iXsystems Products Not Vulnerable to Shellshock-related Exploits
Over the past few weeks, the Open Source Software community has been dealing with the fallout from the discovery of a significant vulnerability in the GNU Bash shell used by default in many Linux-based operating systems. iXsystems products are based on FreeBSD, not Linux. Like FreeBSD, our software does not use Bash by default. Most of the “Shellshock” vulnerabilities result from programs that pass external input directly to Bash. While iXsystems software does include Bash as a user shell option, Bash is never the system shell by default and thus our software is not vulnerable to the exploits currently being seen in the wild.
To preemptively address any potential vulnerability of which iXsystems is not aware, we have issued updates to TrueNAS, FreeNAS, and PC-BSD that disable the functionality of Bash which is vulnerable to exploitation. These updates are available as TrueNAS 184.108.40.206, FreeNAS 220.127.116.11, and a package update to Bash for PC-BSD. TrueNAS clients should contact their support representative for assistance updating if needed. FreeNAS users can obtain the latest update from FreeNAS.org/Download as usual. Updates for PC-BSD are available within the operating system at the Update Manager.