
Security Update: Bash "Shellshock" Vulnerability



Last updated: October 3, 2014

As you may have heard, a significant vulnerability in Bash was announced yesterday, Wednesday, September 24, 2014, commonly referred to as “Shellshock” that affects all versions of Bash through version 4.3:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

The following are links to some external resources with additional details:

http://www.kb.cert.org/vuls/id/252743
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

JAMF Software has investigated the impact of this vulnerability for our customers, and the following is a summary of what we found:

Affected operating systems
It is likely that all unpatched versions of Linux and Unix, including OS X, are affected by this vulnerability. Details of actual exploits are still emerging, but reports indicate that SSH and web servers with CGI components are likely vectors for perpetrating an attack. The following external blog post lists a variety of "potential exploitation vectors":

https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html

Windows does not include Bash and, therefore, should not be affected by this vulnerability.

JAMF Software Products and Services

  • The JAMF Software Server (JSS) does not rely on Bash or have any CGI components enabled by default, but the server OS that is hosting the JSS could have these items enabled
  • The jamf binary and client applications do use shell commands in certain functions, which rely on the native installation of Bash on OS X
  • The JAMF Distribution Server (JDS) uses Apache but does not use the CGI module; however, the Apache service or other services may be configured to use the CGI module (mod_cgi)
  • Any services on JAMF Cloud that are externally accessible have been patched to use the recommended version of Bash
  • Versions of the NetBoot/SUS Appliance OVA through 3.0.1 are built using a version of Ubuntu that includes an affected version of Bash

How to tell if a system is affected
The following external resources are available for testing systems for this vulnerability:

http://serverfault.com/questions/631257/how-to-test-if-my-server-is-vulnerable-to-the-shellshock-bug
https://shellshocker.net/#

Possible fixes
Please follow official vendor recommendations for installing software updates that include a patched version of Bash:

Additional resources
The JAMF Nation community has started discussion regarding this issue:

https://jamfnation.jamfsoftware.com/discussion.html?id=11909

Feel free to reach out to your Support representative through https://support.jamfsoftware.com/ with any questions, or bookmark this discussion post and check back for any available updates.

Thanks,
Jason Van Zanten
Product Specialist, Information Security JAMF Software

34 replies

  • Contributor
  • 26 replies
  • September 26, 2014

In response to this, I've created a package using JAMF's Composer to patch the vulnerable bash and sh versions. Created using Mavericks 10.9.4 and follows these instructions here:

http://mac-how-to.wonderhowto.com/how-to/every-mac-is-vulnerable-shellshock-bash-exploit-heres-patch-os-x-0157606/

It's a non-flat pkg installer with a Perl postflight script to take care of copying the new bash and sh versions into /bin.

Feel free to dissect it in Composer if you want to be sure! The 2 files (bash & sh) are installed to /private/tmp/bash-fix and then copied to /bin after the originals are backed up with a .old suffix.

I've put it up on my dropbox if anyone wants to try it out and use it in their environment. Have tested on Mavericks and Yosemite Beta and all good.

https://www.dropbox.com/s/0gwor9etpjy4kwk/Shellshock-CVE-2014-6271-Patch-20140926.pkg.zip?dl=0

Cheers

Michael Kremic


  • Valued Contributor
  • 1007 replies
  • September 26, 2014

How many of us are running http servers with mod_cgi turned on for our clients? Users cannot just get this from what I am seeing. They are going to have to download a malicious script or package to install to get this on the majority of workstations. I think "ShellShock and Awe" is in full swing and is being blown way out of proportion. Not to mention the fix that exists only solves one piece of the problem. This http://lcamtuf.blogspot.com.es/2014/09/quick-notes-about-bash-bug-its-impact.html might help understand it better. And maybe I am missing something.


  • Contributor
  • 45 replies
  • September 26, 2014

I've just logged in here to mention what I've done to solve it and found that Michael Kremic, mkremic, has done the same thing as me.

Michael, on your script the $oldbash variable is not declared so the $newbash won't replace the $oldbash.

Anyway, thanks for sharing it with all of us.


  • Contributor
  • 26 replies
  • September 26, 2014

Thanks @luispalumbo !

I'd rather be security conscious and patch it than leave it open. Chances of someone actually taking advantage of the exploit on a desktop/laptop are slim, but you wouldn't want to be the company that it happened to!

Also, I tested patching 10.9.4 and then applying the Apple update to 10.9.5 and bash is still patched after the update.


  • Honored Contributor
  • 403 replies
  • September 26, 2014

An EA to get the version on clients so you can target with a smart group if you like.

#!/usr/bin/env bash

bash_version=$(/bin/bash --version | head -n 1 | awk '{print $4}' | sed s/"(1)-release"/""/)

echo "<result>$bash_version</result>"

  • Valued Contributor
  • 184 replies
  • September 26, 2014

From a redhat kb https://access.redhat.com/articles/1200223

EA to determine vulnerable or ok - so far seeing vulnerable results.

#!/usr/bin/perl -w

my $RESULT=`env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"`;

chomp $RESULT;

if ($RESULT=~/^vulnerable
test$/){
        system "echo '<result>vulnerable</result>'";
}
else {
        system "echo '<result>ok</result>'";
}

  • Contributor
  • 45 replies
  • September 26, 2014

Hi guys, the EA I used was something like @chriscollins's but a bit simpler. I've also created one smart group with the old version and another with the new version, then created a policy that runs once per computer deploying a package, as mentioned above by @mkremic, with a Perl script.

This is my EA:

#!/bin/bash
echo "<result>`bash --version | head -1 | tr "(" " " | awk '{print $4}'`</result>"

mm2270
  • Legendary Contributor
  • 7882 replies
  • September 26, 2014

Simplest version I can come up with for an EA in case anyone is interested-

#!/bin/sh

echo "<result>$(bash --version | awk -F'[ |(]' '/version/{print $4}')</result>"
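
An added example, not code from the thread or from JAMF: one EA that combines the version-parsing EAs above with the CVE-2014-6271 function-import test used in the Perl EA, and reports a single <result> a smart group can key on. The 3.2.53 floor is the version Apple's OS X bash Update 1.0 installs (per the Apple advisory quoted later in this thread), so the version comparison is only meaningful on Apple's builds; the behavioural test is what matters on Linux, where vendors backport the fix without changing the version number.

```sh
#!/bin/sh
# Added example, not code from the thread: one EA that reports both the parsed
# bash version and the CVE-2014-6271 function-import behaviour.
# PATCHED_MIN is the version Apple's OS X bash Update 1.0 installs (from the
# advisory quoted in the thread); it is only meaningful for Apple's builds.
PATCHED_MIN="3.2.53"

# Pull "3.2.53" out of the first line of `bash --version`.
parse_bash_version() {
    printf '%s\n' "$1" | sed -n 's/^GNU bash, version \([0-9][0-9.]*\).*/\1/p'
}

# Dotted-version compare without sort -V (absent on older OS X): 0 if $1 >= $2.
version_ge() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        a=${a#*.}  b=${b#*.}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# The behavioural test from the Perl EA above: a vulnerable bash imports the
# function in x and also runs the trailing "echo vulnerable".
function_import_status() {
    out=$(env 'x=() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        test)         echo ok ;;
        *)            echo unknown ;;   # no bash on the box, or unexpected output
    esac
}

# Combine both checks into the single <result> value a smart group can key on.
shellshock_result() {
    ver=$(parse_bash_version "$(bash --version 2>/dev/null | head -n 1)")
    if [ "$(function_import_status)" = vulnerable ]; then
        echo "vulnerable ${ver:-unknown}"
    elif version_ge "${ver:-0}" "$PATCHED_MIN"; then
        echo "ok ${ver:-unknown}"
    else
        echo "old-version ${ver:-unknown}"
    fi
}

echo "<result>$(shellshock_result)</result>"
```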

  • New Contributor
  • 5 replies
  • September 26, 2014

Thanks Michael,
Got the package and it works like a charm. Really appreciate it...!!



Do not run the package posted by Michael Kremic on any 10.7.x machines. The ones I've run it on fail to boot up after a restart. 10.8.x and 10.9.x work fine though.


RobertHammen
  • Esteemed Contributor
  • 1027 replies
  • September 26, 2014

@Lotusshaney has posted his pkg, which has versions for 10.8/10.9/10.10 and 10.7/10.6 (which version gets installed is based on postinstall script logic) at:

http://blog.designed79.co.uk/?p=2000


elliotjordan
  • Valued Contributor
  • 143 replies
  • September 29, 2014

  • Contributor
  • 22 replies
  • September 30, 2014

Currently setting up fix deployment.

10.8.5 seems to reject the patch.

installer: Cannot install on volume / because it is disabled. installer: This volume does not meet the requirements for this update.

10.7.5 and 10.9.5 are patching correctly.

Has anyone seen this behaviour? All software updates are installed and the machines rebooted, but no luck.


ImAMacGuy
  • Esteemed Contributor
  • 1310 replies
  • September 30, 2014

Bendelaat: thank you, I will keep an eye out for it when I start my testing and report back.

A separate question. For deployment of these (assuming all works as expected), if I mark each package with its respective OS requirements (BashUpdateLion - requires 10.7.x, BashUpdateMavericks - requires 10.9.x, etc.), can I just lump them all into one policy?

Update:
Took a smart group from each of the 3 OSes, assigned all 3 packages to it, and updated it. All 3 packages installed on their respective OS, but also reported as failed for all 3 (2 of the 3 packages didn't meet OS requirements).

@Bendelaat

If you could post your script and policy that would help :)


  • Contributor
  • 22 replies
  • September 30, 2014

@jwojda
I don't know about the requirements. I just uploaded the .pkg files to the repository and made a policy for each with a custom trigger, then a script that tests for specific OS versions and calls the appropriate policy.


dpertschi
  • Contributor
  • 459 replies
  • September 30, 2014

@Bendelaat
Same error here with 10.8.5


ImAMacGuy
  • Esteemed Contributor
  • 1310 replies
  • September 30, 2014

@Bendelaat 10.8.5 worked for me.

would you mind posting your policy/script?


ImAMacGuy
  • Esteemed Contributor
  • 1310 replies
  • September 30, 2014

Found this on http://arstechnica.com/apple/2014/09/apple-patches-shellshock-bash-bug-in-os-x-10-9-10-8-and-10-7/

Here's the description from Apple's security-announce mailing list (I haven't seen it on HT1222 yet):

APPLE-SA-2014-09-29-1 OS X bash Update 1.0

OS X bash Update 1.0 is now available and addresses the following:

Bash
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands
Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement. This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state. In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "_BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.
CVE-ID
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy

OS X bash Update 1.0 may be obtained from the following webpages:
http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks

To check that bash has been updated:
Open Terminal
Execute this command: bash --version
The version after applying this update will be:
OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222

mm2270
  • Legendary Contributor
  • 7882 replies
  • September 30, 2014

So, recall that there was a reissue of the 10.8.5 update from Apple. There was the original 10.8.5 and then soon after a "10.8.5 Supplemental Update 1.0" was issued. It's possible for those having trouble installing the bash patch on their 10.8.5 Macs that they never got the supplemental 10.8.5 update installed prior. The OS version number did not change, which may add to the confusion.

I'm just speculating here, since I haven't yet tried installing it on any of our Macs running ML to see what the results are.


  • Contributor
  • 66 replies
  • September 30, 2014

Has anyone seen this patch come through their SUS yet?


  • New Contributor
  • 7 replies
  • September 30, 2014

Yet to see this come through SUS just yet. I have yet to see when Apple said they are going to add it to SUS.


  • Contributor
  • 20 replies
  • September 30, 2014

10.8.5 Bash updates are failing on build 12F37, "Installation failed. The installer reported: installer: Cannot install on volume / because it is disabled. installer: This volume does not meet the requirements for this update".
Successful on build 12F45, so I think Mike is correct about the supplemental update.
10.7 and 10.9 Bash updates are successful, as long as they are at 10.7.5 and 10.9.5 (respectively).


  • Valued Contributor
  • 478 replies
  • October 1, 2014

@Jmillerlbl Apple doesn't "say" they are/aren't adding patches to SUS, generally speaking. It's typically the case that patches are added to SUS shortly after being released via their own catalog and manual download. The lead time here is a tad on the high side, but no need to panic - it'll be in the catalog soon I'm sure.


  • New Contributor
  • 2 replies
  • October 1, 2014

@mhamlin I had the same thing happen to my 10.7 machines. Have you had any success getting them back? If so, how did you get the machines back? Thanks



@sstone You have to boot to recovery (connect to Ethernet then hold command+R before startup chime) and re-install Lion.

