How do we patch bash in OSX?

Discussion in 'macOS' started by Tonsko, Sep 24, 2014.

Thread Status:
Not open for further replies.
  1. Tonsko macrumors 6502

    Tonsko

    Joined:
    Aug 19, 2010
    #1
  2. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #2
    GNU released patches to the bash source code to fix this. So this would require a recompile of bash to fix it.

    So it all depends on where your copy of bash is coming from. If it came from somewhere like Macports, they would have to update it there for you to pull down the new version.

    Natively, XCode could be used to roll your own update to it, otherwise, Apple would have to come out with the patched version for it. So until they do, you're going to be vulnerable.

    HOWEVER...

    For that vulnerability to be exploited, you have to have bash exposed in one of a couple of ways:
    • through Apache (if running it) and have mod_cgi enabled, or
    • through some interactive login service (telnet, rsh, ssh, etc.).

    The latter is probably more open than the former. So you would need to be sure that you have either those services turned off, or locked down to where only authenticated users have access to your Mac. So have a good look at your firewall rules first (either on your local Mac or your network), and make sure only authenticated users can get to your machine. Otherwise, turn off remote accessibility, and wait for Apple to put out the patched version.

    Only then could you say that you are safe from this bug.

    BL.
     
  3. 556fmjoe macrumors 65816

    556fmjoe

    Joined:
    Apr 19, 2014
    #3
    Yup.

    Just to add though, there is another way to be exposed. DHCP clients often run shell scripts that receive data from the DHCP server. If that server was malicious, it could exploit this vulnerability and get code execution as root. I'm not familiar with OS X's method, but it is a possibility for any system that does this.
     
  4. alex0002, Sep 24, 2014
    Last edited: Sep 24, 2014

    alex0002 macrumors 6502

    Joined:
    Jun 19, 2013
    Location:
    New Zealand
    #4
    Bash in OS X 10.9.5 appears to be vulnerable.
    Test with the following in the terminal...

    Code:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    If you get the following output, then the system is vulnerable.

    Code:
    vulnerable
    this is a test
    More info:
    http://arstechnica.com/security/201...big-security-hole-on-anything-with-nix-in-it/

    If you run a web server or another service that is accessible by remote users and that service requires bash, one option might be to install bash via Homebrew and ensure that all services use that bash, rather than the default bash provided by Apple.

    I'm assuming the bash provided by homebrew will be patched soon, if not already.

    Apple might be a little slow to patch this one, as my understanding is that they use an old version of bash, so they would need to backport the patch to the older version.


    EDIT: even better, follow the instructions here to compile and install a patched bash:

    http://apple.stackexchange.com/ques...ash-to-avoid-the-remote-exploit-cve-2014-6271
    http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html

    Hopefully there will be something official from Apple before too long, but anyone running a server might not want to wait.
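    The probe alex0002 gives above, wrapped so that it can be run against each shell on the system in one go. This is an added example, not code from the thread; the three shell paths it reports on (/bin/bash, /bin/sh and Homebrew's /usr/local/bin/bash) are assumptions, and it prints one word per shell instead of the raw echo output.

```shell
#!/bin/sh
# Added example, not from the thread: wraps the CVE-2014-6271 probe used
# above in a function so every shell a Mac might run can be checked the
# same way. The shell paths listed in report_shells are assumptions.

# Prints "vulnerable" if the shell at $1 executes the command that follows
# an exported function definition, "patched" if it does not, and "missing"
# if there is no executable there. Always returns 0; read the word.
check_shellshock() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo missing
        return 0
    fi
    # The same probe the thread uses: a function body followed by a trailing
    # command, passed in an environment variable. An unpatched bash imports
    # the function and runs the trailing "echo vulnerable" while starting up.
    # Other shells (and a patched bash) just see an odd environment variable.
    out=$(env x='() { :;}; echo vulnerable' "$shell_path" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
    return 0
}

# One line per shell. /bin/sh is included because on OS X it is a bash
# build as well, and /usr/local/bin/bash is where Homebrew installs its copy.
report_shells() {
    for s in /bin/bash /bin/sh /usr/local/bin/bash; do
        printf '%s: %s\n' "$s" "$(check_shellshock "$s")"
    done
}

report_shells
```

    Run it before and after installing a patched bash; a shell that is still reported as vulnerable is one that services on the machine may be handing attacker-controlled environment variables to.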
     
  5. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #5
    Now that I think about it, another (and definitely evil) way to alleviate this from any sort of interactivity level is to take /path/to/bash out of /etc/shells. That prevents it from being used as a valid interactive shell for login.

    Also, you could mv bash out of the way, set it read only by the superuser (mode 0400), then symlink /bin/false to /path/to/bash. That way anyone that tries to use it gets exited nonzero, and booted off.

    Collateral damage here is that anyone that uses bash won't have a shell anymore. Ever since I started with Unix, I write scripts in bash, but my shell has always been tcsh. So as long as your normal users know how to use another shell, they'll be fine.

    BL.
     
  6. 556fmjoe macrumors 65816

    556fmjoe

    Joined:
    Apr 19, 2014
    #6
    I would be careful with this until you know how it affects system scripts.
     
  7. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #7
    For most unixes, /bin/sh is not symlinked to /bin/bash (Linux excluded, and Debian and Ubuntu use ash as their system shell). So if there is a script being used by the system, it was not installed by the OS.

    Cron uses /bin/sh to execute commands in its crontab entries, but once again, bash would have to be symlinked from /bin/sh for it to be affected. So as long as /bin/sh is an actual binary that is not bash, it *should* be okay.

    Recommended? No, but possibly an option; just have to tread carefully.

    BL.
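    Two checks that go with the last few posts, added here as an example and not code from the thread. The first asks a shell binary whether it is really bash (bash sets BASH_VERSION in every mode, including when it is installed or invoked as sh, so looking only for a symlink can miss it, which matters for the /bin/sh question above). The second looks a path up in an /etc/shells-style file, which is the list the /etc/shells suggestion would edit. The sample shells file it uses is constructed inline rather than the real /etc/shells.

```shell
#!/bin/sh
# Added example, not from the thread: two checks behind the posts above.
# shell_kind asks a shell binary whether it is really bash, since bash sets
# BASH_VERSION in every mode, even when installed or invoked as sh, so a
# symlink check alone can miss it. shell_listed checks an /etc/shells-style
# file for a path. The sample file below is constructed, not the real one.

# Prints "bash" if the interpreter at $1 is bash (in any mode), "other" for
# any other interpreter, "missing" if there is no executable at $1.
shell_kind() {
    if [ ! -x "$1" ]; then
        echo missing
        return 0
    fi
    # Single quotes keep the expansion inside the probed shell; a non-bash
    # shell expands ${BASH_VERSION:-} to nothing or fails, both mean "other".
    v=$("$1" -c 'printf "%s" "${BASH_VERSION:-}"' 2>/dev/null) || true
    if [ -n "$v" ]; then
        echo bash
    else
        echo other
    fi
    return 0
}

# Prints "listed" if $2 appears as a whole line in the /etc/shells-style
# file $1 (comment lines start with "#"), otherwise "unlisted". A missing
# or unreadable file counts as unlisted.
shell_listed() {
    if [ ! -r "$1" ]; then
        echo unlisted
        return 0
    fi
    if grep -v '^#' "$1" | grep -Fqx "$2"; then
        echo listed
    else
        echo unlisted
    fi
    return 0
}

# Constructed sample in /etc/shells format so the check runs without
# touching the real file.
SAMPLE_SHELLS=$(mktemp)
printf '# constructed sample, not the real /etc/shells\n/bin/sh\n/bin/bash\n/bin/tcsh\n' > "$SAMPLE_SHELLS"

# Report: is /bin/sh actually bash, and which shells does the sample list?
report() {
    printf '/bin/sh is: %s\n' "$(shell_kind /bin/sh)"
    for s in /bin/bash /bin/tcsh /usr/local/bin/bash; do
        printf '%s: %s in sample file\n' "$s" "$(shell_listed "$SAMPLE_SHELLS" "$s")"
    done
}

report
```

    Point shell_listed at the real /etc/shells to see which interpreters are still accepted as login shells, and run shell_kind against /bin/sh before assuming that cron or system scripts are not going through bash.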
     
  8. Watabou, Sep 24, 2014
    Last edited: Sep 24, 2014

    Watabou macrumors 68040

    Watabou

    Joined:
    Feb 10, 2008
    Location:
    United States
    #8
    Apple hasn't upgraded their bash in such a long time (last update in 2006). But for the sake of getting this fixed, I filed a radar anyway. Let's hope Apple finally updates bash.

    Here is another discussion (better than any I've found): https://news.ycombinator.com/item?id=8365158

    The current patch is incomplete. Bash is still vulnerable.

    I was thinking of symlinking Homebrew's bash (/usr/local/bin/bash) to (/bin/bash) in the meantime. Would this have any unintended consequences? Shell scripts that are hardcoded to /bin/bash would still work.
     
  9. FinnPhone macrumors member

    FinnPhone

    Joined:
    Jan 27, 2012
    #9
    'Shell Shock' bug, causing any risk for normal user?

    http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

    So, using Mavericks 10.9.5 and this news made me worry. I did run this line: env X="() { :;} ; echo busted" /bin/sh -c "echo stuff" on my computer and it seems to be vulnerable :(
     
  10. mpainesyd, Sep 24, 2014
    Last edited: Sep 24, 2014

    mpainesyd macrumors 6502

    mpainesyd

    Joined:
    Nov 29, 2008
    Location:
    Sydney, Australia
    #10
    BASH vulnerability in Unix, including OSX

    From the CERT website:
    https://www.us-cert.gov/ncas/curren...hell-Bash-Remote-Code-Execution-Vulnerability

    Bourne Again Shell (Bash) Remote Code Execution Vulnerability
    Original release date: September 24, 2014

    US-CERT is aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system...

    No sign of a response from Apple

    Update
    This MacRumors link just popped up (it wasn't there when I searched for "bash"):
    http://forums.macrumors.com/showthread.php?t=1789221
     
  11. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #11
    If it is patched, then you should be okay. However, if you say that the current patch is incomplete (meaning, the patches that GNU released to fix the problem), then Homebrew's bash is still vulnerable, as it should be using the same source.

    If it is truly incomplete, then locking down your Mac would be a better avenue to go down and waiting for GNU to get things right with the source code, than using Homebrew's version, which would still be just as vulnerable.

    BL.
     
  12. Tonsko thread starter macrumors 6502

    Tonsko

    Joined:
    Aug 19, 2010