Shellshock BASH bug and RT-N66U

I've installed optware then bash on my ac68

when I substitute /opt/bin/bash into the proper place in the test command two lines are returned,
busted
stuff

or
vulnerable
this is a test

So, I guess I've got a problem?

Yes, the Optware (and Entware) versions of bash will need to be updated by the repository owners.
 
Run:
Code:
opkg update && opkg upgrade
 
I've been patching lots of machines :eek:

I updated 103 VMs for a customer yesterday. Thank God for Xen + the yum command...
 
just ran ipkg update and ipkg upgrade and indeed there is now an update for bash. excellent. :)

"Upgrading bash on /opt/ from 3.2.49-1 to 3.2.52-1..."
 
But does that latest version have the fix?
 
you know what I get when I assume....? Yeah, the update just came out, because I checked yesterday, so I assumed it would fix this. But, I just tested and I still get

busted
stuff

great. :-/
 
Glad I asked the question. :D
 
OpenVPN

what about this post about "Shellshocking OpenVPN servers":

https://news.ycombinator.com/item?id=8385332

it says: "OpenVPN servers are vulnerable to Shellshock under certain configurations. OpenVPN has a number of configuration options that can call custom commands during different stages of the tunnel session. Many of these commands are called with environmental variables set, some of which can be controlled by the client. One option used for username+password authentication is "auth-user-pass-verify". If the called script uses a vulnerable shell, the client simply delivers the exploit and payload by setting the username. This attack vector is pre-auth."

does that mean using OpenVPN server with username+password auth on my RT-N66U is dangerous?
 
Re-read your own quote:

...If the called script uses a vulnerable shell...


So once again, with more feeling...

There is NO BASH in the firmware, therefore there is NO VULNERABILITY.
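
The condition quoted in the reply above (whether the called script uses a vulnerable shell) can be checked per hook. The following is an added example, not part of the thread or of Asuswrt: it lists each script hook in an OpenVPN config together with the interpreter its "#!" line resolves to. The function names and verdict labels are made up for the example, and the config path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the thread): report which interpreter runs each
# script hook named in an OpenVPN config file.
# Limits: reads only the "#!" line, so a script that calls bash internally
# is not detected; script paths containing spaces are not handled.

# Config directives that make OpenVPN execute an external command.
HOOKS='up down ipchange route-up route-pre-down tls-verify auth-user-pass-verify client-connect client-disconnect learn-address'

# Print the interpreter from a script's "#!" line, with symlinks resolved
# so that a /bin/sh pointing at bash is reported as bash.
interpreter_of() {
    first=$(head -n 1 "$1" 2>/dev/null) || first=
    case $first in
        '#!'*) ;;
        *) echo unknown; return 0 ;;
    esac
    set -- ${first#\#!}               # split "#!/usr/bin/env bash" into words
    if [ "${1##*/}" = env ]; then shift; fi   # look past an env wrapper
    if [ -z "$1" ]; then echo unknown; return 0; fi
    path=$(command -v "$1" 2>/dev/null) || path=$1
    readlink -f "$path" 2>/dev/null || echo "$path"
}

# Print one line per hook: directive, script, interpreter, verdict.
audit_hooks() {
    # Drop comments and quotes; word 1 is the directive, word 2 the script.
    sed -e 's/[#;].*//' -e 's/["'\'']//g' "$1" |
    while read -r directive script _rest; do
        case " $HOOKS " in
            *" $directive "*) ;;
            *) continue ;;
        esac
        interp=$(interpreter_of "$script")
        case ${interp##*/} in
            bash*)   verdict=CHECK-BASH ;;   # confirm this bash build is patched
            unknown) verdict=REVIEW ;;       # missing script or no "#!" line
            *)       verdict=no-bash ;;
        esac
        echo "$directive $script $interp $verdict"
    done
}

# Stand-alone use: sh audit.sh <path to the OpenVPN config>
if [ $# -gt 0 ]; then audit_hooks "$1"; fi
```

A hook whose interpreter resolves to a BusyBox shell is reported as no-bash; a CHECK-BASH line means the bash package behind that path still has to be confirmed as patched.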
 
Still no updates for entware/optware bash. Any clue why it's taking so long? I would have thought this to take only a few days.
 
Entware was fixed over two weeks ago when they upgraded to 4.3.30:

https://github.com/Entware/entware/commit/80ccf7f386b861cfba95389a4bf519f9588f0115

As for Optware, you will have to ask the maintainers of these repos directly. They are not associated with Asuswrt in any way, and they most likely aren't on these forums either. I'm not even sure if either Optware repo is still being maintained.
 
Thanks Merlin, I'm going to update then.
Actually I'm only using entware. As you said, optware looks more and more abandoned.
 
