Is Tonido vulnerable to Shellshock?

Support for Tonido on the Desktop including Windows/Mac/Linux

Post by zarmanto » Fri Sep 26, 2014 9:11 am

I know that the TonidoPlug is an embedded Linux device, and likely is vulnerable to Shellshock... but is Tonido vulnerable on other platforms as well?

Reference: Concern over Bash vulnerability grows as exploit reported “in the wild”


Re: Is Tonido vulnerable to Shellshock?

Post by madhan » Fri Sep 26, 2014 9:41 am

No, it's not vulnerable.


Re: Is Tonido vulnerable to Shellshock?

Post by englebrp » Fri Oct 03, 2014 3:50 pm

Being somewhat late in finding out about the bash Shellshock problem, I began looking for a way to test whether or not my systems and my Tonido plugs were susceptible to this particular problem. I searched the web and found several different sites that talked about Shellshock and how to test the systems. I then came to the Tonido Forum and found the entries in this thread. I tested my plug devices and they fail tests, indicating that they are vulnerable.

The first test failed, indicating vulnerability: bash shellshock test
https://securityblog.redhat.com/2014/09 ... on-attack/
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
This echoed both "vulnerable" and "this is a test".

https://en.wikipedia.org/wiki/Shellshock_(software_bug)
The second test also failed: A system patched for both CVE-2014-6271 and CVE-2014-7169 will simply echo the word "date" and the file "echo" will not be created.
X='() { (a)=>\' bash -c "echo date"
cat echo
The file "echo" was created in the local directory.

I could continue and run more tests, but many will also indicate a vulnerability to the shellshock problem.

It appears that the Tonido Plug IS VULNERABLE to the shellshock problem. So, the question is: When will this problem be addressed and fixed?

THANKS for a place to have a discussion.


Re: Is Tonido vulnerable to Shellshock?

Post by madhan » Fri Oct 10, 2014 10:55 am

TonidoPlug, since it runs the older version of bash, is vulnerable to Shellshock, but again, unless you have multi-user accounts and other CGI-BIN access set up from a webserver, it is not exploitable.


Tonido Desktop on other platforms is not vulnerable.
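
The two checks quoted earlier in this thread, wrapped as an added example (not part of the original posts and not Tonido's code). The hypothetical helper check_shellshock runs both tests against a chosen bash binary inside a scratch directory, so the CVE-2014-7169 test cannot leave a file named "echo" in your working directory, and reports each CVE separately.

```shell
#!/bin/sh
# Added example: local Shellshock check built from the two tests in this thread.
# check_shellshock is a hypothetical helper name, not a Tonido or bash tool.
# Usage: check_shellshock [path-to-bash]
# Returns 0 = neither test triggered, 1 = at least one triggered, 2 = could not run.

check_shellshock() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "error: $bash_bin not found"
        return 2
    fi

    # Scratch directory: the second test creates a file named "echo"
    # in the current directory when the shell is vulnerable.
    workdir=$(mktemp -d) || return 2
    vuln=0

    # Test 1 (CVE-2014-6271): a vulnerable bash executes the command that
    # trails the function definition while importing the variable.
    out=$(cd "$workdir" && env x='() { :;}; echo vulnerable' \
          "$bash_bin" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo "CVE-2014-6271: VULNERABLE"; vuln=1 ;;
        *)            echo "CVE-2014-6271: not vulnerable" ;;
    esac

    # Test 2 (CVE-2014-7169): a vulnerable bash writes the output of
    # "date" to a file named "echo" instead of printing the word "date".
    (cd "$workdir" && env X='() { (a)=>\' \
        "$bash_bin" -c 'echo date' >/dev/null 2>&1) || true
    if [ -e "$workdir/echo" ]; then
        echo "CVE-2014-7169: VULNERABLE"; vuln=1
    else
        echo "CVE-2014-7169: not vulnerable"
    fi

    rm -rf "$workdir"
    return "$vuln"
}
```

Run it as `check_shellshock /bin/bash` on each device and act on the return code. A clean result on these two tests covers only the two CVEs named in the thread.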

