Synology & “Shellshock” bash Vulnerability

Synology has released an announcement about the Shellshock vulnerability. Not all Diskstations are vulnerable and for the ones that are the Bash shell isn’t available to public users.

Synology released a statement about the “Shellshock” vulnerability.

From the statement:

A vulnerability of a commonly used UNIX command shell, Bash, has been discovered allowing unauthorized users to remotely gain control of vulnerable UNIX-like systems. A thorough investigation by Synology shows the majority of Synology NAS servers are not concerned. The design of Synology NAS operating system, DiskStation Manager (DSM), is safe by default. The bash command shell built into DSM is reserved for system service use (HA Manager) only and not available to public users. For preventive purposes, Synology is working on the patches addressing this bash vulnerability and to provide them as soon as possible.

Only one of my three DiskStations is on the vulnerable list (the 1511+). That particular NAS always gets updated last. It’s used for all my backups and file storage. While recovery would be possible it would take a long time. My test NAS (the 212J) isn’t on the vulnerable list so I can’t test the updated firmware. My main NAS, the DS212+, isn’t on the list either.

Since I can’t test the update I’m not applying it to my 1511+. The 1511+ isn’t accessible from the internet, it isn’t even set up for quick connect, and my router wouldn’t send any Internet traffic to it. So the risk to me seems nearly non-existent and the risk of problems is higher than normal. I’ll wait until others beat on the update for awhile and apply it sometime in the future, maybe just the next update. As I write this the update for the DS1511+ isn’t available from the download center or through automatic update.

Security: DLL Search order Vulnerability

This is a little old, reported about a month ago, but I’m just getting around to patching it and Microsoft isn’t. The “Insecure Library Loading Could Allow Remote Code Execution” vulnerability was announced by Microsoft back in late August in bulletin 2269637. Unfortunately Microsoft has not rolled out a patch with their normal patch rollouts. Probably because of the potential to break apps. They did publish knowledge base article 2264107 which has a workaround to the problem.

In short, because the working directory is included in the DLL search path and could be a remote directory, it was possible for an attacker to compromise a system with a remote DLL. Applications could avoid this by not relying on the default search order.

I ran through the steps and haven’t had an issue. Since I don’t expect any of my applications to run a remote DLL (WebDAV or SMB file share) I’m not expecting any problems. I’ve installed the patch and changed the settings on Windows 7 64-bit only, but the patch is available for other OS’s and the process seems the same for them.

To patch the PC:

  1. Download and install the appropriate OS patch from the KB article. I needed to reboot and I suspect the other OS’s will also need a reboot.
  2. The patch doesn’t change anything by itself; it just enables the use of the registry keys described in the article. You can create the registry key(s) manually or do like I did, and click the “Fix It” link in the article.
  3. The Fix It link creates the global registry key with a value of “2”, which prevents searching the working directory for DLLs if the location is WebDAV or SMB (remote).
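As an added example (not code from the post or from Microsoft’s Fix It), this PowerShell script does steps 2 and 3 by hand: it reads the global CWDIllegalInDllSearch value under the Session Manager key documented in KB 2264107, sets it to 2 as the Fix It link does, and reports what the setting means. The key path, value name and value meanings are the ones in the KB article; the function names are mine.

```powershell
# Added example: audit and set the global CWDIllegalInDllSearch value from KB 2264107.
# Run from an elevated PowerShell session (the key lives under HKLM).
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName = 'CWDIllegalInDllSearch'

function Get-CwdDllSearchPolicy {
    # Returns $null when the value is absent, i.e. the default (insecure) search order applies.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName   # REG_DWORD reads back as Int32; 0xFFFFFFFF appears as -1
}

function Describe-CwdDllSearchPolicy([object]$Value) {
    if ($null -eq $Value) { return 'not set: working directory is still searched for DLLs' }
    switch ($Value) {
        1       { '1: DLL loads from the working directory blocked when it is a WebDAV folder' }
        2       { '2: DLL loads from the working directory blocked when it is remote (WebDAV or UNC)' }
        -1      { '0xFFFFFFFF: working directory removed from the DLL search path entirely' }
        default { "$Value: value not documented in KB 2264107" }
    }
}

function Set-CwdDllSearchPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet(1, 2, -1)]   # -1 is stored as REG_DWORD 0xFFFFFFFF
        [int]$Value
    )
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # The KB article specifies a REG_DWORD; -Force overwrites an existing value.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
}

# Audit, apply the same setting the Fix It link uses (2), then verify it stuck.
$before = Get-CwdDllSearchPolicy
Write-Host ("Before: " + (Describe-CwdDllSearchPolicy $before))
Set-CwdDllSearchPolicy -Value 2
$after = Get-CwdDllSearchPolicy
if ($after -ne 2) { throw "Expected $ValueName = 2, found '$after'" }
Write-Host ("After:  " + (Describe-CwdDllSearchPolicy $after))
```

The setting takes effect for processes started after the change; applications that can be launched from a remote share should be retested afterwards, since that is the case the value is designed to block.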

The working directory isn’t the directory the application is installed in (I suppose it can be, but that would be coincidence). This patch also affects the search order (based on the article) so if the app is installed remotely, and properly written to not rely on the remote working directory for a DLL, I would expect the app to continue to work. But, I don’t have any remotely installed apps to test this out.

This is the first time I tried one of those “Fix It” links. It’s a little scary but worked well. I’ll post an update if I have any app issues, but so far so good.

Microsoft Security Updates for July 2008

Microsoft has released four security bulletins for July 2008, two of which are for desktops.

MS08-038 addresses a vulnerability in Windows Explorer and is for Windows Vista and carries an “important” rating. The update includes the original Vista, Vista SP1 and Vista x64.

MS08-037 addresses a vulnerability in DNS and is for Windows 2000 SP4, Windows XP SP2 & SP3, and Windows XP x64 original release & SP2. It’s rated as “important”. [Updated: This patch is part of a coordinated, multi-vendor DNS patch.]

These patches, and the others, also affect server OS’s. There’s no Internet Explorer update this month.

Also, Microsoft will begin rolling out an update to Windows Update later this month. Last time they did this they caught grief for updating PCs that were set to “do not update”. This time around they’ll be doing things differently and won’t update PCs set to not update.

Safari 3.1.1 Released

Apple has released Safari 3.1.1 for both OS X and Windows. I installed it on my two Leopard Macs without a problem through Apple’s Software Update and a reboot was required. It’s also available as a standalone download.

The update includes four security fixes (two are Windows only). One of the patches plugs the vulnerability that won the PWN to OWN contest at CanSecWest.

There’s also the standard

…improvements to stability, compatibility…

The reboot displayed a blank blue screen for a nerve-racking length of time but was otherwise uneventful.

[Updated April 17th:] Well, I may have spoken too soon. My iMac was stable until the first reboot after the patch. At that point it wouldn’t finish loading and would lock up shortly after logon. Starting in Safe Boot mode would allow the logon but instability would ensue after running an app or two. The update itself doesn’t seem to be the problem as a new user profile runs Safari and other apps just fine. Also, my MacBook is running fine.

Microsoft Security Bulletins for April 2008

Another "Super Tuesday" patched this week but I just got around to firing up my Windows VMs today (actually it’s been about 12 days since I’ve been in Windows). There were ten updates waiting for me on Windows Vista and eight on Windows XP Home, although not all were security related.

This month’s updates included:

KB945553 (MS08-020) – Vulnerability in DNS client could allow spoofing. This is rated as "Important" for all supported desktop OS’s except Windows Vista SP1, which doesn’t need the update.

KB948590 (MS08-021) – Vulnerability in GDI could allow remote code execution. This is rated as "Critical" for all supported desktop OS’s.

KB944338 (MS08-022) – Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution. This is rated as "Critical" for all desktop OS’s except Windows Vista, which doesn’t need the update.

KB948881 (MS08-023) – Critical security update for ActiveX killbits. This is required for all supported desktop OS’s, although the severity ranges from "Important" to "Critical".

KB947864 (MS08-024) – Cumulative security update for Internet Explorer. As expected, all supported versions of IE get the update and all are rated "Critical".

KB941693 (MS08-025) – Vulnerability in Windows Kernel could allow elevation of privileges. This one has an "Important" rating for all supported desktop OS’s.

There were also some security patches for applications. MS08-018 patches a Project vulnerability while MS08-019 patches a vulnerability in Visio. I don’t run either Project or Visio so I didn’t install the updates.

The Malicious Software Removal Tool, Junk Email Filter update (Vista only, in my case at least) and Windows Defender definition updates were also included.

I also received KB938371 (on my Vista SP1 VM) which is an update needed to add or remove Vista SP1. Since I received Vista SP1 successfully I already had some of the components. According to the bulletin Vista SP1 install "will only install the new components in this rereleased update."

Non-security related patches included an update to Live Writer and an optional Group Policy patch. For some reason my Windows XP Home installation also received .NET 2.0 SP1 although it appears that it was released back in December and I installed the base .NET 2.0 in early January, two patch Tuesdays ago.

As expected, a reboot was required. So far I haven’t encountered any differences or problems since applying the updates. A subset of these updates also installed on my Windows Home Server and I covered the WHS March Updates here.