• Home Support Forums Security Advisories Shop     English | French
Security Announcement
Announcement > SAP10044
"Shell Shock" - GNU Bash shell vulnerabile to command injection vulnerability that may allow remote code execution.
Publication ID: SAP10044
Resolved Status: Open
Published on: 25 September 2014 9:24 GMT
Last updated on: 6 October 2014 11:05 GMT

Overview

 

It has been found that GNU Bash 4.3 command shell, and earlier contains a command injection vulnerability that may allow remote code execution. Bash supports exporting of shell functions to other instances of bash using an environment variable. This environment variable is named by the function name and starts with a "() {" as the variable value in the function definition. When Bash reaches the end of the function definition, rather than ending execution it continues to process shell commands written after the end of the function. This vulnerability is especially critical because Bash is widespread on many types of devices (UNIX-like operating systems including Linux, BSD, and Mac OS X), and because many network services utilize Bash, causing the vulnerability to be network exploitable.

 

D-Link is currently investigating its product-lines and will continue to update information. 

 

As of September 24, 2014, D-Link consumer wired/wireless routers and wired/wirless network cameras do not utilize the Bash command shell.

 

 

References

 

CERT Vulnerability Report: VU#252743 -  http://www.kb.cert.org/vuls/id/252743

 

Other relavant articles recommended by CERT:

 

  https://access.redhat.com/node/1200223

  https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

  http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html

  https://blogs.akamai.com/2014/09/environment-bashing.html

 

Description

 

In order to maintain author's intent of the disclosure please read at: http://www.kb.cert.org/vuls/id/252743

 

 

Recommendation

 

Please update your device firmware if your product is referenced under affected products below. Continue to monitor this page until we have  completed our investigation and changed the status to closed.

 

We recommend all networks are proteced by a firewall or better security policy to mitigate a malicious remote user attacks

 

All devices on your network should have log-in credentials and WiFi encryptiion-keys enabled, if applicable. 

 

WiFi encryption reduces the risk to this vulnerabilty if the device Web-GUI is accessed over WiFi. If WiFi network was encrypted, the malicious user would also need to compromise the WiFi encryption.

 

Please be aware that "Shell Shock" creates largest risk for  Personal Computers and Servers that utilize the Bash command shell.  Please consult your manufacture or operating systems vendor for information and updates. If a computer becomes compromised, it maybe used to compromise networks without your authorization,  which puts all other network devices at risk.

 

D-Link Systems (D-Link US) reminds customers to configure their devices specifically to the for security concerns with in each network infrastructure. In General, D-Link Systems (D-Link US) recommends disabling services not being used, changing/securing device log-in credentials, enable WiFi encrytion, and evaluate all security risks for your network regularly.


 

Affected Product

 

None.  All D-Link Devices and Software have been cleared and are not affected by this vulnerability. All D-Link Services have been audited for the use of bash shell implementations. Based on the results of the audit we have applied appropriate updates, if required to close this potential vulnerability.  D-Link continues to monitor CERT incase of further issues are reported about the Bash Shell. (Edited: 10/06/2014 15:52 PST)