Shellshock update?

Hey WD!

What’s the story with a patch for the MyClouds? I poked around and noted that the MyCloud is using BusyBox v1.20.2 . 

in /bin, version command shows: GNU bash, version 4.2.0(1)-release (arm-unknown-linux-gnueabi)

~ # env x=’() { :;}; echo vulnerable’ bash -c “echo this is a test”
vulnerable
this is a test

Where’s my patch, yo?

1 Like

I second this…

As far as I understand this means that ALL WD My Cloud devices are currently wide open to hackers needing very little information and understanding to FULLY take control of the WHOLE device and ALL its contents.

If I am not mistaken this is as bad as it can get from a security point of view.

… so when are we to expect this update and what should we do in the meantime?

We had a bit of a debate about this on the EX2 side as well. 

http://community.wd.com/t5/WD-My-Cloud-EX2/BASH-or-ASH-Bad-News-Security-Bug/td-p/800561

Our conclusiopn is that since “BASH” is not the DEFAULT shell “ASH” is the default shell, then we aren not vulnerble to this bug.  Follow the thread for more info. 

Make no mistake, our copy of BASH should be patched, but it’s not super critical.

Further investigation reveals that since BASH is installed on our BusyBox machines, if someone has installed a script or Ipkg that calls on BASH we may in fact be vulnerable to the Shell Shock bug.  This places this back in the critical category, as I have no way of knowing why WD installed BASH in the first place.  So I guess I will need to remove remote access…

Forgive my lack of technical understanding here but am I not right that the first post actually shows the exploit being executed? and hence the technical explanations are a very distant secondary concern?

Its a problem if one of the various optional apps has been installed or if WD is calling on BASH for some executable they have installed by default.  (They havent said anything so we cant say for sure.) 

If WD has not installed anything by default that calls on BASH AND you havent installed any additional APPs that may call on BASH then your BusyBox based system is NOT vulnerable.

The test that was done in the first post was calling on the BASH shell specifically so of course it shows the box as being vulnerable.

Clear as mud huh?

I have the My Cloud single disk NAS product.  This is what I did.  First I did ssh login as root as user.

apt-get install --only-upgrade bash
sudo dpkg -i --force-overwrite /var/cache/apt/archives/bash_4.3-9.1_armhf.deb
apt-get install -f
env x=’() { :;}; echo vulnerable’ bash -c "echo this is a test

It was returning “vulnerable” before and now returns as patch.

~# env x=’() { :;}; echo vulnerable’ bash -c “echo this is a test”
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test

Tom Haney

1 Like

Thats good news Tom and thanks for the quick tutorial.  If WD will approve something like this for those of us using the EX series of drives it sure would be nice.  I just cant afford to risk my warranty by trying something like this without WD buying in.

Tom_Haney wrote:

I have the My Cloud single disk NAS product.  This is what I did.  First I did ssh login as root as user.

 

apt-get install --only-upgrade bash
sudo dpkg -i --force-overwrite /var/cache/apt/archives/bash_4.3-9.1_armhf.deb
apt-get install -f
env x=’() { :;}; echo vulnerable’ bash -c "echo this is a test

 

It was returning “vulnerable” before and now returns as patch.

 

~# env x=’() { :;}; echo vulnerable’ bash -c “echo this is a test”
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test

Tom Haney

Tom - The Linux and firmware used on the My Cloud is very different than the one used on EX2/EX4/Mirror. The experiences on that one often don’t apply to these products.

Vertech1 wrote:

Its a problem if one of the various optional apps has been installed or if WD is calling on BASH for some executable they have installed by default.  (They havent said anything so we cant say for sure.) 

 

If WD has not installed anything by default that calls on BASH AND you havent installed any additional APPs that may call on BASH then your BusyBox based system is NOT vulnerable.

 

The test that was done in the first post was calling on the BASH shell specifically so of course it shows the box as being vulnerable.

 

Clear as mud huh?

As far as I have seen, the apps that are pre-supplied with EX2/EX4 don’t have any reason to call bash. I cannot see any reason why these apps will have/may have scripts in them that will suddenly invoke bash shell. Almost always, apps will contain scripts that are self contained within the currently running shell and don’t have extra dependency of the presence of a bash shell. Yes, sometimes scripts do temporarily invoke another child process shell to get the results of something back (i.e. when in shell scripts you do the backtick shell invocation) - but that child shell is only running momentarily, not perpetually and is not available to any other process besides the script which is invoking it.

Tom_Haney wrote:

I have the My Cloud single disk NAS product.  This is what I did. 

What sources do you have in sources.list? 

I’m on bash 4.2.37 but apt-get outputs that I’m on the latest version of bash.

P.S: I also have a single disk nas.

my file is as follows:

/etc/apt# cat sources.list

deb http://ftp.us.debian.org/debian/ wheezy main
deb http://ftp.us.debian.org/debian/ jessie main
#deb http://ftp.us.debian.org/debian/ sid main
#deb http://ftp.us.debian.org/debian/ experimental main
#deb-src http://ftp.us.debian.org/debian/ wheezy main
#deb-src http://ftp.us.debian.org/debian/ jessie main

1 Like

joskevermeulen wrote:


Tom_Haney wrote:

I have the My Cloud single disk NAS product.  This is what I did. 


What sources do you have in sources.list? 

I’m on bash 4.2.37 but apt-get outputs that I’m on the latest version of bash.

 

P.S: I also have a single disk nas.

Please try not to discuss the My Cloud product in this EX4 forum - it’s firmware is different than the one for EX2/EX4 and unknowing users might think EX4 behaves the same way.

WD’s My Cloud family of personal cloud products is potentially susceptible to the BASH/ Shellshock vulnerability. WD’s default software configuration and typical deployment for My Cloud devices lowers the risk to this threat. WD takes this threat seriously and is working on a patch to address this issue.

1 Like

WD’s My Cloud family of personal cloud products is potentially susceptible to the BASH/ Shellshock vulnerability. WD’s >default software configuration and typical deployment for My Cloud devices lowers the risk to this threat. WD takes this >threat seriously and is working on a patch to address this issue.

Thanks Bill - the casual dismissals in this thread were really shaking my confidence in WD.  That said, we’re now 2 weeks in - any update?

wdmyclouduser wrote:

WD’s My Cloud family of personal cloud products is potentially susceptible to the BASH/ Shellshock vulnerability. WD’s >default software configuration and typical deployment for My Cloud devices lowers the risk to this threat. WD takes this >threat seriously and is working on a patch to address this issue.

 

Thanks Bill - the casual dismissals in this thread were really shaking my confidence in WD.  That said, we’re now 2 weeks in - any update?

Nothing specific.  But I do know that they’ll be rolling them out in the near future.  I think we’re in the midst of testing.  How that goes determines when.

Another 2 weeks… any news?

1 Like