Heartbleed, move over. There's a new bug in town, and this time it's also affecting Mac and Linux computers. It's called Shellshock (its original official title is CVE-2014-6271), and it's currently got a 10 out of 10 severity rating over at the National Cyber Awareness System. While some updates have been issued to fix this bug, they were incomplete, and your system is probably still vulnerable, as it probably has been for the last 20 years.
UPDATE 9/26/2014
A new patch addresses an additional attack vector known as CVE-2014-7169.
If you followed these instructions before 3:10 p.m. PDT on Friday, September 26th, 2014, please delete your bash-fix directory (you can find it in Users -> Username via the Finder) and follow all the steps below again (starting with Step #1) to ensure that your system is fully patched. If you did not already update manually, then do not delete the bash-fix directory.
The instructions now fully address both vulnerabilities and should be the last patch you need to perform.
What Is Bash?
Bash is a command-line shell used in many Linux- and Unix-based operating systems, including Mac OS X. If bash is the default system shell on your computer, it can be used by remote hackers for network-based attacks. With a simple script, a hacker can launch programs or enable features on your computer without any passwords needed and without your knowledge. They could access your files, copy confidential information, delete data, run programs, and more.
While the likelihood of your personal Mac being targeted by an attack is relatively small, it's still a big issue that will hopefully get a real and working patch soon. Until then, there are a few things you can do.
Testing for Vulnerability #1
In a Terminal window, type the following command into the shell, followed by the Enter key. Terminal can be found in Utilities in your Applications folder, or via a quick Spotlight search.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
The Good Result
If your system is not vulnerable to the Shellshock bug, it will return something similar to the output below.
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
The Bad Result
If your system is indeed vulnerable to Shellshock, you'll see the following instead.
vulnerable
this is a test
Testing for Vulnerability #2 (Added 9/26/2014)
If you pass the first test, use the following test to see if you're vulnerable to the second attack vector, which was discovered on Thursday.
If your system is fine, you'll see something like the following (without any printout of the current date and time).
date
cat: echo: No such file or directory
The Bad Result
If your system is indeed vulnerable to the second attack vector, you'll see the following instead.
date
<The Current Date and Time>
Is There an Update Yet?
Many Linux distros have already released patches for Shellshock (though they were mostly incomplete), but Mac OS X has not received anything yet, and Apple hasn't even commented on the issue. There was a recent 10.9.5 update for Mavericks, but it has nothing pertaining to this issue.
If you're worried, though, there is a way to manually update your GNU bash version to a more secure one, thanks to some users over at StackExchange.
Check Your Current Bash Version
To see what version of bash you have installed on your Mac, enter the following command (followed by the Enter key) into the shell in a Terminal window.
bash --version
If you get GNU bash, version 3.2.51(1)-release, then you'll want to manually update to the newest version of bash 3.2, which is 3.2.53. Also, if you've already used this guide to update to 3.2.52(1)-release, then you'll want to perform everything below again to make sure you're fully protected.
There are newer versions of bash out there, but Mac OS X runs off the 3.2 branch. If you're using Linux, you'll want to make sure the patch you download matches the version of bash you're using. The latest patches for all major versions of bash (including 3.0, 3.1, 3.2, 4.0, 4.1, 4.2, and 4.3) can be found here.
Manually Updating Bash - Initial Requirements
You can manually compile the newest bash version (3.2.53) using the below instructions, but you have to have Apple's Xcode installed on your Mac for this to work. If you don't have it, follow the instructions in the Prerequisite Check section below.
If you don't want to update bash, there is a workaround provided by Red Hat, but it hasn't been tested fully, so I wouldn't recommend it.
Prerequisite Check
You'll need to make sure you have Xcode installed, and have agreed to Apple's terms. For older Macs, you'll also need to make sure you have all the command line tools.
You can download Xcode for free from the Mac App Store.
If you're on an older version of Mac OS X and Xcode isn't available for you in the Mac App Store, you can download older versions by searching for the proper version number after logging into Apple's developer portal here with your Apple ID. If you're on Mac OS X 10.7 or 10.8, search for "Xcode 4.6.3" in the Downloads for Apple Developers search box on the left side of the page.
Once you've installed Xcode, launch it from your Applications folder and agree to Apple's license agreement (the initial launch may take a while). After that, you'll want to confirm that you have all of the command line tools. To do so, do the following:
With Xcode open, click the Xcode menu in your top menu bar.
Click Preferences.
Click the Downloads tab.
Click Install next to the Command Line Tools in the list of downloads.
Note: If you don't see "Command Line Tools" in the downloads tab, then that means you've already got them and are ready to go!
Once done, you have everything you need to patch your system.
Step 1: Download & Compile the Patch
Once you've confirmed you have Xcode installed, open Terminal again and enter the following commands. Each bullet point is one command, so make sure you copy the full line in each bullet point (minus the bullet, of course).
This process may take a while, and you'll see a lot of text appearing in the Terminal window. It's just Xcode compiling the new version of bash on your system. Once it's done, it'll say "BUILD SUCCEEDED" and you'll see a Terminal prompt again.
Step 2: Download, Compile, & Build the Second Patch
This step was added on 9/26/2014 at 3:10 p.m. PDT to address the second vulnerability. Please see the "UPDATE" section at the top of this article for more information.
Step 3: Back Up Your Current Version (Just in Case)
Just in case something goes wrong, it's a good idea to back up your current version of bash. You can do so by entering the following two commands in Terminal.
Note that you'll likely be prompted for a password when doing this step. If so, use the same password you use to log in to your Mac. You will not see your password in Terminal as you type, so it may take you a few attempts if you have a complicated password.
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old
You won't see any confirmation, but it'll work, and if something goes wrong after Step #5 below, you can get back your old un-patched version of bash by reversing the above copy commands, copying the ".old" copies back over their original files (without the ".old" part).
Step 4: Verify the Version of Your New Build
Enter the following commands in Terminal to verify you've got the new version of the bash build on your computer.
build/Release/bash --version
build/Release/sh --version
The output of these commands should confirm for you that the build version of bash is 3.2.53(1)-release.
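As an added example (not part of the original article), the POSIX shell script below wraps the article's first Shellshock test and the version check into functions that take the path of the bash to probe, so the same check can be run against /bin/bash and against the freshly built build/Release/bash from Step 4 before it is copied into place. The function names are my own; the probe string and the 3.2.53 target version come from the article.

```shell
#!/bin/sh
# Added example, not the article's own code: probe a bash binary with the
# same CVE-2014-6271 test the article uses, so a newly built bash can be
# checked before it replaces /bin/bash.
# shellshock_status prints one of: patched | vulnerable | missing
# and returns 0, 1 or 2 respectively.

shellshock_status() {
    bin="${1:-bash}"                      # path or name of the bash to probe
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo missing
        return 2
    fi
    # The probe: an environment variable shaped like an exported function
    # with extra commands after the body. A fixed bash refuses the import
    # (warning on stderr, discarded here) and prints only the test string.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# Pull just the numeric version out of "bash --version" so it can be compared
# with the 3.2.53 target the article names for the OS X 3.2 branch.
bash_version() {
    "${1:-bash}" --version 2>/dev/null \
        | sed -n 's/^GNU bash, version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Stand-alone run: report on the path given as $1, or the bash on PATH.
# e.g.  sh check.sh build/Release/bash
target="${1:-bash}"
printf '%s: version %s, %s\n' "$target" "$(bash_version "$target")" "$(shellshock_status "$target")"
```

The status word is also the return code, so the check can gate a script that copies the new build into /bin only when it reports "patched".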
Step 5: Replace Your Old Bash with the Patched Version
Almost done. You just have to copy the new version of bash over your old version. Do so with the following Terminal commands.
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin
And that's it. Now just try out the test again, and if it comes back with the good result (i.e., not the one that says "vulnerable"), then you're golden.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
And run the second test to confirm the current date and time don't print out:
If the date does print out again, first check your user home directory to see if a file called "echo" was created when you ran the test the first time. If so, delete it and run the test again. If the date still prints out, chances are you missed part of the new Step #2 above. If you ever think you might have messed up a command, you can always start over by deleting your bash-fix folder and starting again from Step #1. Also note that you can delete the bash-fix folder if you're all good, too, because it's just a temporary folder.