BASH or ASH? - Bad News Security Bug

I went ahead and opened a ticket with WD support to see what they have to say about this. 

Unless someone’s custom script specifically invokes bash, bash won’t start. But as I am sure you know, that is not considered an in-warranty usage of the device. If someone does write such a script, it is not something WD provides support for. So I do not think a fix for this can be or should be expected from WD at this point, given the extremely small number of people affected for using an out-of-warranty usage of the product. I personally think it is a non-issue for EX2 users, because one can get all the scripts one can possibly need to run using the BusyBox shell.

So in your opinion NONE of the apps that WD has made available for the EX2 or EX4 will ever invoke BASH when installed through the normal Add App Menu Item?  I personally don't think you can make that statement without going through each and every app with a fine-tooth comb.  I hope that it is true, but WD needs to put the final word out on this.  The other way you could test this would be to rename or remove BASH and test by installing all of the Apps one at a time and verify they are functional.  Oops, that will void your warranty…

Vertech1 wrote:

What is the default shell for the busybox distro we are running on our EX2’s and EX4’s.  As you may have heard BASH has been identified as having a severe security bug.

http://www.theverge.com/2014/9/24/6840697/worse-than-heartbleed-todays-bash-bug-could-be-breaking-security-for

**EDIT**

I just took a peek at the EX2 source files and I see BASH 4.2 is included.  I have to assume this means our box is vulnerable to the security bug.

**EDIT 2**

“ASH” is the default shell and is not affected by the security flaw in BASH.  BASH is included as an optional shell only.

However, further investigation reveals that since BASH is installed on our BusyBox machines, if someone has installed a script or Ipkg that calls on BASH we may in fact be vulnerable to the Shell Shock bug.  This places this back in the critical category, as I have no way of knowing why WD installed BASH in the first place.  So I guess I will need to remove remote access…

Hi,

We have passed this along to support

Vertech1 wrote:

So in your opinion NONE of the apps that WD has made available for the EX2 or EX4 will ever invoke BASH when installed through the normal Add App Menu Item?  I personally don't think you can make that statement without going through each and every app with a fine-tooth comb.  I hope that it is true, but WD needs to put the final word out on this.  The other way you could test this would be to rename or remove BASH and test by installing all of the Apps one at a time and verify they are functional.  Oops, that will void your warranty…

Not trying to make this personal, but yes, that is my opinion. I agree - I cannot say that with 100% certainty as I cannot go through every line of script involved - but that is an unusually odd way to design an app installer: to invoke a child shell AND not just that but to keep the child shell perpetually running, when the app will be running in a different shell (because PHP and other processes are not available to the child shell and so the app needs to run in the main shell). It makes no sense. As far as I know, I may be the only EX2 user who is running a modded shell daemon on the EX2…and also recently installed the latest Joomla (version 3.3.3). So I do have some experience in modding my EX2 and with the EX2’s internals.

I am not trying to attack you personally and I apologize if I came across that way - all I am saying is this is much ado about nothing :slight_smile: But fine, let WD engineering weigh in, now that this has been sent up the WD chain.

I still have an issue with BASH being on the box if it is not being called by something.  If it is not needed then WD should simply say so and we can all delete it and move on.  I suspect it’s not that simple; again, I hope I’m wrong, but I don't like to take chances with my data.

Given the nature of this vulnerability WD should weigh in and end the speculation.  Hopefully this being sent to support will help that along. 

Vertech1 wrote:

I still have an issue with BASH being on the box if it is not being called by something. 

I disagree. This is quite common in Unix/Linux systems. Very often additional shells are provided for convenience, and it is not necessarily implied that they are used. Really the simplest way to test all this is to install every single bundled app and then check to see if any one in the list of processes is bash - otherwise bash has not been invoked.

Vertech1 wrote:

 Given the nature of this vulnerability WD should weigh in and end the speculation.  Hopefully this being sent to support will help that along. 

I agree. BTW, thought I’d mention one small thing - the BusyBox shell we have does not allow ipkg installs.

Most importantly, AFAIK the vulnerability is ONLY possible if the shell allows unauthorized users to execute commands. Given how locked down the shell on the EX2 is, that isn’t even an issue. And the CGI scripts that are used on the dashboard’s functions are limited to the admin user - even if the dashboard cloud access is enabled. These are just my thoughts. But yes, let’s see what WD support has to say about this.

If you do not know for certain there is no vulnerability, then it is irresponsible to say there isn't.  Period.  WD needs to let us know.  Also, to leave a known security risk unpatched is just as irresponsible.

From what I have seen, and this includes looking at my other BusyBox-based systems, other vendors are not always providing an optional shell.  They only provide ASH compiled within BusyBox.  Regardless, WD needs to be the final authority, and to provide a false sense of security by publishing statements that there is no need for concern is wrong.

I’m not trying to say that the sky is falling, I’m just saying that there is a definite possibility that we are vulnerable and we need answers.  In the subject of my very first post I acknowledge the possibility that we could be using ASH instead of BASH for the default shell.  I did say that this is critical, and I stand by that statement.  Hopefully WD will look at this and say that we have no need for concern and just patch or remove BASH.  I do not claim to be a security expert, I do claim to have been in the business since 1980 and I have been surprised enough that I never say never.  If there is a vulnerable file on my system, I want it corrected.
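For anyone who wants to settle the argument above on their own box rather than by opinion, here is an added read-only audit script. It is not from this thread or from WD; it is written in POSIX sh so it runs under the BusyBox ash shell the posters describe, and it covers the three points in dispute: what /bin/sh actually is, whether any script or running process uses bash, and whether the installed bash reacts to the well-known harmless Shellshock marker. The /bin/bash path and the sample script files are assumptions.

```shell
#!/bin/sh
# Added audit example (not WD code). Read-only: it changes nothing on the device.

# Which binary does /bin/sh resolve to? On BusyBox systems this is ash, not bash.
default_shell() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# Flag scripts under DIR that either have a bash shebang or run bash as a command.
# Only files whose first line or body names bash are listed; plain ash scripts are not.
find_bash_scripts() {
    find "$1" -type f -exec grep -lE \
        '^#!.*bash|(^|[[:space:];|&(])bash([[:space:]]|$)' {} + 2>/dev/null
    return 0
}

# PIDs of processes currently running bash, read from /proc rather than ps,
# because BusyBox ps column layout varies between builds.
running_bash() {
    for p in /proc/[0-9]*; do
        [ -r "$p/comm" ] && [ "$(cat "$p/comm" 2>/dev/null)" = "bash" ] && echo "${p#/proc/}"
    done
    return 0
}

# Self-test the installed bash: a Shellshock-affected bash executes the trailing
# "echo marker" from the environment variable; a patched bash ignores it.
# Prints vulnerable, patched, or missing (no bash binary at that path).
shellshock_check() {
    bash_bin=${1:-/bin/bash}
    [ -x "$bash_bin" ] || { echo missing; return 0; }
    out=$(x='() { :;}; echo marker' "$bash_bin" -c 'true' 2>/dev/null)
    case $out in
        *marker*) echo vulnerable ;;
        *)        echo patched ;;
    esac
}

# Constructed sample tree (not real EX2 app files) showing what the scan flags.
demo_scan() {
    d=$(mktemp -d)
    printf '#!/bin/bash\necho hi\n' > "$d/uses_bash_shebang.sh"
    printf '#!/bin/sh\nbash ./helper.sh\n' > "$d/calls_bash.sh"
    printf '#!/bin/sh\necho plain ash script\n' > "$d/plain.sh"
    find_bash_scripts "$d"
    rm -rf "$d"
}

echo "default /bin/sh -> $(default_shell)"
echo "installed bash: $(shellshock_check /bin/bash)"
echo "running bash PIDs: $(running_bash | tr '\n' ' ')"
echo "sample scan flags:"; demo_scan
```

Point `find_bash_scripts` at the directory where the Add App installer places its scripts to check the claim that no bundled app invokes bash.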

WD’s My Cloud family of personal cloud products is potentially susceptible to the BASH/ Shellshock vulnerability. WD’s default software configuration and typical deployment for My Cloud devices lowers the risk to this threat. WD takes this threat seriously and is working on a patch to address this issue.

For anyone interested, the Linux included in the EX2 is a Linaro for ARM distro.