Re: Don’t Panic

#53467

gordonf
Member

First off, I hate fearmongers. And Symantec makes its money by spreading fear. So let’s get my strong bias out in the open.

Now let’s see how a bash exploiter can exploit ZS:

* From the internet: The ZS UI by default restricts access to its web UI to private IP ranges. If you’re foolish enough to override this default, there’s the next problem:

* The admin credentials: To even see the UI CGI you need the admin password. If you have teenage kids behind your ZS router, you likely have a better password than ‘password.’ I hope.

* Malware on the inside network: That’s assuming you administer ZS from an infected PC; if so, you have worse problems than malware exploiting your router. And I have a whole web series on preventing unwanted software, at least on Windows clients.

* Captive Portal or optional Squid Proxy: Isn’t this built with hostile clients in mind? There are a handful of examples of blocking inbound SQL exploits that could apply to a Squid running on ZS that’s caching outbound requests; block bash escape sequences like one would block SQL ones.

If you’re a ZS admin who’s really worried about this until Fulvio releases a fix, make sure the web UI is restricted to NICs and IP ranges you trust, and pick a strong admin password. If you use captive portal, add some URL filtering and you might even catch your own users exploiting outside hosts.

Above all, don’t panic.