BASH or ASH? - Bad News Security Bug

What is the default shell for the BusyBox distro we are running on our EX2s and EX4s? As you may have heard, BASH has been identified as having a severe security bug.

http://www.theverge.com/2014/9/24/6840697/worse-than-heartbleed-todays-bash-bug-could-be-breaking-security-for

**EDIT**

I just took a peek at the EX2 source files and I see BASH 4.2 is included. I have to assume this means our box is vulnerable to the security bug.

**EDIT 2**

“ASH” is the default shell and is not affected by the security flaw in BASH. BASH is included as an optional shell only.

However, further investigation reveals that since BASH is installed on our BusyBox machines, if someone has installed a script or Ipkg that calls on BASH, we may in fact be vulnerable to the Shellshock bug. This places this back in the critical category, as I have no way of knowing why WD installed BASH in the first place. So I guess I will need to remove remote access…

I thought Busybox WAS the shell.

BusyBox is the distribution, like Red Hat, or Debian, or Ubuntu. BusyBox is a variation of Linux geared towards embedded systems because of its small size. All of the aforementioned distributions have their own shells. Most are using BASH; however, Debian defaults to DASH. You can also have more than one type or variant of shell as well. (just to add confusion…)

Just in case, I have temporarily disabled remote access (Settings -> Remote Access -> Remote Access -> Disabled) on my device until we know more about this vulnerability.

The more I read the worse this looks.  WD could weigh in anytime now…

The reason I would consider busybox to be the shell is because if you do ls -l /bin/sh it should show you what the shell being used is and in this case it shows:
lrwxrwxrwx    1 root     root             7 Aug 12 04:57 /bin/sh -> busybox

I was well aware of other Linux distros, but I believe WD does not use an off-the-shelf Linux distro, at least for this firmware line (they do use Debian, if I am not mistaken, for their My Cloud). From what I have seen, they build their own custom Linux distro and use BusyBox as their shell.

BusyBox is definitely the Linux variant being used by WD. If you look at the source files used to compile this version of BusyBox you will see that BASH is clearly included. That doesn't mean it is the default shell, there could be another, but BusyBox is not a shell, it is the OS.

I see the results of the ls command same as you, but I say again, BusyBox is not a shell, it is a Linux OS. Have a look at http://busybox.net. The following is from the busybox.net site:

BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system.

BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

BusyBox is maintained by Denys Vlasenko, and licensed under the GNU GENERAL PUBLIC LICENSE version 2.

Ok - according to Wikipedia, BusyBox is using the ASH shell, though the link cited as info source is no longer available. So it must be ASH then. (wiki citation: http://en.wikipedia.org/wiki/BusyBox#cite_note-16 )

Not to keep harping on this, but if you go to the /etc directory on your EX2 and have a peek at the shells file contained there you will see the following:

/bin/bash2
/bin/bash
/bin/sh

Then notice in the /bin directory the symlinked bash file. Never found the bash2 file though…

But I am sure this is a custom compiled Linux - WD takes the Linux kernel source code and compiles it with the BusyBox code.

There is a lot of source code included in WD’s firmware source code, and that is to provide that functionality. If you type bash from the command prompt on the EX2, you enter the bash shell temporarily (until you exit the bash shell). And the only reason you find the bash source code is because it is included on our EX2 as an optional available shell, and under the GNU license WD is required to supply its source code.

BUT if you go to the wiki for the ASH shell ( http://en.wikipedia.org/wiki/Almquist_shell ) you will see this line at the end of the opening section at the top:
“Ash is also fairly popular in embedded Linux systems; its code was incorporated into the BusyBox catch-all executable often employed in this area.”

Vertech1 wrote:

Not to keep harping on this, but if you go to the /etc directory on your EX2 and have a peek at the shells file contained there you will see the following:


/bin/bash2
/bin/bash
/bin/sh


Then notice in the /bin directory the symlinked bash file. Never found the bash2 file though…

Most Unix/Linux systems provide multiple optional but available shells; some may prefer one over another. When I used to use AIX at work, I would often switch to BASH as I like it and am familiar with it.

Whew! I now believe that ASH is the DEFAULT shell for the EX2. I was able to confirm this by simply opening an SSH connection to the drive, then invoking the “bash” shell; while in the bash shell I then invoked the “ash” shell and VOILA! I was taken back to the default prompt. So it appears that they did set the ASH shell as the default and, as Cybernut1 said, they included BASH as an optional shell. As long as the default shell is not BASH we should be fine.

Well, that’s one test. But the definitive test (and perhaps I hadn’t clarified before why I did ls -l /bin/sh) is to list the running processes using ps -ef and then see what the shell is. For the EX2, it shows -sh, which is /bin/sh (since /bin is in the system’s path variable it is not needed to specify that), and then all you need to see is what /bin/sh is really using, and that’s why I did the ls -l /bin/sh, which told me it was BusyBox, which according to Wiki uses ASH.

And the reason I am sure that WD compiles their own custom Linux is because when you run uname -a, you get:

Linux WDMyCloudEX2 3.2.40 #1 Mon May 26 10:05:09 CST 2014 armv7l GNU/Linux

“Linux WDMyCloudEX2” tells me it’s their own compiled Linux, taking the Linux kernel and stacking it with the BusyBox shell (amongst other optional shells).

Yes, you are correct Cybernut1. And to complete my mea culpa, this is from the busybox.net site as well:

Busybox is a package that replaces a dozen standard packages, but it is not by itself a complete bootable system. Building an entire Linux distribution from source is a bit beyond the scope of this FAQ, but it understandably keeps cropping up on the mailing list, so here are some pointers.

I don’t know what My Cloud EX2 is, but I signed up just to inform that I have WD “My Book Live” and it is vulnerable.

MyBookLive:~# bash --version
GNU bash, version 3.2.39(1)-release (powerpc-unknown-linux-gnu)
Copyright (C) 2007 Free Software Foundation, Inc.
MyBookLive:~# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
busted
stuff

I hope someone in WD team is taking note of this and patching this soon.
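The probe vakharia posted above (a function definition in an environment variable followed by a trailing command) and the inventory questions raised earlier in the thread (what /bin/sh resolves to, which interpreters /etc/shells lists, which installed scripts invoke bash) fit together as a small defender-side audit script. This is an added example, not code from the thread or from WD; it assumes only a POSIX shell with env, find, head and readlink (all present in BusyBox), and the script directories and /etc/shells entries it is pointed at are the operator's own. The verdict string "busted" is the marker from the posted probe.

```shell
#!/bin/sh
# Added example: audit which shells a BusyBox box actually runs and
# whether any of them executes the trailing command of a function
# definition passed through the environment (the Shellshock class of
# bug, CVE-2014-6271). Runs under busybox ash as well as bash.

# Show what /bin/sh really is (on the EX2 this is the busybox binary).
resolve_sh() {
    readlink -f "${1:-/bin/sh}" 2>/dev/null || ls -l "${1:-/bin/sh}"
}

# Turn a probe's captured output into a verdict. A patched shell imports
# the function without running the trailing "echo busted", so only the
# marker text decides the result.
classify_probe_output() {
    case "$1" in
        *busted*) echo vulnerable ;;
        *)        echo not-vulnerable ;;
    esac
}

# Probe one interpreter with the exact test from the thread. Prints
# "missing" when the path is not an executable, so a listing that names
# interpreters that were never shipped (like /bin/bash2) is handled.
probe_shell() {
    shell="$1"
    [ -x "$shell" ] || { echo missing; return; }
    out=$(env X="() { :;} ; echo busted" "$shell" -c "echo stuff" 2>&1)
    classify_probe_output "$out"
}

# Probe every interpreter listed in an /etc/shells-style file, one
# "<path> <verdict>" line each; blank lines and comments are skipped.
probe_listed_shells() {
    while read -r shell; do
        case "$shell" in ''|'#'*) continue ;; esac
        echo "$shell $(probe_shell "$shell")"
    done < "$1"
}

# List scripts under a directory whose shebang invokes bash. These are
# the scripts that route through bash even when ash is the login shell,
# which is the residual exposure the thread worries about.
find_bash_scripts() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null)
        case "$first" in
            "#!"*bash*) echo "$f" ;;
        esac
    done
}

# Typical run on the device (paths are the operator's choice):
#   resolve_sh
#   probe_listed_shells /etc/shells
#   find_bash_scripts /opt; find_bash_scripts /shares
```

If `probe_listed_shells` reports any interpreter as vulnerable, or `find_bash_scripts` turns up scripts under a web-reachable or cron-driven path, the box is exposed regardless of what the login shell is; until a vendor patch lands, the mitigations already discussed in the thread (disable remote access, remove or avoid the optional bash) are the practical response.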

Since I started this mess, I feel compelled to ask: are you certain that BASH is your DEFAULT shell? I can get the exact same response by querying the BASH shell that you did, but BASH is NOT the default shell on the EX2.

vakharia - This is the sub-forum for My Cloud EX2 product. You should create a post in the sub-forum for My Book Live, where others who own one as well will be reading. EX2 users are not affected by this security issue.

I also just noticed that, had I read the text you receive when logging in to the EX2, it says:

BusyBox v1.20.2 (2014-02-10 11:35:24 CST) built-in shell (ash)
Enter ‘help’ for a list of built-in commands.

~ #

End of discussion. 

Further investigation reveals that since BASH is installed on our BusyBox machines, if someone has installed a script or Ipkg that calls on BASH, we may in fact be vulnerable to the Shellshock bug. This places this back in the critical category, as I have no way of knowing why WD installed BASH in the first place. So I guess I will need to remove remote access…