This arstechnica article provides a Terminal command test. According to that test, Mountain Lion is also vulnerable.

http://arstechnica.com/security/201...big-security-hole-on-anything-with-nix-in-it/

Ok, now what? What do we do, short of waiting for Apple to fix it?

OSX isn't very vulnerable to this issue by default. It doesn't use bash for many things that linux does use bash for. For instance, the dhcp client on linux will typically fire off a couple of (bash, often) shell scripts with the dhcp-supplied data. OSX doesn't do that.

So unless you did something weird like create a bash-based cgi script to be run by apache (also included), or using interesting ssh constructions, you're likely not going to have any problems.

That said: apple's next security update will likely include a patched version of bash.
 
Which "initial patch"? What the heck are you talking about? There are dozens of Linux distros (which yes, probably use the same patch to fix the problem).

And until you tell us otherwise (preferably: URL!) we have to assume that the following distros already have a (working!) patch:

The current patch that everyone is deploying doesn't fully fix the issue.

-----
Hat has become aware that the patches shipped for this issue are incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. For details on a workaround, see: https://access.redhat.com/articles/1200223
-----
 
"'Bash' Security Flaw in all unix and linux systems Allows for Malicious Attacks on Devices and Services"

Fixed it for you, MR. (although I see it's the apple-bashing-day today).
 
The Bash vulnerability is not limited to OS X. Almost all Linux servers have Bash installed.

Oh, indeed you are right, the news made it sound like it was a problem specific to the bash version included in OSX, but it also exists on other unixes. So that's a huge problem.

However, the security issue is with passing environment variables to the shell and having them execute commands. But:
  • Who in his right mind would run Apache with root rights, or with any more rights than the minimum it needs to do its job? Seriously, this is admin 101: Apache should run as user Apache, and any command run in bash through it will too. Sure, you can still do a lot of damage as user Apache, but less than as root.
  • The framework and application should already sanitize user inputs, because unsanitized user inputs already lead to a bunch of attacks. If it is done correctly, suspect commands should already be removed.
  • It seems that to get in that situation, you have to execute a CGI script from Apache. Seriously, this is 2014, who still uses that? Besides, using user params to build arguments to a shell script is really asking for trouble...
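The kind of Terminal self-check the Ars article linked earlier provides, written out here as an added example (not from this thread, nor from Apple or GNU): it probes a bash binary for the original bug (CVE-2014-6271, trailing commands after an exported function definition being run on import) and for the incomplete-fix follow-up the Red Hat note above mentions (CVE-2014-7169, leftover parser state after a malformed definition). It assumes a POSIX sh with `env` and `mktemp` available; the bash path argument is optional.

```shell
#!/bin/sh
# Added example: report whether a bash binary is "patched", "vulnerable" or
# absent ("no-bash") for CVE-2014-6271 and CVE-2014-7169.
# Usage: shellshock_check [/path/to/bash]
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }

    # CVE-2014-6271: a fixed bash imports the function x and ignores what
    # follows; a broken one runs the trailing "echo vulnerable" while it is
    # still setting up its environment, before the -c command executes.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
    esac

    # CVE-2014-7169: with only the first patch applied, the malformed
    # definition leaves a dangling ">" and line continuation in the parser,
    # so "echo date" is executed as "> echo date", i.e. date's output is
    # written to a file named "echo".  Run it in a throwaway directory and
    # look for that file instead of trusting printed output.
    tmp=$(mktemp -d) || { echo "no-bash"; return 2; }
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        echo "vulnerable"
        return 1
    fi
    rm -rf "$tmp"
    echo "patched"
    return 0
}
```

A non-zero exit status (1 vulnerable, 2 no bash found) lets the function drop straight into a fleet-wide inventory script; the printed word is for humans.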
 
Because they have their own money for security research. I doubt that they wait for such reports in the public internet.

Actually .. they do. Just like all major OS vendors do too.

Often enough security flaws are found by third party researchers or companies. Usually it is good practice to inform the vendors security team ahead of a public statement to give the vendor time to roll out a fix before the bug hits the streets.

It seems in this case, most major Linux vendors responded with a quick fix. Apple (so far) didn't. It is however not clear whether or not they were informed.
So coming back to your point. Often enough vendors can only start investigating bugs after they have been publicly discussed on the internet because they simply do not know of them before.

T.
 
I read on a non-Apple centric site, "A newly discovered security bug in a widely used piece of Linux software, known as "Bash," could pose a bigger threat to computer users than the "Heartbleed" bug that surfaced in April, cyber experts warned on Wednesday." It also notes that it affects OS X but of course Bash isn't widely used on the Mac eh. So explain in layman's terms what the actual risk is as opposed to just piling on Apple because of the issues with the new iPhones.
 
No one ever said that the open source community of programmers was perfect or that they'd catch every bug with their multitude of programmers. Guess what, they're human. Some are enthusiasts, some are paid by large companies but they're still human beings.

A bit sick of that kind of snide remark. They always come from people who confuse "more secure" with "completely flawlessly secure". I really want to see where anyone has ever made the statement that open source code is absolutely flawless and unaffected by any security problems.

Nobody ever said? Basically whenever any security flaw is found anywhere, someone will pipe in and claim that it wouldn't have happened with open source. But when a security flaw is found in open source software, then "we are just human". Of course you have both been moving the goalposts (aka straw man argument).

So really, if you complain about snide comments, stop making snide comments yourself if you don't like getting them. And since I had the "pleasure" of working with OpenSSL, any snide comments are thoroughly deserved.
 
Correct, more than 10 million iPhones sold is a great week!

- iCloud hacks
- iOS 8 issues
- iOS 8.0.1 issues
- Bentgate
- HealthKit issues
- iPhone 6 RAM issues
- Free U2 Album issues
- Restricted NFC chip
- Keynote streaming issues

It's been a non-stop torrent of problems, problems and more problems.
 
Hee hee.
Nobody besides, wait, everyone over at Techbroil and MrPogson. And the people who evangelise FOSS all over the interwebs.
Nobody indeed.
 
This is a bug in a very central linux/unix application and its security implications across the internet are enormous, since most servers are using linux/unix flavored OS.

The big difference from Heartbleed is that the attack vector is far more involved and requires users being able to run scripts on the system, or at least allowing unfiltered user input in scripts run. This should limit the number of really affected systems drastically.

As far as Apple is concerned, it is a shame Apple hasn't responded yet. But I am sure they will, and until then I don't see too many people (especially with their private machines) being affected by this.

T.
 
So what now?

Could some security experts please tell us what to do now (unless some OS X update appears, hopefully) in one or two sentences? Switch off AirPort? Go offline? Switch off all Macs altogether? Delete iCloud and remotely delete iPhones/iPads? Thanks in advance for any hints. I'm not an expert and all that tech stuff confuses me. How severe is the exploit? Thanks again and sorry for the ignorance (no time left for studying tech stuff right now).

I mean:
1. For military-level security (I'm not kidding)
2. For celebs (with multiple personalities) security
3. For private security of "normal users" with "average" paranoia
 
- iCloud hacks

Last month.

- iOS 8 issues
- iOS 8.0.1 issues

Ok.

- Bentgate

Physics.

- HealthKit issues

Part of 'iOS 8 issues'.

- iPhone 6 RAM issues

Not an issue at all, just some idiots who think RAM is free.

- Free U2 Album issues

Weeks ago.

- Restricted NFC chip

Not an issue, just a business decision that not everyone agrees with.

- Keynote streaming issues

Weeks ago. (Though otherwise valid.)


So yeah, not too bad at all.
 
Last month.

Ok.

Physics.

Part of 'iOS 8 issues'.

Not an issue at all, just some idiots who think RAM is free.

Weeks ago.

Not an issue, just a business decision that not everyone agrees with.

Weeks ago. (Though otherwise valid.)

So yeah, not too bad at all.

Apple apologist alert!
 
The bug is fixed. The patch is available. Apple could have rolled it out by now.

The GNU people were even so nice as to backport the fixes to the ancient version Apple is using, because Apple doesn't want code that's licensed under GPL v3.

http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052

The initial patch did not seem to fix the problem, which you can read about in this thread: http://seclists.org/oss-sec/2014/q3/685

Apple just has to apply the patch and provide a new bash binary through software update. Apple does not have to identify the bug, they don't have to come up with a solution, they don't have to verify the fix. Everything is done already.

Stupid politics are the only thing that prevent the release of this bugfix. Probably because they like to bundle patches so people think their software is more secure because it isn't patched that often.

I wouldn't be so quick with assumptions, this was disclosed yesterday.

Which "initial patch"? What the heck are you talking about?

The initial patch of bash of course.
 
- iCloud hacks
- iOS 8 issues
- iOS 8.0.1 issues
- Bentgate
- HealthKit issues
- iPhone 6 RAM issues
- Free U2 Album issues
- Restricted NFC chip
- Keynote streaming issues

It's been a non-stop torrent of problems, problems and more problems.

If you're going to be a certified Apple basher, you need to keep track of all the Apple badness from Mobile Me to iPhone 4 antenna gate and forward. The real question is what's the impact; probably minor, since the only current issue that can't readily be fixed is the iPhone 6 Plus design flaw, but the same happened with the iPhone 4 - they'll end up giving out a free case for those who jam their giant phones in their skinny-jeaned fat bodies.
 
If you're going to be a certified Apple basher, you need to keep track of all the Apple badness from Mobile Me to iPhone 4 antenna gate and forward. The real question is what's the impact; probably minor, since the only current issue that can't readily be fixed is the iPhone 6 Plus design flaw, but the same happened with the iPhone 4 - they'll end up giving out a free case for those who jam their giant phones in their skinny-jeaned fat bodies.

I'm not - I love Apple - but this week they've been to hell and back!

Why is everyone so desperate to cover up that fact?
 
It also notes that it affects OS X but of course Bash isn't widely used on the Mac eh.

Bash is the default shell on OSX. So, it's used by all the users who use Terminal. It's also used by all the utilities and programs that make use of a shell in the background.
 
Bash is the default shell on OSX. So, it's used by all the users who use Terminal. It's also used by all the utilities and programs that make use of a shell in the background.

While bash is the default shell, I use zsh. ;) Then there are many scripts that default to #!/bin/sh as well.

In any case this seems to be an issue mostly with public-facing services where environment variables can be set from remote user input, afaik, not something most OS X users are doing, on the surface of things. But obviously Apple should hurry up and fix it.
 
So what now?

Could some security experts please tell us what to do now (unless some OS X update appears, hopefully) in one or two sentences? Switch off AirPort? Go offline? Switch off all Macs altogether? Delete iCloud and remotely delete iPhones/iPads? Thanks in advance for any hints. I'm not an expert and all that tech stuff confuses me. How severe is the exploit? Thanks again and sorry for the ignorance (no time left for studying tech stuff right now).

I mean:
1. For military-level security (I'm not kidding)
2. For celebs (with multiple personalities) security
3. For private security of "normal users" with "average" paranoia

Don't use MacOS X as a server which allows untrusted sources to execute bash scripts on your computer.

----------

Bash is the default shell on OSX. So, it's used by all the users who use Terminal. It's also used by all the utilities and programs that make use of a shell in the background.

Which doesn't matter. You can run bash safely all you like. The problem is using MacOS X as a server, allowing untrusted computers to run bash on your Mac. As long as you don't do that, you are safe.

It's like a gun in your home. If it's not loaded, it's safe. If it's in your gun cupboard, it's safe. If you use it and you know what you are doing, it's safe (of course you can hold it against your foot and pull the trigger, but that's your choice). If you add a remote control to it and let random people on the internet control it, then it's _not_ safe.
 

I more or less agree with all your points excluding the "bendgate" one: according to the various (admittedly unscientific) tests I've seen the iPhone 6+ compared to other smartphones bends far too easily.

The smaller iPhone 6 is much more resilient which can only be in part due to its smaller size: it looks more like that the larger iPhone 6+ has a weak point near the volume buttons which the smaller iPhone 6 lacks.
 
Which doesn't matter. You can run bash safely all you like. The problem is using MacOS X as a server, allowing untrusted computers to run bash on your Mac. As long as you don't do that, you are safe.

It's not as simple as that. An untrusted source could be using the exploit indirectly, e.g. by supplying data to a website on your server which uses a shell script.

Exploits like these show clearly that proper isolation of services is the way to go. I don't particularly care if a hacker gets access to my server, because it's a VM anyway and the web server runs with quite limited privileges.
 
- iCloud hacks
- iOS 8 issues
- iOS 8.0.1 issues
- Bentgate
- HealthKit issues
- iPhone 6 RAM issues
- Free U2 Album issues
- Restricted NFC chip
- Keynote streaming issues

It's been a non-stop torrent of problems, problems and more problems.

First world problems maybe.
 