back to article Bash bug flung against NAS boxes

Hackers are attempting to exploit the BASH remote code injection vulnerability against Network Attached Storage (NAS) systems. Miscreants are actively exploiting the time-to-patch window in targeting embedded devices, security firm FireEye warns. We have evidence that attackers are actively exploiting the time-to-patch window …

  1. Destroy All Monsters Silver badge
    Trollface

    QNAP again?

    install an ELF backdoor

    Clearly these are TROLLs.

    1. Anonymous Coward
      Anonymous Coward

      Re: QNAP again?

      Mmmm, won't stop the Microsoft crowd from sCOFFing though.

      1. Anonymous Coward
        Anonymous Coward

        Re: QNAP again?

        Shame you can't get the ~ $200 Window Storage Server license on it's own. That would be a much more secure option for NAS with x86 type CPUs:

        http://www.high-rely.com/hr_66/windows-storage-server-2012-licensing/

  2. Khaptain Silver badge

    Synology users Ok

    Just had a quick check, My Synology box is running Busybox with 'ash' shell so glad not to be amongst the shell shocked hit list of potential targets...

    1. Steven Raith

      Re: Synology users Ok

      Not strictly true - it does use bash, but only internally and for non-public (AKA user accessible) stuff so it's still worth patching (When they release it) in case a seperate vulnerability exposes bash subsequently.

      So it's not a priority (there aren't any known exploitation vectors at this time) but you want to keep tabs on the updates.

      https://www.synology.com/en-global/support/security/bash_shellshock

      Steven R

      1. John Tserkezis

        Re: Synology users Ok

        "Not strictly true - it does use bash, but only internally and for non-public (AKA user accessible) stuff so it's still worth patching (When they release it) in case a seperate vulnerability exposes bash subsequently."

        A fix for this came through a couple of days ago.

        1. Steven Raith

          Re: Synology users Ok

          I thought that was the case, but I'm running 5.1 Beta so I'm not sure how that's affected. It's only accessible via a VPN (like the rest of my kit) so I'm not overly concerned at this stage.

          Steven R

      2. david 12 Silver badge

        Re: Synology users Ok

        --Which also points to the limitations of using the well-known test script to test your shell vulnerability.

        The shell you test may not be vulnerable, but the other users and other services my be using some other shell.

  3. Anonymous Coward
    Anonymous Coward

    Miscreants?

    I imagine security services the world over are trying it on. If not, why not? It's a golden opportunity to get into targets' systems.

    1. Random Handle

      Re: Miscreants?

      >If not, why not?

      They may as well have a bash?

  4. Anonymous Coward
    Anonymous Coward

    Not exposed ..

    Ah, the value of modding things. I have a non-standard port running an SSH tunnel with a certificate and the rest of the incoming ports are shut. I still have vewwy quiet logfiles :)

    1. Anonymous Coward
      Anonymous Coward

      Re: Not exposed ..

      I just put mine behind firewalls and if I need remote access, I have SSL VPN that I can use with two-factor authentication.

    2. shiftee

      Re: Not exposed ..

      One might almost say too quiet...

      1. Anonymous Coward
        Anonymous Coward

        Re: It's fascinating.

        Whenever I get worried about security vulnerabilities I just come into the comment section where the fact that one or two anonymous posters claim to be safe sets my mind to rest.

        Relief!

        1. itzman

          Re: It's fascinating.

          I get terribly worried and then go into it enough to understand it, and find I wasn't after all in any danger.

  5. petur
    Boffin

    Firmware with patch was released on Saturday

    QNAP released a fix on Saturday (4.1.1 build 0927) which fixes to 2 most urgent ones, and a Qfix is coming up that fixes the rest. There will even be a fix for the stone-age TS-109/209/409 models.

    There was a global notification on their forum, a mail to all user contacts they have, and the NAS itself should tell you when you log into the admin interface.

