Jump to content
TheUberOverLord

Bash Bug AKA Shellshock Make Sure Your IP Cameras Get Patch

Recommended Posts


I don't think Hikvision or Dahua products are vulnerable, as they use busybox.

 

That's only what I've read, I've not done any code analysis.

Share this post


Link to post
Share on other sites

CBX!

Agree.

However, the most likely vulnerability exists another kind.

I think this may be the CGI API, PSIA API, which is used and Dahua and Hikvision.

Share this post


Link to post
Share on other sites

One does not have to go back in history that far to know that Hikvision cameras were susceptible to the Heartbleed SSL vulnerability, so it's possible, but not common. Certainly not any more vulnerable than devices you use daily like smartphones, tablets, laptops.

Share this post


Link to post
Share on other sites

I get stuff echoed back on my Hikvision after enabling telnet. Good to know it's safe for now.

 

# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

stuff

 

This is for a SWNHD-820CAM with V5.1.0 build 131202.

 

 

"I’m a system admin – what can I do?

Firstly, discovering if you’re at risk is trivial as it’s such an easily reproducible risk. There’s a very simple test The Register suggests which is just running this command within your shell:

 

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

You get “busted” echo’d back out and you’ve successfully exploited the bug."

Share this post


Link to post
Share on other sites

QNAP NAS Front-Ends have fixes for Bash AKA Shellshock now:

 

http://forum.qnap.com/viewtopic.php?f=12&t=98167&sid=4c0f42e64b3a9887911370dedca360ee

 

http://forum.qnap.com/viewtopic.php?f=187&t=98188

 

http://forum.qnap.com/viewtopic.php?f=12&t=98031&sid=4c0f42e64b3a9887911370dedca360ee

 

HomeTroller Zee Front-End has fixes for Bash AKA Shellshock now:

 

http://board.homeseer.com/showpost.php?p=1139412&postcount=1

 

Synology Front-End has fixes for Bash AKA Shellshock now:

 

https://www.synology.com/en-global/support/security/bash_shellshock

 

Synology support forum: http://forum.synology.com/enu/index.php

 

Note: If you have added Optware/Entware installed on any of the above devices. You should use the support forums for those devices. Above. If you have Optware/Entware installed in your Router/AP as a custom add-on you should also go to the support forum for that Router/AP because both Optware/Entware do use "Bash" even if the Router/AP does not use "Bash" as its default shell and both Optware/Entware can be vulnerable to these "Bash" vulnerabilities. Depending on how you set them up and any custom scripts you may allow to access them remotely.

 

Netgear Front-Ends: ReadyNAS, ReadyDATA, ProSECURE UTM firewall and ProSAFE FVS318N have fixes for Bash AKA Shellshock now:

 

http://kb.netgear.com/app/answers/detail/a_id/25703

 

OpenVPN Issues to be aware of:

 

http://www.theregister.co.uk/2014/09/30/openvpn_open_to_shellshock_researcher/

 

VMware Issues to be aware of:

 

http://s1.securityweek.com/vmware-releases-software-updates-fix-shellshock-bug

 

Cisco/Oracle Issues to be aware of:

 

http://www.computerworld.in/news/cisco,-oracle-find-dozens-of-their-products-affected-by-shellshock

 

McAffee Products has fixes for Bash AKA Shellshock now:

 

https://kc.mcafee.com/corporate/index?page=content&id=SB10085#status

 

Symantec Products has fixes for Bash AKA Shellshock now:

 

http://www.symantec.com/outbreak/?id=shellshock

 

Avaya Products has fixes for Bash AKA Shellshock now:

 

https://support.avaya.com/helpcenter/getGenericDetails?detailId=C2014926131554370002

 

Kace Endpoint Systems Management Products has fixes for Bash AKA Shellshock now:

 

http://www.kace.com/support/resources/kb/solutiondetail?sol=133716

 

Riverbed Products has fixes for Bash AKA Shellshock now:

 

https://supportkb.riverbed.com/support/index?page=content&id=S24997

 

Untangle Products has fixes for Bash AKA Shellshock now:

