Bash Exploit

So a major security problem is out there with Bash variables… Cloud services are patching and rebooting EVERYTHING tonight. *ix is vulnerable… Is MT? Does the web interface execute bash?

http://gadgets.ndtv.com/laptops/news/bash-exploit-can-be-used-to-take-control-of-a-computer-bigger-than-heartbleed-warn-experts-597572

Can I get some karma?

+1 to the question.

It would seem RoS is not vulnerable, but I would like official word from 'Tik.

Very interested here as well.
Lots of patching going on…

As RouterOS does NOT use bash, no patching is required from our side.
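For anyone who wants to check a statement like the one above against an actual binary rather than take it on trust, here is the standard CVE-2014-6271 (Shellshock) probe wrapped in a small script. This is an added example, not code from the thread or from MikroTik: it exports a function definition with a trailing command in an environment variable and runs the shell under test with a harmless command; an unpatched bash executes the trailing command while importing the variable, whereas a patched bash, or a shell that never imports functions from the environment (ash, dash, ksh), prints only the requested output. The marker string and the `PROBE` variable name are my own choices.

```python
import os
import shutil
import subprocess
from typing import Optional

# CVE-2014-6271 probe (added example). A function definition exported in an
# environment variable, followed by a trailing command. An unpatched bash runs
# the trailing command while importing the variable, before it executes the
# requested script; a patched bash, or a shell that never imports functions from
# the environment (ash, dash, ksh, ...), prints only the requested output.
MARKER = "SHELLSHOCK-PROBE-MARKER"   # constructed marker string, any unique text works
PAYLOAD = "() { :; }; echo " + MARKER


def verdict_from_output(stdout: str) -> bool:
    """True if the marker appeared, i.e. the shell executed the trailing command
    purely because it saw it in its environment."""
    return MARKER in stdout


def probe_shell(shell_path: str) -> Optional[bool]:
    """Run the probe against one shell binary.

    Returns True (vulnerable), False (not vulnerable), or None when the binary
    could not be executed at all. The requested command itself is harmless."""
    env = dict(os.environ)
    env["PROBE"] = PAYLOAD  # hypothetical variable name; bash imports any exported name
    try:
        res = subprocess.run(
            [shell_path, "-c", "echo probe-ran"],
            env=env, capture_output=True, text=True, timeout=10,
        )
    except (OSError, subprocess.SubprocessError):
        return None
    return verdict_from_output(res.stdout)


def probe_system_sh() -> Optional[bool]:
    """Probe whatever 'sh' resolves to on this host (dash, busybox ash, bash ...)."""
    sh = shutil.which("sh")
    return probe_shell(sh) if sh else None


if __name__ == "__main__":
    # Probe every common shell name found on PATH and report the verdict for each.
    for candidate in ("sh", "bash", "ash", "dash", "ksh"):
        path = shutil.which(candidate)
        if path:
            print(f"{path}: {probe_shell(path)}")
```

Running this against a box where the only shell is BusyBox ash should report False for every candidate; if it reports True for anything, the vendor's "we do not use bash" does not matter, because something on the box imports functions from the environment. Note it only tells you about the shell you can reach; it says nothing about whether a web interface or script on the device ever spawns that shell with attacker-controlled environment variables, which is the other half of the Shellshock question.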

This is also true for older versions? 2.9.x, etc.

@krisjanis
So, you’re saying that BASH doesn’t exist in any form, visible or not, accessible to the user or not, on RouterOS?

What do you use for a shell for underlying work and control? [ROS is obviously a *nix variant, and underneath it almost certainly has some kind of shell - so it’s a little hard to take such a blanket dismissal.]

+1 for gsloop’s remarks.

We could do with some more detail - does bash exist at all on any version?

Embedded systems (and ROS is an embedded system) usually use BusyBox, which does contain a Bourne shell compatible shell implementation which, as far as I know, has no relation to bash. Another popular alternative to bash is zsh. BSD systems have their own implementations of Bourne shell compatible shells. Also, lots of different popular shells exist on Unix-like systems (ksh, csh, tcsh just to name a few). So while bash is the most widely used shell nowadays, due to being the default shell on the vast majority of Linux distros, it is far from being the best, nor the only, available option.

@ andriys

Sure, it could be CShell or anything else. But an “it could be” isn’t an answer.

I need a definitive answer. Is BASH on ROS in any form, even if it’s not accessible or visible to the user?
There have been lots of answers from lots of people saying… “Oh, our product X, it isn’t vulnerable because blah, blah, blah.”
But then come to find out, it IS vulnerable - with a little poking and prodding and a tweak here and there.

So, if ROS has BASH anywhere on it, we should be notified and IMO, I’ll be pretty skeptical about claims ROS is immune, at least until it’s patched adequately.

As long as I’m at it, Mikrotik seriously needs a security announce mailing list. One shouldn’t have to troll the forum to find out about security announcements/patches etc.

-Greg

ash shell.

Any Mikrotik package contains a custom SquashFS image, prefixed with a header of 4K bytes. I was not able to mount or extract any of these images using standard squashfs tools, but it’s still possible to extract and examine the contents of Mikrotik images using a recent version of 7-Zip.

RouterOS does contain a shell: the ash shell from the BusyBox package. It also contains /bin/bash, but it is just a symlink to ash, not a real bash binary.
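If you want to reproduce the check above without 7-Zip, the usual approach is to locate the SquashFS superblock inside the package and hand the rest of the file to unsquashfs. The script below is an added example (not from the thread, not a MikroTik tool): it scans a blob for the SquashFS 4.x magic, validates the 96-byte superblock (version 4, a power-of-two block size matching block_log, a known compressor) so that a stray "hsqs" in the header is not mistaken for an image, and then, on an already extracted root filesystem, reports what bin/bash really is via lstat/readlink rather than following the link. The sample package and sample rootfs are constructed inline for the test; the 4 KiB header size is taken from the post above, and nothing here depends on it being exactly that.

```python
import os
import struct
import tempfile
from typing import Optional, Tuple

SQSH_MAGIC = b"hsqs"  # 0x73717368 stored little-endian, as mksquashfs writes it on LE targets
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
SB_FMT = "<5I6H8Q"    # SquashFS 4.x superblock layout, 96 bytes total
SB_SIZE = struct.calcsize(SB_FMT)


def parse_superblock(raw: bytes) -> Optional[dict]:
    """Decode a candidate superblock; return None unless it is plausibly real."""
    if len(raw) < SB_SIZE:
        return None
    (magic, inodes, mtime, block_size, frags,
     comp, block_log, flags, ids, major, minor,
     root_inode, bytes_used, id_table, xattr_table,
     inode_table, dir_table, frag_table, export_table) = struct.unpack(SB_FMT, raw[:SB_SIZE])
    if magic != 0x73717368 or major != 4:
        return None
    # Sanity checks that weed out decoy magics: block size must match block_log
    # and lie in the range mksquashfs accepts (4 KiB .. 1 MiB).
    if comp not in COMPRESSORS or block_size != (1 << block_log) or not (4096 <= block_size <= 1 << 20):
        return None
    return {
        "version": f"{major}.{minor}", "inodes": inodes, "mtime": mtime,
        "block_size": block_size, "compressor": COMPRESSORS[comp],
        "bytes_used": bytes_used, "inode_table": inode_table, "dir_table": dir_table,
    }


def find_squashfs(blob: bytes, start: int = 0) -> Optional[Tuple[int, dict]]:
    """Return (offset, superblock) of the first valid SquashFS image at/after start."""
    pos = start
    while True:
        idx = blob.find(SQSH_MAGIC, pos)
        if idx < 0:
            return None
        sb = parse_superblock(blob[idx: idx + SB_SIZE])
        if sb is not None:
            return idx, sb
        pos = idx + 1  # magic without a valid superblock behind it: keep scanning


def build_sample_package() -> bytes:
    """Constructed stand-in for a package: 4 KiB opaque header containing a decoy
    magic, followed by a minimal valid xz-compressed superblock and padding."""
    header = bytearray(b"\xa5" * 4096)
    header[100:104] = SQSH_MAGIC  # decoy: the magic with garbage after it
    sb = struct.pack(SB_FMT, 0x73717368, 42, 1411000000, 131072, 3,
                     4, 17, 0, 1, 4, 0,
                     0, 65536, 0, 0xFFFFFFFFFFFFFFFF, 96, 2000, 3000, 0xFFFFFFFFFFFFFFFF)
    return bytes(header) + sb + b"\x00" * 1024


def describe_link(rootfs: str, rel_path: str = "bin/bash") -> dict:
    """Inspect rel_path inside an extracted tree without following the link out of it."""
    path = os.path.join(rootfs, rel_path)
    info = {"exists": os.path.lexists(path), "symlink": os.path.islink(path), "target": None}
    if info["symlink"]:
        info["target"] = os.readlink(path)
    return info


def build_sample_rootfs() -> str:
    """Constructed extracted tree mirroring the finding above: bin/ash plus bin/bash -> ash."""
    d = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(d, "bin"))
    with open(os.path.join(d, "bin", "ash"), "wb") as f:
        f.write(b"\x7fELF")  # placeholder for the busybox binary
    os.symlink("ash", os.path.join(d, "bin", "bash"))
    return d


if __name__ == "__main__":
    hit = find_squashfs(build_sample_package())
    print("superblock at", hit[0] if hit else None, hit[1] if hit else "")
    print(describe_link(build_sample_rootfs()))
```

With a real package, read the file into `blob`, take the offset `find_squashfs` returns, and either cut the header off (`dd if=pkg.npk of=rootfs.sqsh bs=1 skip=<offset>`) before running `unsquashfs rootfs.sqsh`, or pass the offset directly if your squashfs-tools release has an offset option (check `unsquashfs -help`; older releases do not). Once extracted, `describe_link` on the tree answers the question this thread was circling: a symlink whose target is `ash` is not a bash binary, whatever its name.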

@andriys

Thanks, I think.

Let’s assume you’re right. That’s all nice, I suppose.

However, should it be this hard to get a definitive answer from Mikrotik? I could probably disassemble the machine code and make sure BASH isn’t in there too, but can anyone imagine having to do that with any responsible vendor, simply to get an answer about one of the biggest vulnerabilities in *nix in years?

It doesn’t seem too much to ask, to expect a vendor to do more than just give the barest minimum of information; to refuse to follow-up on the discussion and fill in the gaps; but instead, say nothing, and rely on an informal community response for a definitive response!?!? [To a potential vulnerability that got a CVE risk score of 10, no less!.]

Giving, essentially, a terse “NO!” answer to questions about the shellshock/BASH vulnerability seems both rude and irresponsible to me. Compare this ['Tik’s discussion or lack thereof] to the discussion about it at UBNT, and the very robust discussion about it there even though they’re quite sure they are not vulnerable.

Given a choice between the two ways of dealing with customers, I can certainly tell you which product I’m likely to recommend and use, and it’s not the terse/hostile vendor.

-Greg

There was a definitive answer from Mikrotik - see the 4th message in this thread above. krisjanis clearly said that “RouterOS does NOT use bash”. You were wondering what kind of Unix shell is in use in RouterOS, and I kindly did a little research for you. I really do not understand what this noise is all about.

There were questions about different versions, about whether BASH was simply not user-accessible, but still in the underlying system etc.

Perhaps you’re perfectly fine with inadequate information, simply trusting that the blanket statement given covers all possibilities, but I’m not. You’re welcome to paint those of us who want more detail, as loonies who are swooning about it needlessly, but when a security device is involved, and the risk is so comprehensive and total, then some additional details seem more than reasonable to expect.

-Greg

Hmmm, I’m curious as to what information you are digging for beyond “No bash”. Seems like a problem that isn’t a problem if bash isn’t there. I think you are diminishing your karma by flogging a dead horse, publicly. Maybe you wanted a statement from the CEO? A guarantee? Not going to get it for the price point that they sell RouterOS for. If you are that worried about security, you shouldn’t be putting a piece of software from a foreign country in your network and you should compile all OS’s from the available source after doing a thorough diff of the source trees. :smiley:

@avantwireless

If you are that worried about security, you shouldn’t be putting a piece of software from a foreign country in your network

You know, you’re right. That’s why I’m moving my installed base over to Ubiquiti’s Edge Router. [How about that?]

And, for the same or better price-point, I do get answers to questions like this from them. So, your bombast that “it couldn’t possibly be affordable to give detailed answers…” seems a bit off target. I posted the same question on their forum and the difference in response is pretty stark. [To be honest, one would hope that devices from foreign countries shouldn’t worry one that much - one would hope that the integrity of the company would be enough…]

And Karma? That’s fine - it’s meant to burn. If asking for substantial clarification burns karma, so be it. You’re not going to shame me into conformance.

But unfortunately, I still have some Mikrotik devices out there, and on several different versions - so the level of detail we’ve gotten here is, IMO, still inadequate.

It’s funny how when one asks for better, the usual response here is: [given in a huffy manner] “If you don’t like the abuse we give, then too effen bad. Don’t let the door hit you in the backside on your way out!” Sheesh.

HAND
-Greg

Please note that UBNT s/w is developed in the same country as MT

As I said, one would hope the integrity of the company would suffice.

All that said - Debian and Vyatta don’t appear to be developed primarily in Latvia. [Never mind that UBNT [as I understand it] forked Vyatta and while the base is Vyatta, there are modifications of their own.]

Got some sources?

Sources of code or sources of development location? For development location look at the ubiquiti forums and who responds to development questions


https://www.linkedin.com/in/edmundasbajorinas Lithuania

I’m not going to get into an argument about this - but having a single developer, vs the entire company seem, to me at least, to not be at all equivalent. Not even remotely.

I guess each person will have to make their own call. I just know my calculus is vastly different than what you’re implying.
[Frankly, given how out of control the US Government is, in terms of spying-overreach, one might even make the case that development on the US mainland vs somewhere with less government interference would be better. (But, IMO, Latvia would be far worse by those criteria.)]

-Greg