
Is Tonido vulnerable to Shellshock?

Posted: Fri Sep 26, 2014 9:11 am
by zarmanto
I know that the TonidoPlug is an embedded Linux device, and likely is vulnerable to Shellshock... but is Tonido vulnerable on other platforms as well?

Reference: Concern over Bash vulnerability grows as exploit reported “in the wild”

Re: Is Tonido vulnerable to Shellshock?

Posted: Fri Sep 26, 2014 9:41 am
by madhan
No.. it's not vulnerable.

Re: Is Tonido vulnerable to Shellshock?

Posted: Fri Oct 03, 2014 3:50 pm
by englebrp
Being somewhat late in finding out about the bash shellshock problem, I began looking for a way to test whether or not my systems and my Tonido plugs were susceptible to this particular problem. I searched the web and found several different sites that talked about shellshock and how to test the systems. I then came to the Tonido Forum and found the entries in this thread. I tested my plug devices and they fail tests, indicating that they are vulnerable.

The first test failed, indicating vulnerability: bash shellshock test
https://securityblog.redhat.com/2014/09 ... on-attack/
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this echoed both "vulnerable" and "this is a test"

https://en.wikipedia.org/wiki/Shellshock_(software_bug)
The second test also failed: A system patched for both CVE-2014-6271 and CVE-2014-7169 will simply echo the word "date" and the file "echo" will not be created.
X='() { (a)=>\' bash -c "echo date"
cat echo
The file "echo" was created in the local directory.

I could continue and run more tests, but many will also indicate a vulnerability to the shellshock problem.

It appears that the Tonido Plug IS VULNERABLE to the shellshock problem. So, the question is: When will this problem be addressed and fixed?

THANKS for a place to have a discussion.
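
The two checks from the post above, wrapped so that they run in a scratch directory and leave no stray "echo" file behind. This is an added example, not part of the original post; the function name check_shellshock and the availability of mktemp on the device are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): run both Shellshock self-checks locally.
# check_shellshock [BASH_PATH] prints one status line per CVE and returns
# 0 if both checks pass, 1 if either fails, 2 if the shell cannot be run.
# Assumes mktemp is available (GNU coreutils or BusyBox).
check_shellshock() {
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || { echo "error: $shell not found"; return 2; }

    # The second check can create a file named "echo" in the current directory,
    # so work inside a scratch directory and delete it afterwards.
    scratch=$(mktemp -d) || return 2
    vuln=0

    # CVE-2014-6271: a vulnerable bash executes the command that trails the
    # function definition imported from the environment variable x.
    out=$(cd "$scratch" && env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>/dev/null)
    case $out in
        *vulnerable*) echo "CVE-2014-6271: VULNERABLE"; vuln=1 ;;
        *)            echo "CVE-2014-6271: not vulnerable" ;;
    esac

    # CVE-2014-7169: a vulnerable bash treats "echo" as a redirection target
    # and runs "date" into it; a patched bash just prints the word "date".
    (cd "$scratch" && env X='() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1)
    if [ -e "$scratch/echo" ]; then
        echo "CVE-2014-7169: VULNERABLE"; vuln=1
    else
        echo "CVE-2014-7169: not vulnerable"
    fi

    rm -rf "$scratch"
    return $vuln
}
```

Source the file and call `check_shellshock` (or `check_shellshock /bin/bash` to test a specific binary); the return code makes it usable from a patch-verification script.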

Re: Is Tonido vulnerable to Shellshock?

Posted: Fri Oct 10, 2014 10:55 am
by madhan
TonidoPlug, since it runs the older version of bash, is vulnerable to shellshock, but again, unless you have multi-user accounts and other CGI-BIN access set up from a webserver, it is not exploitable.


Tonido Desktop on other platforms is not vulnerable.