 

https://support.untangle.com/hc/en-us/articles/203518036-What-is-ShellShock-Are-Untangle-products-vulnerable-

 

pfSense Products has fixes for Bash AKA Shellshock now:

 

https://www.pfsense.org/security/advisories/pfSense-SA-14_18.packages.asc

 

Additional Bash Flaws Show Weakness of Original Shellshock Patch now:

 

http://www.infosecurity-magazine.com/news/additional-bash-flaws-original/

 

Windows What to understand and know about Bash AKA Shellshock vulnerabilities:

 

http://grandstreamdreams.blogspot.com/2014/10/shellshockbash-bug-news-and-linkage.html

 

Bash AKA Shellshock vulnerability determined to have been present since at least 12/08/1991. Investigation continues on how far back it goes:

 

http://www.openwall.com/lists/oss-security/2014/10/04/2

 

Outstanding known not public vulnerabilities

 

I use a standard protocol when I encounter vulnerabilities with devices/software which I have used for many years when doing security research testing. I allow the Manufacturers/Vendors 30 days before I go public with my findings. Worse case I may give a 15 day extension if the Manufacturer/Vendor works with me, to help better prove they are actively working on a fix. Example:

 

http://www.kb.cert.org/vuls/id/265532

 

I am aware of three other embedded devices which include other Front-Ends and one IP Camera. Which while testing I found had exposure to the current "Bash" vulnerabilities and am waiting on responses from the Manufacturers/Vendors. Based on each Manufacturers/Vendors response will help me decide if I will create a formal CVE for the vulnerability. Which sometimes I don't do and work with the Manufacturer/Vendor privately. If they don't play games. If they do play games, then I do file a formal CVE as the above CVE example link shows. Foscam has never played any games with me other than the first time. Which is sometimes normal. Since then, I have worked privately with Foscam to fix many vulnerability issues I have found since. Personally, I would rather work privately then file a formal CVE.

 

I will add other Front-Ends and/or IP Cameras to this list as their Manufacturers/Vendors provide fixes that I locate and find here as well.

 

Don

Share this post


Link to post
Share on other sites

There are now Seven not Six any longer "Bash" AKA Shellshock vulnerabilities which have been located as of 10/04/2014 4:00 PM CTD time. More here:

 

https://shellshocker.net/

 

These are NEW items added to the list. Please also see the post above of other list items.

 

McAffee Products has fixes for Bash AKA Shellshock now:

 

https://kc.mcafee.com/corporate/index?page=content&id=SB10085#status

 

Symantec Products has fixes for Bash AKA Shellshock now:

 

http://www.symantec.com/outbreak/?id=shellshock

 

Avaya Products has fixes for Bash AKA Shellshock now:

 

https://support.avaya.com/helpcenter/getGenericDetails?detailId=C2014926131554370002

 

Kace Endpoint Systems Management Products has fixes for Bash AKA Shellshock now:

 

http://www.kace.com/support/resources/kb/solutiondetail?sol=133716

 

Riverbed Products has fixes for Bash AKA Shellshock now:

 

https://supportkb.riverbed.com/support/index?page=content&id=S24997

 

Untangle Products has fixes for Bash AKA Shellshock now:

 

https://support.untangle.com/hc/en-us/articles/203518036-What-is-ShellShock-Are-Untangle-products-vulnerable-

 

pfSense Products has fixes for Bash AKA Shellshock now:

 

https://www.pfsense.org/security/advisories/pfSense-SA-14_18.packages.asc

 

Additional Bash Flaws Show Weakness of Original Shellshock Patch now:

 

http://www.infosecurity-magazine.com/news/additional-bash-flaws-original/

 

Windows What to understand and know about Bash AKA Shellshock vulnerabilities:

 

http://grandstreamdreams.blogspot.com/2014/10/shellshockbash-bug-news-and-linkage.html

 

Bash AKA Shellshock vulnerabiltiy determined to have been present since at least 12/08/1991. Investigation contunues on how far back it goes:

 

http://www.openwall.com/lists/oss-security/2014/10/04/2

 

Don

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×