

Ask HN: What are the odds for shellshock exploits in 3G radio networks via RF? - DyslexicAtheist

Assuming (actually I know) a lot of the radio network controllers (RNC) and 4G eNodeBs which receive the signal from the tower are using bash, what are the odds of injecting code into the network leading to remote execution with shellshock?
======
iSloth
I'd say very slim. The boards within eNodeBs/NodeBs that process RF traffic
typically do not run a Linux base on them (in my experience); FPGAs and
dedicated ASICs are far more likely. You'll typically find it's only the
controller board within your base station that has a Linux OS running within.
User plane traffic at this point is just traversing the board as normal IP
traffic, so no interactions with bash are required. There is some signalling
plane traffic (mainly LTE); however, the majority of that is within the NAS,
which is eNodeB transparent.

I'd guess the biggest concern would be the MME's processing of signalling
messages, as basically all the boards within these systems will generally be
SUSE/Red Hat based. However, again there's going to be a very slim chance of
bash injection. Most of the signalling modules are C++ based and don't have a
requirement for bash, and even if they did implement bash for some unknown
reason, there are masses of validation applied to the signalling variables,
leaving very little room for an injection payload.

