Spark (or actually telecom) provided routers vulnerable to Shellshock?

Forums › Spark New Zealand (including Skinny and BigPipe) › Spark (or actually telecom) provided routers vulnerable to Shellshock?

jacwlg

43 posts

Geek
+1 received by user: 8

#153472 27-Sep-2014 22:24

I have a ONT and a router provided by telecom for my fibre connection, are they vulnerable to the Shellshock bug?

I couldn't find any information on Spark's website.

wasabi2k

2102 posts

Uber Geek
+1 received by user: 860

#1142883 28-Sep-2014 09:28

Are either actually accessible to the internet?

You need a process that is internet accessible (apache etc) for it to actually be an issue externally.

jacwlg

43 posts

Geek
+1 received by user: 8

#1142884 28-Sep-2014 09:32

wasabi2k: Are either actually accessible to the internet?

You need a process that is internet accessible (apache etc) for it to actually be an issue externally.

i don't run web servers or anything but I do run things like BitTorrent and have configured port forwarding on the router, does that matter?

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1142885 28-Sep-2014 09:42

He's asking if those processes run on the modem/router itself.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

jacwlg

43 posts

Geek
+1 received by user: 8

#1142887 28-Sep-2014 09:46

freitasm: He's asking if those processes run on the modem/router itself.

thanks.

No, the BT client runs on a Windows machine, the router only does port forwarding.

eXDee

4033 posts

Uber Geek
+1 received by user: 1070

Trusted

#1142926 28-Sep-2014 12:35

My Guess: Probably not. Most embedded devices in the modem/router category don't tend to run full bash, they tend to run busybox due to its small footprint.
Of course there are exceptions to this, which is why this bug is a problem even for embedded devices.

If you can get a telnet or ssh session open, use bash --version or echo $BASH_VERSION to see if you have it

raytaylor

4076 posts

Uber Geek
+1 received by user: 1296

Trusted

#1143005 28-Sep-2014 16:11

I'd be more worried about the dynalink routers that a certain ~4th largest ISP in the country was sending out to customers for about 5 years with admin/admin credentials and the port 80 web admin accessible on the WAN interface, with the DSL username and password in plaintext on the ppp settings page sourcecode.

Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here

Samsung

Shop now on Samsung phones, tablets, TVs and more (affiliate link).

hio77

'That VDSL Cat'
13036 posts

Uber Geek
+1 received by user: 3896

ID Verified

Trusted

Lizard Networks

Subscriber

#1143006 28-Sep-2014 16:13

raytaylor: I'd be more worried about the dynalink routers that a certain ~4th largest ISP in the country was sending out to customers for about 5 years with admin/admin credentials and the port 80 web admin accessible on the WAN interface, with the DSL username and password in plaintext on the ppp settings page sourcecode.

dlinks were bad for this too :/

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

jacwlg

43 posts

Geek
+1 received by user: 8

#1143174 28-Sep-2014 22:07

eXDee: My Guess: Probably not. Most embedded devices in the modem/router category don't tend to run full bash, they tend to run busybox due to its small footprint.
Of course there are exceptions to this, which is why this bug is a problem even for embedded devices.

If you can get a telnet or ssh session open, use bash --version or echo $BASH_VERSION to see if you have it

thanks for he information.

I didn't have luck getting telnet or ssh to work, I can get a telnet session but the user/password from the web interface doesn't work for telnet, ssh doesn't even connect.