QNAP again?
install an ELF backdoor
Clearly these are TROLLs.
Hackers are attempting to exploit the BASH remote code injection vulnerability against Network Attached Storage (NAS) systems. Miscreants are actively exploiting the time-to-patch window in targeting embedded devices, security firm FireEye warns. We have evidence that attackers are actively exploiting the time-to-patch window …
Not strictly true - it does use bash, but only internally and for non-public (AKA user accessible) stuff so it's still worth patching (when they release it) in case a separate vulnerability exposes bash subsequently.
So it's not a priority (there aren't any known exploitation vectors at this time) but you want to keep tabs on the updates.
https://www.synology.com/en-global/support/security/bash_shellshock
Steven R
"Not strictly true - it does use bash, but only internally and for non-public (AKA user accessible) stuff so it's still worth patching (When they release it) in case a seperate vulnerability exposes bash subsequently."
A fix for this came through a couple of days ago.
QNAP released a fix on Saturday (4.1.1 build 0927) which fixes the 2 most urgent ones, and a Qfix is coming up that fixes the rest. There will even be a fix for the stone-age TS-109/209/409 models.
There was a global notification on their forum, a mail to all user contacts they have, and the NAS itself should tell you when you log into the admin interface.
Not necessarily. QNAP is not the only system to deploy a (badly) embedded fat Linux distro. IIRC some D-Link boxes do it too. There are others.
To add insult to injury the ones that embed a "fatter" distro are the ones where you are likely to find something clueless like using bash in a web ui.
Most of the router firmware I've seen uses BusyBox's built-in minimal shell.
# ash --version
BusyBox v1.14.4 (2010-06-27 20:11:16 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# sh --version
BusyBox v1.14.4 (2010-06-27 20:11:16 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.
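The check in the comment above can be scripted so that `sh` turning out to be BusyBox ash is not mistaken for "no bash on this device". This is an added example, not part of the thread; the list of candidate paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report which shell each common
# shell path really runs on a NAS or router.

# classify_banner TEXT: map --version output to a shell family.
classify_banner() {
    case "$1" in
        *BusyBox*"(ash)"*)  echo "busybox-ash" ;;
        *BusyBox*"(hush)"*) echo "busybox-hush" ;;
        *"GNU bash"*)       echo "bash" ;;
        *)                  echo "unknown" ;;
    esac
}

# shell_kind PATH: run PATH --version with stdin closed (some BusyBox
# builds print the banner and then start a shell) and classify it.
# The original path is executed, not the symlink target, because
# BusyBox selects the applet from argv[0].
shell_kind() {
    banner=$("$1" --version 2>&1 </dev/null | head -n 2)
    classify_banner "$banner"
}

# audit_shells [PATH...]: one line per existing shell, then a verdict.
# The default path list is an assumption; add your firmware's locations.
audit_shells() {
    [ "$#" -gt 0 ] || set -- /bin/sh /bin/ash /bin/bash /usr/bin/bash
    found_bash=no
    for p in "$@"; do
        [ -x "$p" ] || continue
        real=$(readlink -f "$p" 2>/dev/null) || real=$p
        kind=$(shell_kind "$p")
        echo "$p -> $real : $kind"
        [ "$kind" = bash ] && found_bash=yes
    done
    if [ "$found_bash" = yes ]; then
        echo "bash present: track the vendor's firmware fix"
    else
        echo "no bash found at the checked paths"
    fi
}

audit_shells
```

A result of `busybox-ash` for `/bin/sh` only describes that path; a separate `/bin/bash` line in the output means bash is still installed and the firmware update still applies.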
What Huawei devices do you have? I know some of their devices are vulnerable as we've tested, and others are ok. They make a lot of product lines and identifying which is which would start a witch-hunt against me so you are going to have to get you or your techies to do your own legwork.
I don't want to belittle this issue, but a lot of reports from security firms have spoken about "actively exploiting" but what does that mean? Is it that they have seen network traffic or honeypot attacks, or that the attacks have succeeded? It still seems to me that while the potential for shellshock to be severe is great, the actual typical implementations of how bash is used reduce that potential significantly.
Definitely not belittling the issue, but it would be interesting to see info on successful attacks rather than traffic attempts, and interesting to see data from relatively dispassionate security researchers rather than companies with magic bullets to flog.
That pretty cool black-and-white background photo with the otherworldly death screen is revealed to be a shopped version of a photo by Rodrigo Basaure.
I suppose this is all on the level?