    1. petur

      Re: Firmware with patch was released on Saturday

      The hotfix for the remaining shellshock vulnerabilities just landed:

      http://download.qnap.com/Storage/Qfix/Qfix_Bash_update_1.0_20141001_x86_ARM.zip

      More info:

      http://forum.qnap.com/viewtopic.php?f=5&t=98188

  6. Eugene Crosser

    Miscreants will be hard pressed to find bash on embedded systems

    - they usually run busybox(/ash) or some other "lesser" shell.

    "Real" servers, and especially hosted VMs that boot from pre-built system images are probably more lucrative.

    1. Voland's right hand Silver badge

      Re: Miscreants will be hard pressed to find bash on embedded systems

      Not necessarily. QNAP is not the only system to deploy a (badly) embedded fat linux distro. IIRC some dlink boxes do it too.There are others.

      To add insult to injury the ones that embed a "fatter" distro are the ones where you are likely to find something clueless like using bash in a web ui.

  7. Sarev

    Routers

    I'm waiting for them to target (ADSL) routers - but I suppose the majority use ash rather than bash so that'll hopefully mitigate it.

    1. pierce

      Re: Routers

      most of the router firmware I've seen uses busybox's built in minimal shell.

      # ash --version

      BusyBox v1.14.4 (2010-06-27 20:11:16 PDT) built-in shell (ash)

      Enter 'help' for a list of built-in commands.

      # sh --version

      BusyBox v1.14.4 (2010-06-27 20:11:16 PDT) built-in shell (ash)

      Enter 'help' for a list of built-in commands.

  8. Anonymous Coward
    Anonymous Coward

    She shells C shells on the WAN side.

    That is all

    1. Shannon Jacobs

      What about Huawei shells?

      Mostly I'm tracking this topic to find out if any of my Huawei devices is vulnerable. Not a peep yet, nor any warning on the Huawei website (on the last check).

      1. Anonymous Coward
        Anonymous Coward

        Re: What about Huawei shells?

        What huawei devices do you have? I know some of their devices are vulnerable as we've tested, and others are ok. They make a lot of product lines and identifying which is which would start a witchhunt against me so you are going to have to get you or your techies to do your own legwork.

    2. Irongut

      Re: She shells C shells on the WAN side.

      She sells Bash shells on the C shore.

      Better I think.

      1. Anonymous Coward
        Anonymous Coward

        Re: She shells C shells on the WAN side.

        "She sells Bash shells on the C shore.

        Better I think."

        More modern, definitely.

        And more modern is always more better, isn't it.

  9. Anonymous Coward
    Anonymous Coward

    Smoke, yes, but is there a fire?

    I don't want to belittle this issue, but a lot of reports from security firms have spoken about "actively exploiting" but what does that mean? Is it that they have seen network traffic or honeypot attacks, or that the attacks have succeeded? It still seems to me that while the potential for shellshock to be severe is great, the actual typical implementations of how bash is used reduces that potential significantly.

    Definitely not belittling the issue, but it would be interesting to see info on successful attacks rather than traffic attempts, and interesting to see data from relatively dispassionate security researchers rather than companies with magic bullets to flog.

    1. itzman

      Re: Smoke, yes, but is there a fire?

      Plenty of attempts to find something in cgi-bin that produces a result here on my public server, but there isn't anything in cgi-bin.

      and the default shell is dash, not bash. So even though my debian is beyond upgrade, I am not concerned

  10. Destroy All Monsters Silver badge
    Trollface

    Hmmm.....

    That pretty cool black-and-white background photo with the otherworldly death screen is revealed to be a shopped version of a photo by Rodrigo Basaure.

    I suppose this is all on the level?

  11. David Gosnell

    QNAP

    My QNAP TS-212P was quickly patched, though there is word of a third vulnerability which the patch doesn't cover, so for the time being it's not accessible to the outside world. I note there's a "Qfix" dated yesterday that might well sort out the rest ... will investigate.

  12. Anonymous Coward
    Anonymous Coward

    Heard of a firewall?

    Who on earth has their NAS exposed to the internet?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like