Monday, September 29, 2014

Coverage Of:
Apple's Bash 'ShellShock' Bugs Patchfest

-> 2014-09-29 at 9:00 pm EDT. Some language altered. 'SCORE KEEPING!' section added.
-> 9:30 pm EDT. Updated CVE data and links in 'SCORE KEEPING!' section.
-> 2014-09-30 at 6:45 pm EDT. Added the 'FURTHER INFORMATION!' section with links to two SANS presentations on the Bash bugs. Added the 'ALERT' section with advice to server and client Mac users and a link to Rich Mogul's relevant article. Also added: A link to Adam Engst's 'How to Test Bash for Shellshock Vulnerabilities.']

ALERT: Active exploits are in-the-wild for Bash bug CVEs that have NOT yet been patched by Apple! These exploits are specific to UNIX (including OS X) servers exposed to the Internet. All admins should be applying every latest official Bash patch relevant to their servers as they are released. This is imperative. 

Client Mac users, however, generally have no major worries (as of yet). Nonetheless, here is an excellent strategy to help prevent potential exploits (with thanks to Rich Mogul):

1) Have your OS X Firewall running! Its tab is located in the Security & Privacy System Preferences pane.
2) Turn OFF Guest User access in the Users & Groups System Preferences pane.
3) Turn OFF Remote Login in the Sharing System Preferences pane.
~4) Not so critical, but useful: Check ON 'Block all incoming connections'. This setting is located in the Security & Privacy System Preferences pane, under the Firewall tab, under the 'Firewall Option' button. Note Apple's warning when you activate this setting! It will block ALL sharing services, which will itself cause problems on your LAN (local area network). If you aren't using a LAN, check it on.

Welcome to the Patchfest! 

This is where I'll be listing all the Bash 'ShellShock' Bugs CVEs and Apple patches as they are released.

1) 2014-09-29, 6:30 pm:

Apple has released its FIRST patch for the Bash security bugs. It patches two out of six known and published Bash security flaws. As such, expect further Apple Bash patchs in the very near future.

Here is Apple's Security Report, which includes links to the first available patches. I've added formatting and bolding to provide focus points.
APPLE-SA-2014-09-29-1 OS X bash Update 1.0
OS X bash Update 1.0 is now available and addresses the following:


Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5,  OS X Mavericks v10.9.5

Impact: In certain configurations, a remote attacker may be able to execute arbitrary  shell commands

Description: An issue existed in Bash's parsing of environment variables. This issue was  addressed through improved environment variable parsing by better detecting the end of  the function statement.

This update also incorporated the suggested CVE-2014-7169 change, which resets the  parser state.

In addition, this update added a new namespace for exported functions by creating a  function decorator to prevent unintended header passthrough to Bash. The names of all  environment variables that introduce function definitions are required to have a  prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via  HTTP headers.

CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy

OS X bash Update 1.0 may be obtained from the following webpages: – OS X Lion – OS X Mountain Lion – OS X Mavericks

To check that bash has been updated:
* Open Terminal
* Execute this command:
bash --version
* The version after applying this update will be:
OS X Mavericks:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Information will also be posted to the Apple Security Updates web site:
NOTE: Not all currently knows Bash CVEs have been patched! The remaining CVEs must wait to be patched another day...

You can look up CVE reports using links under the 'Friends of Mac-Security' on the right of this page. But I will be providing links to CVE reports as the become known to me. Check out the 'SCORE KEEPING!' section below.

~ ~ ~ ~ ~ 


[Last updated 2014-09-29 at 9:30 pm EDT]

Here is the current list of Bash bug CVEs. I'll be updating it as I learn more and as Apple patches each CVE. Note that this list is 'to the best of my knowledge'. CVEs not yet listed at NIST remain nebulous, strange and abstract in the aether, unverifiable by mere mortals on planet Earth. So don't hold me to them.

CVE-2014-6271 (√ Patched by Apple 2014-09-29)

CVE-2014-7169 (√ Patched by Apple 2014-09-29)

CVE-2014-6278 (Unpatched. No description. Not yet listed at NIST)

~ ~ ~ ~ ~


-> Today (2014-09-30) the SANS Institute posted and updated a 13 minute video presentation by Johannes B. Ullrich, Ph.D., about the Bash bugs situation (as of this moment). SANS offer:
- An audio presentation.
- A video presentation at YouTube with audio and slides.
- A PDF of notes.
- PowerPoint slides.
All are available HERE.

-> Wednesday (2014-10-01) at 3:00 EDT (19:00:00 UTC) SANS will be offering a 'webinar' with Johannes Ullrich and Chris Wysopal. It is entitled "Shell Shock - What you need to know." Here is the notification they sent out on Tuesday afternoon:

***************  Sponsored By Veracode  ***************

Shell Shock - What you need to know:
Wednesday, October 01 at 3:00 PM EDT (19:00:00 UTC) - There is speculation that Shellshock, the latest vulnerability in a long line of major discoveries, will be more catastrophic than Heartbleed. During this webinar, Johannes Ullrich, SANS and Chris Wysopal, co-founder and CTO of Veracode, will outline what you need to know about Shellshock. They will also explain how you can respond to this specific vulnerability and what you can do to prepare for the inevitable future vulnerability discoveries.


-> Adam Engst of TidBITS has created a great page entitled "How To Test Bash for Shellshock Vulnerabilities". It is an elaboration upon the work on my Bash coverage here. He will be updating it if/when further Bash CVEs are made public. Thank you Adam!

I wrote to Adam Engst tonight about what a terrific gestalt of helpful people we have within the Mac community, including himself and Rich Mogul. Links to a lot of other helpful Mac gestalt members are listed under 'Friends of Mac-Security' on the right of this page.

Share and Enjoy,



  1. Hi Derek, thanks for your blog and all the information you put in there.

    Stupid question - is it not enough to remove bash altogether and make another shell, say zsh or fish, the default shell? Or is that too easy? Are there certain parts of OS X that rely on bash being there?


  2. Hi Fritz! Not a stupid question. We're used to using Bash from the Terminal and are not aware that a lot of other processes us Bash as well. You'd think Bash was there for we mere humans to use and that everything else in the machine would be using machine language. But that is not the case. These days, for example, a lot of processes use scripts to get their work done. Those scripts are frequently written specifically as Bash commands. No Bash means they won't work. Also, there is more than one Bash to remove, if we choose to remove it. The instance of Bash can certainly be changed in the Terminal and we never have to use it. But other instances of Bash are also around and will be used by other processes than us.

    There are a few articles around the discuss updating every instance of Bash that is commonly installed in OS X. MacPorts has its own Bash. Homebrew has its own Bash. If you're CLI savvy and comfortable with compiling code with XCode, go for it. But I write this blog for typical Mac users who definitely are not.

    While we wait for the Bash bug discovery and patching to further settle down, the best thing any OS X user can do is install Apple's provided Bash patches as they appear. Those OS X users with servers on the Internet have a bigger challenge. They'll be updating more than simply OS X. They'll be keeping track of updates to the open source Apache web server, it's DHCP server in particular.

    One useful thing to do, if you're comfortable with it, is going into the settings for your router and turning OFF Internet login, IOW stop access to your router from the Internet. So far there is no list I have found of routers that are affected by the Bash bugs. But those that are, will be eventually be attacked. If your router can't be logged into from the Internet, you've slammed that attack surface shut.