So a major security problem is out there with Bash variables... Cloud services are patching and rebooting EVERYTHING tonight. *ix is vulnerable.. IS MT? does the web interface execute bash?

http://gadgets.ndtv.com/laptops/news/ba ... rts-597572

Can I get some karma?

+1 to the question.

It would seem RoS is not vuln, but would like *official* word from 'Tik.

Very interested here as well.
Lots of patching going on...

As RouterOS does NOT use bash, no patching is required from our side.

As RouterOS does NOT use bash, no patching is required from our side.

This is also true for older versions? 2.9.x, etc.

@krisjanis
So, you're saying that BASH doesn't exit in any form, visible or not, accessible to the user or not on RouterOS?

What do you use for a shell for underlying work and control? [ROS is obviously a *nix variant, and underneath it almost certainly has some kind of shell - so it's a little hard to take such a blanket dismissal.]

+1 for gsloop's remarks.

We could do with some more detail - does bash exist at all on any version?

What do you use for a shell for underlying work and control? [ROS is obviously a *nix variant, and underneath it almost certainly has some kind of shell - so it's a little hard to take such a blanket dismissal.]

Embedded systems (and ROS is an embedded system) usually use BusyBox, which does contain Bourne shell compatible shell implementation, which, as far as I know, has no relation to bash. Another popular alternative to bash is zsh. BSD systems have their own implementation of Bourne shell compatible shells. Also there are lots of different popular types of shell exists on Unix-like systems (ksh, csh, tcsh just to name a few). So while bash is the most widely used shell nowadays due to being the default shell on a vast majority of Linux distros, it is far from being the best nor the only available option.

@ andriys

Sure it could be CShell or anything else. But a "*it could be*" isn't an answer.

I need a definitive answer. Is BASH on ROS in any form, even if it's not accessible or visible to the user?
There have been lots of answers from lots of people saying... "Oh, our product X, it isn't vulnerable because blah, blah, blah."
But then come to find out, it IS vulnerable - with a little poking and prodding and a tweak here and there.

So, if ROS has BASH anywhere on it, we should be notified and IMO, I'll be pretty skeptical about claims ROS is immune, at least until it's patched adequately.

As long as I'm at it, Mikrotik seriously needs a security announce mailing list. One shouldn't have to troll the forum to find out about security announcements/patches etc.

-Greg

ash shell.

@ andriys

Sure it could be CShell or anything else. But a "*it could be*" isn't an answer.

Any Mikrotik package contains custom SquashFS image, prefixed with a header of 4K bytes. I was not able to mount or extract any of these images using standard squashfs tools, but it's still possible to extract and examine the contents of Mikrotik images using a recent version of 7-Zip.

RouterOS does contain shell- the ash shell from BusyBox package. It also contains /bin/bash, but it is just a symlink to ash, not a real bash binary.

@andriys

Thanks, I think.

Lets assume you're right. That's all nice, I suppose.

However, should it be this hard to get a definitive answer from Mikrotik? I could probably disassemble the machine code and make sure BASH isn't in there too, but can anyone imagine having to do that with any responsible vendor, simply to get an answer about one of the biggest vulnerabilities in *nix in years?

It doesn't seem too much to ask, to expect a vendor to do more than just give the barest minimum of information; to refuse to follow-up on the discussion and fill in the gaps; but instead, say nothing, and rely on an informal community response for a definitive response!?!? [To a potential vulnerability that got a CVE risk score of 10, no less!.]

Giving, essentially, a terse "NO!" answer to questions about the shellshock/BASH vulnerability seems both rude and irresponsible to me. Compare this ['Tik's discussion or lack thereof] to the discussion about it at UBNT, and the very robust discussion about it there even though they're quite sure they are not vulnerable.

Given a choice between the two ways of dealing with customers, I can certainly tell you which product I'm likely to recommend and use, and it's not the terse/hostile vendor.

-Greg

However, should it be this hard to get a definitive answer from Mikrotik?

There was a definitive answer from Mikrotik - see the 4th message in this thread above. krisjanis clearly said that "RouterOS does NOT use bash". You were wondering what kind of Unix shell is in use in RouterOS, and I kindly did a little research for you. I really do not understand what this noise is all about.

There were questions about different versions, about whether BASH was simply not user-accessible, but still in the underlying system etc.

Perhaps you're perfectly fine with inadequate information, simply trusting that the blanket statement given covers all possibilities, but I'm not. You're welcome to paint those of us who want more detail, as loonies who are swooning about it needlessly, but when a *security* device is involved, and the risk is so comprehensive and total, then some additional details seem more than reasonable to expect.

