As you’ve probably heard, there’s a remote vulnerability in Bash, which means
that an attacker can supply a malicious code by virtue of passing in an
environment variable with a specially crafted value that is then executed
by Bash when a new shell starts up. This could potentially give an attacker
control over an account running requests, which could include any HTTP request
(variables such as
REMOTE_HOST are passed through to CGI scripts by default)
as well as certain environment variables in SSH (such as
I have written about this more at InfoQ, and most major operating system vendors have published updates to their versions of Bash. I have also written a piece on ShellShocked — Behind the Bug and created the popular StackExchange question and answer on ShellShock.
Apple typically take time to fix these issues, so in the meantime, if you have an OSX server estate you are advised to upgrade to a new version of bash immediately.
If you have the Xcode developer tools available, you can compile it yourself as follows:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
You are advised to take backups before you make these changes and test that you can log in before you quit the shell you have started (because if there are problems you may not be able to fix this afterwards). When Apple release a fix you are recommended to apply that and verify that the new Apple version is used instead.
To test the fix is effective, run:
1 2 3 4
1 2 3 4 5
To permanently disable this class of bug by disabling all auto-imported functions, this patch can be applied (to 3.2p53). Either this or bash 3.2p54 will protect against the following vulnerability:
Once you’re happy, make sure the old versions are no longer executable (or better still, remove them) and then reboot your system. Otherwise any running processes might be tricked for log processing or other routine tasks.
1 2 3
You should also check for
sh installs in other locations, such as
/usr/local/bin. If you use a ports manager such
as Homebrew or Macports then you should follow the upgrade instructions
given by those package managers.
This post was also made to apple.stackexchange.com where it has received several hundred votes - so my thanks are due to everyone there, and of course, Chet for fixing the issues as quickly as they were.
Apple have released their fix for this issue, providing
appear to have fixed the above bugs including the
Game over bug, though
without using the upstream
bash-3.2p54 patch listed here.
Separate patches are available for different versions of OSX:
- https://support.apple.com/kb/DL1769 - Mavericks (10.9.5 and above)
- https://support.apple.com/kb/DL1768 - Mountain Lion (10.8.5)
- https://support.apple.com/kb/DL1767 - Lion (10.7.5)
Note that the official Apple patch is still vulnerable to a variant of the Game Over bug described above, as noted by @ake_____ on twitter.
Cautions administrators are invited to re-consider applying the ‘disable auto-import functions patch’ listed above, or rebuild to bash 3.2.55.