Earlier this month a bug was discovered that allowed remote code execution through bash. Earlier this week it started showing up on security mailing lists, and Red Hat posted a patch to update their Linux distributions, which is when we started testing internally. The largest concern is for public-facing servers that host CGI/bash scripts; those types of scripts are not very common. The bugs are CVE-2014-6271 and CVE-2014-7169, more commonly referred to as “Shellshock”.
It was becoming apparent that this bug was widespread and did indeed affect OS X. In some respects the risk is low; however, it could easily become high given the number of machines running bash and the variety of attack vectors.
Apple has yet to issue a patch; we are hopeful that one will come soon. The fix involves updating two files (/bin/bash and /bin/sh). Patches are available, and with the source code from Apple it is possible to compile these two files yourself.
On September 25th, Twitter was full of patches to 3.2.52 that protected against CVE-2014-6271 but not CVE-2014-7169. We felt it was best to wait for a patch covering both. On the morning of September 26th we tested a patch that upgraded bash to 3.2.53 and protected against both bugs. We compiled that version and placed the binaries inside an installer that copies the old files and makes them non-executable before placing the new files in the /bin directory. This patch is tested and should work on OS X 10.8, 10.9 and 10.10; it will break OS X 10.7 or earlier. An update from Apple should overwrite our two files without issues. Just in case, it is easy to reverse by copying the old files back and making them executable again. We have also written an uninstall script.
Customers running OS X 10.8 or newer who do not wish to wait for Apple can choose to update using this script. We are not saying that it is necessary to install this patch, but we would not recommend leaving these vulnerabilities unaddressed for too long. We can only support our own customers who install this patch; all others: test and install with caution.
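As an added illustration of the installer/uninstaller procedure described above (example code written for this page, not the actual installer the post links to), the script below backs up a shell binary, makes the backup non-executable, installs the replacement and can roll the change back. The target directory, the `.old` backup suffix, the `build/` source directory and the stand-in "binaries" used by `rehearse` are all assumptions; the idea is to rehearse in a scratch directory before running it as root against /bin.

```shell
#!/bin/sh
# Added example, not the installer the post links to: back up a shell binary (made
# non-executable), install its replacement, and roll back. Paths and the ".old"
# suffix are assumptions made for this example.

# install_with_backup DIR NAME NEW: keep DIR/NAME as DIR/NAME.old (mode a-x), then put NEW in place.
install_with_backup() {
  dir=$1; name=$2; new=$3
  [ -f "$new" ] || { echo "replacement $new not found" >&2; return 1; }
  if [ -e "$dir/$name" ] && [ ! -e "$dir/$name.old" ]; then
    cp -p "$dir/$name" "$dir/$name.old" || return 1
    chmod a-x "$dir/$name.old" || return 1   # the old, vulnerable copy can no longer be run by accident
  fi
  # Copy under a temporary name and rename over the target, so /bin/sh is never
  # half-written while other processes (launchd jobs, scripts) may be starting it.
  cp "$new" "$dir/$name.tmp" && chmod 0755 "$dir/$name.tmp" && mv -f "$dir/$name.tmp" "$dir/$name"
}

# rollback DIR NAME: put DIR/NAME.old back as DIR/NAME, executable again, and drop the backup.
rollback() {
  dir=$1; name=$2
  [ -f "$dir/$name.old" ] || { echo "no backup for $dir/$name" >&2; return 1; }
  cp "$dir/$name.old" "$dir/$name.tmp" && chmod 0755 "$dir/$name.tmp" \
    && mv -f "$dir/$name.tmp" "$dir/$name" && rm -f "$dir/$name.old"
}

# current_version DIR NAME: first line of the installed binary's --version output.
current_version() { "$1/$2" --version 2>/dev/null | head -n 1; }

# rehearse: exercise both functions in a scratch directory using constructed stand-ins
# (tiny scripts that only print a banner) instead of real bash binaries.
rehearse() {
  tmp=$(mktemp -d) || return 1
  mkdir "$tmp/bin" "$tmp/build"
  printf '#!/bin/sh\necho "GNU bash, version 3.2.51(1)-release (stand-in)"\n' > "$tmp/bin/bash"
  printf '#!/bin/sh\necho "GNU bash, version 3.2.53(1)-release (stand-in)"\n' > "$tmp/build/bash"
  chmod 0755 "$tmp/bin/bash" "$tmp/build/bash"
  install_with_backup "$tmp/bin" bash "$tmp/build/bash" || return 1
  echo "after install:  $(current_version "$tmp/bin" bash)"
  rollback "$tmp/bin" bash || return 1
  echo "after rollback: $(current_version "$tmp/bin" bash)"
  rm -rf "$tmp"
}

# Rehearse with:  sh bashpatch.sh rehearse
# Real use (as root, after building Apple-compatible binaries into ./build):
#   . ./bashpatch.sh; for f in bash sh; do install_with_backup /bin "$f" "build/$f"; done
if [ "${1:-}" = rehearse ]; then rehearse; fi
```

The copy-then-rename step is the one detail worth adding to the procedure in the post: /bin/sh is started constantly on a running system, and a plain `cp` over it leaves a window where a partially written binary can be exec'd. Rolling back copies the backup rather than renaming it, so a failure midway still leaves the `.old` file in place.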
Click for 10.8-10.9 patch download
(Patch removed from GitHub)
NEW: Patch for Snow Leopard (OS X 10.6)
UPDATE 2014-09-29 at 11:35 AM CDT (GMT -5:00): There is an upstream patch for version 3.2.54, which we are currently testing. There are also four new CVEs being released. It seems that, with more eyes on bash, there is a much-needed race to find more bugs. Hopefully the dust will settle soon and there will be an official patched version that protects against all recently found vulnerabilities. If Apple does not have a software update ready at that time, we’ll update our installer package for easy distribution. Our patch installer also includes an uninstaller script. It has been reported that Apple may not be shipping newer versions of bash due to licensing (the latest versions of bash are released under GPLv3). Apple has not shipped software released under GPLv3, which has provisions regarding patent lawsuits and hardware lockdown. Also, Wired put together a great history of bash.
UPDATE 2014-09-29 at 5:00 PM CDT (GMT -5:00): Apple has released a “1.0” patch for bash. The Apple patch updates bash to 3.2.53, although they have made additional changes without using the upstream 3.2.54 patch. Apple’s patch also places new profile and bashrc files in /private/etc, as well as updated man pages/documentation. Oddly, a new file named bashbug is also placed in /usr/bin/.
Apple’s security-announce message:
APPLE-SA-2014-09-29-1 OS X bash Update 1.0
OS X bash Update 1.0 is now available and addresses the following:
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: In certain configurations, a remote attacker may be able to execute arbitrary
Description: An issue existed in Bash’s parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.
This update also incorporated the suggested CVE-2014-7169 change, which resets the
In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix “__BASH_FUNC<” and suffix “>()” to prevent unintended function passing via
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy
OS X bash Update 1.0 may be obtained from the following webpages:
http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks
To check that bash has been updated:
* Open Terminal
* Execute this command:
* The version after applying this update will be:
OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
UPDATE 2014-09-30 at 2:00 PM CDT (GMT -5:00): Apple’s patch does not protect against all known vulnerabilities. They also did not release a patch for OS X 10.6, which quite a few of our customers still run. We compiled a patch for OS X 10.6.8 that also disables the function auto-import feature, which should remove most (if not all) risk of an exploit.
NEW: Patch for Snow Leopard (OS X 10.6)
UPDATE 2014-10-06 at 10:00 AM CDT (GMT -5:00): It looks like we’re nearing the end of patching bash. CVE-2014-6278 sounds like it is one of the last (if not the last) discovered vulnerabilities. The most current version for 3.2 is now 3.2.57. Chet (the developer who has maintained bash since the late ’80s) posted to Twitter calling it the final fix for Shellshock. Apple should release a follow-up update with these latest patches; while their 1.0 update fixes most of the vulnerabilities, it does not fix them all. Compiling bash to 3.2.57, or using a patch that disables auto-import of functions, would be the most secure option at this point.
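The version check in Apple’s advisory above is a manual step in Terminal. As an added example (not from the post, the installer, or Apple), the script below automates it for both files the post says need updating, /bin/bash and /bin/sh: it parses the “GNU bash, version …” banner and compares it against a minimum release. The 3.2.57 minimum is taken from the update above; the function names, the exit codes and the handling of a /bin/sh that is not bash at all (as on many Linux systems) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: check that /bin/bash and /bin/sh report
# a GNU bash release at or above a minimum version (3.2.57 per the post's last update).

# bash_version_from_banner BANNER: print "X.Y.Z" from a line such as
# "GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)"; print nothing otherwise.
bash_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_ge HAVE WANT: exit 0 when dotted version HAVE >= WANT, 1 otherwise.
# Missing fields count as 0, so "3.2" compares as "3.2.0".
version_ge() {
  want=$2
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
  set -- $(printf '%s\n' "$want" | tr '.' ' ')
  w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
  [ "$h1" -gt "$w1" ] && return 0
  [ "$h1" -lt "$w1" ] && return 1
  [ "$h2" -gt "$w2" ] && return 0
  [ "$h2" -lt "$w2" ] && return 1
  [ "$h3" -ge "$w3" ]
}

# report_shell PATH MIN: print a one-line verdict. Exit 0 if patched, 1 if too old,
# 2 if PATH is not GNU bash (or does not exist).
report_shell() {
  banner=$("$1" --version 2>/dev/null | head -n 1)
  ver=$(bash_version_from_banner "$banner")
  if [ -z "$ver" ]; then
    echo "$1: not GNU bash (banner: ${banner:-none})"
    return 2
  fi
  if version_ge "$ver" "$2"; then
    echo "$1: $ver >= $2, OK"
  else
    echo "$1: $ver < $2, needs update"
    return 1
  fi
}

# Check both files the post says the patch replaces.
for shell in /bin/bash /bin/sh; do
  report_shell "$shell" 3.2.57 || :
done
```

Checking /bin/sh separately matters because on OS X it is a second copy of bash rather than a link to /bin/bash, so updating one file does not update the other. A version at or above the minimum shows the upstream fixes are present; it says nothing about whether a vendor build also disabled function auto-import, which the post describes as the more conservative option for 10.6.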