Remote vulnerability bash package

bug description:

i try test my WDcloud (firmware v04.00.01-623):

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

 and my result:


this is a test"

Do you have any idea how to fix the vulnerability, without breaking the cloud system?

WD’s My Cloud family of personal cloud products is potentially susceptible to the BASH/ Shellshock vulnerability. WD’s default software configuration and typical deployment for My Cloud devices lowers the risk to this threat. WD takes this threat seriously and is working on a patch to address this issue.


Today I fixed the last vulnerability in bash (CVE-2014-7186 (redir_stack bug)):

# apt-get update
# apt-get install --only-upgrade bash

Get:1 jessie/main bash armhf 4.3-11 [1099 kB]

Check version:

# bash --version

 GNU bash, version 4.3.30(1)-release (arm-unknown-linux-gnueabihf)

Check vulnerable script:

# curl | bash

CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian’s patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on not vulnerable