-Greg

Hmmm, I'm curious as to what information you are digging for beyond "No bash". Seems like a problem that isn't a problem if bash isn't there. I think you are diminishing your karma by flogging a dead horse, publicly. Maybe you wanted a statement from the CEO? A guarantee? Not going to get it for the price point that they sell RouterOS for. If you are that worried about security, you shouldn't be putting a piece of software from a foreign country in your network and you should compile all OS's from the available source after doing a through diff to the source trees.

@avantwireless

If you are that worried about security, you shouldn't be putting a piece of software from a foreign country in your network

You know, you're right. That's why I'm moving my installed base over to Ubiquiti's Edge Router. [How about that?]

And, for the same or better price-point, I do get answers to questions like this from them. So, your bombast that "it couldn't possibly be affordable to give detailed answers..." seems a bit off target. I posted the same question on their forum and the difference in response is pretty stark. [To be honest, one would hope that devices from foreign countries shouldn't worry one that much - one would hope that the integrity of the company would be enough...]

And Karma? That's fine - it's meant to burn. If asking for substantial clarification burns karma, so be it. You're not going to shame me into conformance.

But unfortunately, I still have some Mikrotik devices out there, and on several different versions - so the level of detail we've gotten here is, IMO, still inadequate.

It's funny how when one asks for better, the usual response here is: [given in a huffy manner] "If you don't like the abuse we give, then too effen bad. Don't let the door hit you in the backside on your way out!" Sheesh.

HAND
-Greg

Please note that UBNT s/w is developed in the same country as MT

As I said, one would hope the integrity of the company would suffice.

All that said - Debian and Vyatta don't appear to be developed primarily in Latvia. [Never mind that UBNT [as I understand it] forked Vyatta and while the base is Vyatta, there are modifications of their own.]

Got some sources?

Sources of code or sources of development location? For development location look at the ubiquiti forums and who responds to development questions


https://www.linkedin.com/in/edmundasbajorinas Lithiania

I'm not going to get into an argument about this - but having a single developer, vs the entire company seem, to me at least, to not be at all equivalent. Not even remotely.

I guess each person will have to make their own call. I just know my calculus is vastly different than what you're implying.
[Frankly, given how out of control the US Government is, in terms of spying-overreach, one might even make the case that development on the US mainland vs somewhere with less government interference would be better. (But, IMO, Latvia would be far worse by those criteria.)]

-Greg

I guess I should have mentioned that I used to work for Ubiquiti... Yes the majority of their software development was done in Lithuania, not one person. I cannot say if that is true today, but I cannot see a reason that they would have migrated it to the US when the team over there was a great bunch. As is the MT crowd. You are the one that doesn't trust MT but has no problem trusting UBNT. But one is a private company and one is a public company. As such the images they project usually are vastly different. But this isn't about the bash exploit anymore but about you. Nobody else is chiming in and I in no way represent either of the above mention companies anymore. IF you find a way to exploit the bash bug on any of your soon to be none MT gear, post it and prove all of the above posts wrong... Otherwise.... have a good day...

You've created such a total straw-man argument, it's farcical.

I'd be glad to trust Mikrotik, provided they acted in a trust-worthy manner. As I've said - I'd like something better than the terse explanation that

As RouterOS does NOT use bash, no patching is required from our side.

So, does that mean:
The portions of RouterOS you work with don't have BASH, so everything is good. We know, for example, that you don't need access to bash directly to exploit the vulnerability. So, some clarification here would be really quite nice.

Does this mean that the given statement applies to every version of ROS, or just version 6?

The statement given could easily have many different meanings. [see how creatively the NSA "denies" all sorts of things for a lesson in misdirection] Asking for clarification isn't "not trusting" - but simply asking for more data so I can evaluate it.

Further, the "mistrust" you give comes from your post, not mine. [Yet, I'm the one who is unwilling to trust MT?]

I'll simply restate what I've asked for from the beginning, and what I DO get from UBNT [Without a lot of teeth pulling either.]; A comprehensive answer from someone who is authorized to represent the company.

Does BASH exist in any form in any version of ROS? If yes, then please detail what versions and how it's involved so users can determine their exposure. [As this thread has gone on now, without any additional details from MT, for nearly two weeks now, I'm not holding my breath.]

Before just flaming around about an clear answer which states NO, I would remind you of something stated on the first page of this forum:
Have you sent a mail to support to ask this?

PS: don't forget to ask if any older version uses apache2 as its web server and mysql to manage route lists, or if there is a hidden open office somewhere inside because there is an editor there...
Why the heck would someone put a 900k shell executable in there, if a 50k one would do the needed job?

Yes, BASH does not exist in RouterOS in any form, visible or otherwise. RouterOS is in no way affected with this thing.

Bash != ash

I have worked with ash and busybox. In fact, I just tested the shellshock vulnerability today per https://shellshocker.net/ which is a site that provides info about this issue. It also provides info about how to test for the vulnerability. Ash didn't test positive for any vulnerability associated with shellshock. This is purely a bash bug and bash is not ash!