Is Shellshock (bash) in FreeNAS or not?

Status
Not open for further replies.

Bostjan

Contributor
Joined
Mar 24, 2014
Messages
122
The FreeNAS team says that bash is not the system shell of FreeNAS or FreeBSD.
http://www.freenas.org/whats-new/2014/09/freenas-9-2-1-8-release-is-now-available.html


I didn't install bash, and the FreeNAS team says it is not part of FreeNAS. I'm concerned about where it came from.
When I try

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

I get

    vulnerable
    this is a test

I have FreeNAS 9.2.1.7; only the CIFS and SSH services are running, and Owncloud 7.0.2 is installed. I have no additional packages installed and no other services running on FreeNAS.
FreeNAS is not facing the internet; SSH, CIFS and Owncloud are only accessible on the LAN.


I'm not concerned about security (yes, I’ll update FreeNAS); I would like to find out where the bash on my FreeNAS came from.


I know this question is weird, so please answer it seriously.


Thanks.
 

Attachment: Screenshot bash.png

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
It is not a weird question, but it is one that has been answered in depth several times in these forums. You should search a bit harder next time. See post no. 27 here: http://forums.freenas.org/index.php?threads/its-bashs-turn-to-have-a-security-hole.23698/page-2

Bash is included in FreeNAS by default. This is entailed by the statement in the 9.2.1.8 release notes stating:
> “Shellshock” security vulnerability in bash (which is not the system shell FreeNAS or FreeBSD) proactively closed.
If bash wasn't included then there would be nothing to close.

If you're worried about it, upgrade to 9.2.1.8.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Bostjan said:
> The FreeNAS team says that bash is not the system shell of FreeNAS or FreeBSD.
> http://www.freenas.org/whats-new/2014/09/freenas-9-2-1-8-release-is-now-available.html
>
> I didn't install bash, and the FreeNAS team says it is not part of FreeNAS. I'm concerned about where it came from.

To answer the question a little more precisely, you've misparsed what was said. "FreeNAS team says it is not part of FreeNAS" is false. What was said is that it isn't the system shell; it is a useless appendage included for the convenience of users who can't cope with a more traditional shell. It is not a significant issue because nothing included with the system calls it in a manner that would make the system vulnerable.
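
Added example (not part of any post in this thread, and not FreeNAS code): a small POSIX shell audit of the distinction the replies draw, bash being installed versus bash being the system shell or a login shell, with the thread's own environment-variable probe wrapped in a function. The passwd sample, its paths and all function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed passwd-format sample (not taken from the thread or a real host).
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/usr/local/bin/bash
bob:*:1002:1002:Bob:/home/bob:/bin/sh'

# Read passwd-format lines on stdin; print accounts whose login shell is bash.
bash_login_accounts() {
    awk -F: '$7 ~ /(^|\/)bash$/ { print $1 }'
}

# Run the probe from the thread against the shell binary at $1.
# Returns 0 if code after the function definition was executed,
# 1 if it was not, 2 if the binary is missing or not executable.
probe_shell() {
    [ -x "$1" ] || return 2
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the binary at $1 is bash under another name
# (bash sets BASH_VERSION even when invoked as sh).
sh_is_bash() {
    [ -n "$("$1" -c 'echo "$BASH_VERSION"' 2>/dev/null)" ]
}

# Demo: the constructed sample first, then the local system.
echo "bash login accounts (sample): $(printf '%s\n' "$SAMPLE_PASSWD" | bash_login_accounts)"
bash_path=$(command -v bash || true)
if [ -n "$bash_path" ]; then
    if probe_shell "$bash_path"; then
        echo "$bash_path: executes code trailing a function definition"
    else
        echo "$bash_path: not affected by this probe"
    fi
else
    echo "no bash on PATH"
fi
if sh_is_bash /bin/sh; then echo "/bin/sh is bash"; else echo "/bin/sh is not bash"; fi
```

To audit a real host, feed `bash_login_accounts` the system's own passwd file instead of the sample.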
 