Forums › Forums › iLive Forums › iLive general discussions › Shellshock Bash vulnerabilities
Tagged: Shellshock Bash vulnerabilities
- This topic has 7 replies, 5 voices, and was last updated 10 years, 1 month ago by SteffenR.
-
AuthorPosts
-
2014/10/29 at 3:16 pm #42557AnonymousInactive
Hi Guys
I service a iLive system that is a part of a hotels conference services.
The hotels IT department noticed that the iLive OS is Linux based and since they are reviewing the hotels IT security setup they asked for a review of if and how the iLive might be vulnerable to the Shellshock Bash Bug that can now affect Linux IT systems.
Although I know that we do not need to fear that bug affecting iLive I am now looking for a quotable informative answer for the IT records… My “trust me, itยดs Ok” just doesn’t cut it ๐Anyone able to help me out?
2014/10/31 at 1:00 am #42595tylermartin86ParticipantAfter some research, it seems like the iLive will not be vulnerable to the Shellshock bug.
Regardless, it is mostly a “best practices” thing to not have your sound network connected to the internet. There is no reason for it. You should have separate wires and wireless router for your iLive network.
2014/10/31 at 1:40 am #42597GCumbeeParticipantTyler is right. It should not have been or still be online. No reason to be.
2014/10/31 at 9:54 am #42602AnonymousInactiveTrue.
I would not expose the system to the internet. We however have it set up on a separate IP network dedicated for equipment control and monitoring. There we have stuff like audio DSP, AMX control systems, video matrix switcher, IPTV and various other gizmos. I can not guaranty that some of the In house staff have not brought something on a USB stick to one of the many computers on that network. That possibility is what raised the red flag…2014/11/02 at 7:39 pm #42631SteffenRParticipantcom on guys, Jakob needs a real answer
I guess you have to ask direct in the software department,
maybe Nicola could forward this if you send him a personal message.2014/11/02 at 8:26 pm #42635tylermartin86ParticipantI thought my answer was a real answer… But steffen is right. The only true way to be 100% sure of this is to talk to the software department.
But from my research, the Shellshock bug needs an attacker, not just a USB stick.
I would still very highly recommend putting the iLive on its own separate network. You wouldn’t want more traffic on the iLive network than you need. If the traffic on the network becomes too much, it may start slowing down the iLive traffic. It all depends on what the router sees as more important.
2014/11/03 at 11:06 am #42651Nicola A&HKeymasterThis is what I got from our Software team, hope it helps.
iLive and GLD aren’t running any of the typical exploitation vectors for shellshock. The SSH Server is disabled in normal operation, there is no web server installed, likewise no DHCP or mail server.
The only TCP port we open for rendezvous is within our firmware control and not bash based.
The virtual consoles are all password protected.
We believe this makes an attack very unlikely.
2014/11/03 at 4:13 pm #42656SteffenRParticipantThat’s an answer… ๐
-
AuthorPosts
- You must be logged in to reply to this topic.