1

Topic: Shellshock and NIONs

As many people know, the NION series of products all use Linux on the host processor that provides the background management for the DSP's in the system. You may have heard something about the ShellShock vulnerability that existed in the BASH shell of Linux.

To be extremely clear: This vulnerability does exist in all NIONs with firmware 1.7.1 and earlier.

It has been fixed in all newer versions.

If you are using a NION with an older version of firmware and you would like to patch your system against this vulnerability, please download the attached file: NION_ShellShock_Patch.zip, unzip it, and follow the instructions in the ReadMe file for details on how to update your NION to remove the vulnerability. It is easy to do since it is just like updating the firmware in the NION.

Please post any questions or concerns about this subject in this thread.

Post's attachments

Attachment icon NION_ShellShock_Patch.zip 495.51 kb, 923 downloads since 2014-10-14 

Josh Millward
Burnt Orange Studios

2

Re: Shellshock and NIONs

Once the system has been patched is there a way to tell that it has? Is there any reference to it in the web interface indicating the system has the patch?

3

Re: Shellshock and NIONs

Hi Eric,

No, there is no way other than to test it.

Also, when you change firmware versions in the NIONs you will need to patch it again. So if you are running a lot of systems I would encourage patching them all now, then updating directly to 1.7.2 when it is available and never going back.

If you update the firmware in the NION to any version older than 1.7.2, you will always need to patch that version again.

Thanks!
Josh

Josh Millward
Burnt Orange Studios

4

Re: Shellshock and NIONs

Hi Josh,

Many NION systems remain unconnected to the Internet, so could you please help prioritise the most vulnerable installations so we can communicate this to our customers - many of whom are not very computer-literate.

Also, could you suggest appropriate references to pass on? I've quickly found these:
http://www.forbes.com/sites/jameslyne/2 … leed-3-0b/
http://www.digitaltrends.com/computing/ … inux-os-x/
http://www.zdnet.com/shellshock-how-to- … 000034072/
http://www.pcworld.com/article/2825032/ … loits.html

Thanks.

"The single biggest problem in communication is the illusion that it has taken place."
                                                                                        - George Bernard Shaw

5

Re: Shellshock and NIONs

That is a good point, Phil.

If you are using NIONs that are not connected to the Internet in any way, or are on a closed or private network, then none of this really means anything for you.

However, if you are running the NIONs connected to your enterprise network where you can ping them and pull up the web interfaces remotely, then it may be a good idea to make sure you have patched them.

I have been using the following string to test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you copy that command and paste it into the command prompt of a NION, the output will tell you if it is vulnerable or not. An appropriately patched system will return the message as shown in the image below. A system which is vulnerable will show the word "vulnerable" on the line above "this is a test".

Post's attachments

Attachment icon ShellShock_Patched.jpg 27.78 kb, 580 downloads since 2014-10-17 

Josh Millward
Burnt Orange Studios

6

Re: Shellshock and NIONs

JoshM wrote:

Hi Eric,

No, there is no way other than to test it.

Also, when you change firmware versions in the NIONs you will need to patch it again. So if you are running a lot of systems I would encourage patching them all now, then updating directly to 1.7.2 when it is available and never going back.

If you update the firmware in the NION to any version older than 1.7.2, you will always need to patch that version again.

Thanks!
Josh

Update!!!
Apparently this is all wrong.

I have been doing some additional testing today and it appears that once it is patched, it is patched.

I would absolutely recommend testing your NION to determine if it needs to be patched, but it looks like once you have patched it, doing a firmware update will not undo the patch.

I have a NION here which was running NWare 1.7.1. I applied the patch to it. Then I changed the firmware to 1.6.1f and tested it again. It passed the vulnerability testing.

Regardless, this update will be rolled into 1.7.2 when it comes out so you can either patch it up now, or wait for 1.7.2 to come.

Josh Millward
Burnt Orange Studios