell, the client simply delivers the exploit and payload by setting the username. This attack vector is pre-auth."

does that mean using OpenVPN server with username+password auth on my RT-N66U is dangerous?

 

[RMerlin]

what about this post about "Shellshocking OpenVPN servers":

https://news.ycombinator.com/item?id=8385332

it says: "OpenVPN servers are vulnerable to Shellshock under certain configurations. OpenVPN has a number of configuration options that can call custom commands during different stages of the tunnel session. Many of these commands are called with environmental variables set, some of which can be controlled by the client. One option used for username+password authentication is "auth-user-pass-verify". If the called script uses a vulnerable shell, the client simply delivers the exploit and payload by setting the username. This attack vector is pre-auth."

does that mean using OpenVPN server with username+password auth on my RT-N66U is dangerous?

Re-read your own quote:

...If the called script uses a vulnerable shell...

So once again, with more feeling...

There is NO BASH in the firmware, therefore there is NO VULNERABILITY.

 

[noric]

Still no updates for entware/optware bash. Any clue why it's taking so long? I would have thought this to take only a few days.

 

[RMerlin]

Still no updates for entware/optware bash. Any clue why it's taking so long? I would have thought this to take only a few days.

Entware was fixed over two weeks ago when they upgraded to 4.3.30:

https://github.com/Entware/entware/commit/80ccf7f386b861cfba95389a4bf519f9588f0115

As for Optware, you will have to ask the maintainers of these repo directly. They are not associated with Asuswrt in any way, and they most likely aren't on these forums either. I'm not even sure if either Optware repo is still being maintained.

 

[noric]

Thanks Merlin, I'm going to update then.
Actually I'm only using entware. As you said, optware looks more and more abandoned.