Expired

Security Advisory: Shellshock / Linux 'Bash' Vulnerability

In September 2014, news broke of a vulnerability in the 'Bash' command line interface (CLI), commonly referred to as a shell. The vulnerability has been named 'Shellshock' and is also known by the identifiers CVE-2014-6271 or VU#252743, and the related CVE-2014-7169 for Red Hat Linux.


The 'Bash' shell is used by many Internet servers and also by hardware products which are based on Linux, including MacOS (Apple desktop computers and laptops). The Bash CLI is widely used, and many vendors use common builds and code libraries, as well as the same OEMs, so the vulnerability may affect many different vendors' products (different brands). You should check each of your hardware products (routers, servers, other Linux-embedded systems etc.) and patch where appropriate. Note that DrayOS, the operating system used for most DrayTek products, is proprietary and not Linux-based; it uses exclusively our own developed code, which is not shared by other vendors.

DrayTek Products

We can confirm that no DrayTek hardware products are affected by Shellshock or use the affected code, libraries or functions.

The above statement covers all DrayTek hardware products ('Vigor' series products), including all routers, wireless access points and switches. The above statement also covers/includes the public servers providing the following web sites: draytek.com, draytek.co.uk, draytel.org, seg.co.uk and includes all sub-domains of those web sites such as forum.draytek.co.uk or myvigor.draytek.com.

None of these aforementioned products or sites use the vulnerable code or libraries, and all are therefore considered 'safe' in this respect. It is not necessary to take any action on any of these products, services or accounts in respect of Shellshock.

Advice Regarding other Services / Products (non-DrayTek)

You should check the equivalent statements/advisories from all of your other networking hardware vendors and from the providers of your servers, PCs, web services and Internet access (ISPs), and then follow the advice of each of them regarding any necessary precautions or updates. For more technical details of Shellshock, visit CERT UK (external site; outside the responsibility of DrayTek).


Disclaimer: Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up-to-date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information in this web page is provided in good faith based on the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks, and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.