<div dir="ltr">This requires access to the shell interpreter (in this case bash). So, an exploiter would already need local execution privileges on the target machine, which looks like it is being accomplished through Apache mod_cgi in known exploits.<div><br></div><div>OpenWRT-based firmwares use uhttpd and luci for CGI apps, so the ash/busybox binary presumably (?) wouldn't be involved.<div><br></div><div>Definitely run security updates on any Ubuntu/Debian/Red Hat/OS X boxen, though.</div><div><br></div><div><a href="http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html" target="_blank">http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html</a><br></div><div><br></div><div>Ubuntu:</div><div><a href="http://www.ubuntu.com/usn/usn-2362-1/" target="_blank">http://www.ubuntu.com/usn/usn-2362-1/</a><br></div><div><br></div><div>Debian:</div><div><a href="https://lists.debian.org/debian-security-announce/2014/msg00220.html" target="_blank">https://lists.debian.org/debian-security-announce/2014/msg00220.html</a><br></div><div><a href="https://lists.debian.org/debian-security-announce/2014/msg00221.html">https://lists.debian.org/debian-security-announce/2014/msg00221.html</a><br></div><div><br></div><div>Red Hat:</div><div><a href="https://access.redhat.com/announcements/1210053" target="_blank">https://access.redhat.com/announcements/1210053</a><br></div><div><a href="https://access.redhat.com/articles/1200223" target="_blank">https://access.redhat.com/articles/1200223</a><br></div><div><br></div><div>OS X (must recompile bash):</div><div><a href="http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7" target="_blank">http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7</a><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 25, 2014 at 9:53 AM, Dan
Staples <span dir="ltr">&lt;<a href="mailto:danstaples@opentechinstitute.org" target="_blank">danstaples@opentechinstitute.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">The news about the Shell Shock/Bash bug[1] has gotten pretty big now.<br>
There's also a lot of rhetoric about this being a bigger deal than the<br>
Heartbleed vulnerability. I am wondering if it's worth putting up a<br>
quick blog post on the Commotion website that the router firmware is<br>
*not* vulnerable (since OpenWRT comes with the ash shell by default<br>
rather than bash).<br>
<br>
Thoughts?<br>
<br>
Dan<br>
<br>
[1] <a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271" target="_blank">https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271</a><br>
<span><font color="#888888"><br>
--<br>
Dan Staples<br>
<br>
Open Technology Institute<br>
<a href="https://commotionwireless.net" target="_blank">https://commotionwireless.net</a><br>
OpenPGP key: <a href="http://disman.tl/pgp.asc" target="_blank">http://disman.tl/pgp.asc</a><br>
Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9<br>
_______________________________________________<br>
Commotion-dev mailing list<br>
<a href="mailto:Commotion-dev@lists.chambana.net" target="_blank">Commotion-dev@lists.chambana.net</a><br>
<a href="https://lists.chambana.net/mailman/listinfo/commotion-dev" target="_blank">https://lists.chambana.net/mailman/listinfo/commotion-dev</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br>Ben West<div><a href="http://gowasabi.net" target="_blank">http://gowasabi.net</a><br><a href="mailto:ben@gowasabi.net" target="_blank">ben@gowasabi.net</a><br>314-246-9434<br></div>
</div></div>
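<div>The thread turns on whether bash actually sits behind the CGI handler. The script below is an added example, not part of this thread or of Commotion/OpenWRT code: it lists the scripts in a CGI directory whose interpreter resolves to bash, following symlinks so that "#!/bin/sh" counts where sh is a link to bash. The function names are hypothetical and the directory to scan is supplied by the user.</div>

```shell
#!/bin/sh
# Added example, not from the thread. Usage: sh thisfile /path/to/cgi-bin
# Prints "<class><TAB><file>" where class is bash, other or none.

# Print the interpreter named on FILE's "#!" line (env's argument if env is used).
shebang_interp() {
    first=
    IFS= read -r first 2>/dev/null < "$1" || [ -n "$first" ] || return 0
    case $first in '#!'*) ;; *) return 0 ;; esac
    # Split "#! /path arg" into words without glob expansion.
    set -f; set -- ${first#??}; set +f
    case ${1-} in
        */env) printf '%s\n' "${2-}" ;;
        *)     printf '%s\n' "${1-}" ;;
    esac
}

# Print bash, other or none for FILE.
classify_cgi() {
    interp=$(shebang_interp "$1")
    [ -n "$interp" ] || { echo none; return 0; }
    case $interp in
        /*) path=$interp ;;
        # Bare name (from env): look it up on PATH, keep the name if not found.
        *)  path=$(command -v "$interp" 2>/dev/null) || path=$interp ;;
    esac
    # Follow symlinks: /bin/sh may be bash, dash or busybox depending on the system.
    target=$(readlink -f "$path" 2>/dev/null) || target=$path
    case ${target##*/} in bash) echo bash ;; *) echo other ;; esac
}

# Classify every regular file directly inside DIR.
audit_cgi_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(classify_cgi "$f")" "$f"
    done
}

if [ $# -gt 0 ]; then
    audit_cgi_dir "$1"
fi
```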