How do we patch bash in OSX?

Status: Not open for further replies.

bradl

macrumors 601
Jun 16, 2008
4,029
11,945
Horrible bash code injection vulnerability CVE-2014-6271:

http://seclists.org/oss-sec/2014/q3/650

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

It's pretty serious. Any clues on how to patch bash in OSX?
GNU released patches to the bash source code to fix this. So this would require a recompile of bash to fix it.

So it all depends on where your copy of bash is coming from. If it came from somewhere like MacPorts, they would have to update it there for you to pull down the new version.

Natively, Xcode could be used to roll your own update to it, otherwise, Apple would have to come out with the patched version for it. So until they do, you're going to be vulnerable.

HOWEVER...

For that vulnerability to be exploited, you have to have bash exposed in one of a couple of ways:
  • through Apache (if running it) and have mod_cgi enabled, or
  • through some interactive login service (telnet, rsh, ssh, etc.).

The latter is probably more open than the former. So you would need to be sure that you have either those services turned off, or locked down to where only authenticated users have access to your Mac. So have a good look at your firewall rules first (either on your local Mac or your network), and make sure only authenticated users can get to your machine. Otherwise, turn off remote accessibility, and wait for Apple to put out the patched version.

Only then could you say that you are safe from this bug.

BL.
 

556fmjoe

macrumors 68000
Apr 19, 2014
1,910
1,603
> GNU released patches to the bash source code to fix this. So this would require a recompile of bash to fix it.
>
> So it all depends on where your copy of bash is coming from. If it came from somewhere like MacPorts, they would have to update it there for you to pull down the new version.
>
> Natively, Xcode could be used to roll your own update to it, otherwise, Apple would have to come out with the patched version for it. So until they do, you're going to be vulnerable.
>
> HOWEVER...
>
> For that vulnerability to be exploited, you have to have bash exposed in one of a couple of ways:
>   • through Apache (if running it) and have mod_cgi enabled, or
>   • through some interactive login service (telnet, rsh, ssh, etc.).
>
> The latter is probably more open than the former. So you would need to be sure that you have either those services turned off, or locked down to where only authenticated users have access to your Mac. So have a good look at your firewall rules first (either on your local Mac or your network), and make sure only authenticated users can get to your machine. Otherwise, turn off remote accessibility, and wait for Apple to put out the patched version.
>
> Only then could you say that you are safe from this bug.
>
> BL.
Yup.

Just to add though, there is another way to be exposed. DHCP clients often run shell scripts that receive data from the DHCP server. If that server was malicious, it could exploit this vulnerability and get code execution as root. I'm not familiar with OS X's method, but it is a possibility for any system that does this.
 

alex0002

macrumors 6502
Jun 19, 2013
489
113
New Zealand
Bash in OS X 10.9.5 appears to be vulnerable.
Test with the following in the terminal...

Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you get the following output, then the system is vulnerable.

Code:
vulnerable
this is a test
More info:
http://arstechnica.com/security/201...big-security-hole-on-anything-with-nix-in-it/

If you run a web server or another service that is accessible by remote users and that service requires bash, one option might be to install bash via Homebrew and ensure that all services use that bash, rather than the default bash provided by Apple.

I'm assuming the bash provided by Homebrew will be patched soon, if not already.

Apple might be a little slow to patch this one, as my understanding is that they use an old version of bash, so they would need to backport the patch to the older version.


EDIT: even better, follow the instructions here to compile and install a patched bash:

http://apple.stackexchange.com/ques...ash-to-avoid-the-remote-exploit-cve-2014-6271
http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html

Hopefully there will be something official from Apple before too long, but anyone running a server might not want to wait.
 
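The one-liner in the post above is the whole check: an exported variable whose value starts with "() {" is imported as a function, and a vulnerable bash runs whatever follows the closing brace. That is exactly how mod_cgi hands request headers to a CGI script (as environment variables), which is why the web-server vector matters. The script below is an added example, not code from the thread or from the linked pages. It wraps the same test in functions, adds the follow-up check for CVE-2014-7169 (the bug left behind by the first, incomplete patch; its payload makes "echo date" land in a file named "echo" instead of on stdout), and runs both against /bin/sh as well, since on OS X /bin/sh is itself a bash build. The Homebrew and MacPorts paths are assumptions about where a third-party bash would live.

```shell
#!/bin/sh
# Shellshock checks for a given shell binary. Added example; exit status
# 0 means "vulnerable", 1 means "not vulnerable" for the check_* functions.

# CVE-2014-6271: the command after the function body in an exported
# variable is executed when the shell starts, before -c runs anything.
check_cve_2014_6271() {
    shell="$1"
    out="$(env 'x=() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>/dev/null)"
    case "$out" in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# CVE-2014-7169 (the incomplete-patch follow-up): a parser bug leaves a
# stray redirection behind, so the output of "date" is written to a file
# called "echo" in the working directory. Run it in a scratch directory
# and look for that file.
check_cve_2014_7169() {
    shell="$1"
    dir="$(mktemp -d)" || return 1
    ( cd "$dir" && env 'X=() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1 )
    if [ -f "$dir/echo" ]; then
        rm -rf "$dir"
        return 0
    fi
    rm -rf "$dir"
    return 1
}

# One-word verdict for a shell path, for reporting.
shellshock_verdict() {
    shell="$1"
    if [ ! -x "$shell" ]; then echo "missing"; return; fi
    if check_cve_2014_6271 "$shell"; then echo "CVE-2014-6271"; return; fi
    if check_cve_2014_7169 "$shell"; then echo "CVE-2014-7169"; return; fi
    echo "not-vulnerable"
}

# Test every bash that could be reached by a service: Apple's /bin/bash,
# /bin/sh (a bash build on OS X), and the usual third-party install paths
# (assumed locations for Homebrew and MacPorts).
for s in /bin/bash /bin/sh /usr/local/bin/bash /opt/local/bin/bash; do
    printf '%s: %s\n' "$s" "$(shellshock_verdict "$s")"
done
```

A shell that reports "missing" is simply not installed at that path. Anything other than "not-vulnerable" on a shell that a CGI script, a login service or a DHCP client hook can reach is the thing to fix first.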

bradl

macrumors 601
Jun 16, 2008
4,029
11,945
Now that I think about it, another (and definitely evil) way to alleviate this from any sort of interactivity level is to take /path/to/bash out of /etc/shells. That prevents it from being used as a valid interactive shell for login.

Also, you could mv bash out of the way, set it read only by the superuser (mode 0400), then symlink /bin/false to /path/to/bash. That way anyone that tries to use it gets exited nonzero, and booted off.

Collateral damage here is that anyone that uses bash won't have a shell anymore. Ever since I started with Unix, I write scripts in bash, but my shell has always been tcsh. So as long as your normal users know how to use another shell, they'll be fine.

BL.
 

556fmjoe

macrumors 68000
Apr 19, 2014
1,910
1,603
> Now that I think about it, another (and definitely evil) way to alleviate this from any sort of interactivity level is to take /path/to/bash out of /etc/shells. That prevents it from being used as a valid interactive shell for login.
>
> Also, you could mv bash out of the way, set it read only by the superuser (mode 0400), then symlink /bin/false to /path/to/bash. That way anyone that tries to use it gets exited nonzero, and booted off.
>
> Collateral damage here is that anyone that uses bash won't have a shell anymore. Ever since I started with Unix, I write scripts in bash, but my shell has always been tcsh. So as long as your normal users know how to use another shell, they'll be fine.
>
> BL.
I would be careful with this until you know how it affects system scripts.
 

bradl

macrumors 601
Jun 16, 2008
4,029
11,945
> I would be careful with this until you know how it affects system scripts.

For most unixes, /bin/sh is not symlinked to /bin/bash (Linux excluded, and Debian and Ubuntu use ash as their system shell). So if there is a script being used by the system, it was not installed by the OS.

Cron uses /bin/sh to execute commands in its crontab entries, but once again, bash would have to be symlinked from /bin/sh for it to be affected. So as long as /bin/sh is an actual binary that is not bash, it *should* be okay.

Recommended? no, but possibly an option; just have to tread carefully.

BL.
 
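Before moving bash aside as described in the two posts above, it pays to measure the collateral damage rather than guess at it. The script below is an added example, not code from the thread. It answers the question the cron caveat turns on (is the binary behind a given name, /bin/sh included, really bash? only bash sets BASH_VERSION), lists scripts whose shebang names bash directly or via env, and shows which /etc/shells entries would have to go. The directories scanned in the --run section are assumptions; pass your own.

```shell
#!/bin/sh
# Pre-flight audit before replacing bash with /bin/false. Added example.

# Is the program at the given path actually bash, whatever it is called?
# BASH_VERSION is set only by bash, so a /bin/sh that is a bash build
# answers yes here while dash, ash or tcsh answer no.
is_bash() {
    v="$("$1" -c 'printf %s "${BASH_VERSION:-}"' 2>/dev/null)"
    [ -n "$v" ]
}

# Files under the given directories whose first line is a bash shebang,
# either #!/bin/bash (with or without options) or #!/usr/bin/env bash.
# Plain #!/bin/sh scripts are deliberately not listed: they only break
# if /bin/sh itself is bash, which is_bash decides separately.
bash_shebang_scripts() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        first="$(head -n 1 "$f" 2>/dev/null)"
        case "$first" in
            '#!'*/bash*|'#!'*/env*bash*) printf '%s\n' "$f" ;;
        esac
    done
}

# Number of such scripts, for a quick go/no-go decision.
count_bash_shebang_scripts() {
    bash_shebang_scripts "$@" | wc -l | tr -d ' '
}

# Non-comment lines of an /etc/shells-style file that end in /bash;
# these are the entries to remove so bash is no longer a valid login shell.
bash_entries_in_shells_file() {
    grep -E '^[^#]*/bash$' "$1" 2>/dev/null
}

# Report on the live system when invoked with --run. Directories are an
# assumed starting point; cron spool and launchd job scripts are worth
# adding for a real audit.
if [ "${1:-}" = "--run" ]; then
    for s in /bin/sh /bin/bash; do
        if is_bash "$s"; then echo "$s is bash"; else echo "$s is not bash"; fi
    done
    echo "bash entries in /etc/shells:"
    bash_entries_in_shells_file /etc/shells
    echo "scripts with a bash shebang under /usr/local/bin and /etc:"
    bash_shebang_scripts /usr/local/bin /etc
fi
```

If is_bash says yes for /bin/sh, every #!/bin/sh script and every cron entry runs through the same vulnerable parser, and pointing /bin/bash at /bin/false does nothing for them; that is the case where the "tread carefully" advice above turns into "don't".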

Watabou

macrumors 68040
Feb 10, 2008
3,419
727
United States
Apple hasn't upgraded their bash in such a long time (last update in 2006). But for the sake of getting this fixed, I filed a radar anyway. Let's hope Apple finally updates bash.

Here is another discussion (better than any I've found): https://news.ycombinator.com/item?id=8365158

The current patch is incomplete. Bash is still vulnerable.

I was thinking of symlinking Homebrew's bash (/usr/local/bin/bash) to (/bin/bash) in the meantime. Would this have any unintended consequences? Shell scripts that are hardcoded to /bin/bash would still work.
 

mpainesyd

macrumors 6502a
Nov 29, 2008
639
154
Sydney, Australia
BASH vulnerability in Unix, including OSX

From the CERT website:
https://www.us-cert.gov/ncas/curren...hell-Bash-Remote-Code-Execution-Vulnerability

Bourne Again Shell (Bash) Remote Code Execution Vulnerability
Original release date: September 24, 2014

US-CERT is aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system...

No sign of a response from Apple

Update
This MacRumors link just popped up (it wasn't there when I searched for "bash"):
https://forums.macrumors.com/threads/1789221/
 

bradl

macrumors 601
Jun 16, 2008
4,029
11,945
> Apple hasn't upgraded their bash in such a long time (last update in 2006). But for the sake of getting this fixed, I filed a radar anyway. Let's hope Apple finally updates bash.
>
> Here is another discussion (better than any I've found): https://news.ycombinator.com/item?id=8365158
>
> The current patch is incomplete. Bash is still vulnerable.
>
> I was thinking of symlinking Homebrew's bash (/usr/local/bin/bash) to (/bin/bash) in the meantime. Would this have any unintended consequences? Shell scripts that are hardcoded to /bin/bash would still work.

If it is patched, then you should be okay. However, if you say that the current patch is incomplete (meaning, the patches that GNU released to fix the problem), then Homebrew's bash is still vulnerable, as it should be using the same source.

If it is truly incomplete, then locking down your Mac would be a better avenue to go down and waiting for GNU to get things right with the source code, than using Homebrew's version, which would still be just as vulnerable.

BL.
 