Last updated: October 3, 2014
As you may have heard, a significant vulnerability in Bash, commonly referred to as “Shellshock”, was announced yesterday, Wednesday, September 24, 2014. It affects all versions of Bash through version 4.3:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
The following are links to some external resources with additional details:
http://www.kb.cert.org/vuls/id/252743
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
JAMF Software has investigated the impact of this vulnerability for our customers, and the following is a summary of what we found:
Affected operating systems
It is likely that all unpatched versions of Linux and Unix, including OS X, are affected by this vulnerability. Details of actual exploits are still emerging, but reports indicate that SSH and web servers with CGI components are the likely vectors for an attack. The following external blog post lists a variety of "potential exploitation vectors":
https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html
Windows does not include Bash and, therefore, should not be affected by this vulnerability.
JAMF Software Products and Services
- The JAMF Software Server (JSS) does not rely on Bash or have any CGI components enabled by default, but the server OS that is hosting the JSS could have these items enabled
- The jamf binary and client applications do use shell commands in certain functions, which rely on the native installation of Bash on OS X
- The JAMF Distribution Server (JDS) uses Apache but does not use the CGI module; however, the Apache service or other services may be configured to use the CGI module (mod_cgi)
- Any services on JAMF Cloud that are externally accessible have been patched to use the recommended version of Bash
- Versions of the NetBoot/SUS Appliance OVA through 3.0.1 are built using a version of Ubuntu that includes an affected version of Bash
How to tell if a system is affected
The following external resources are available for testing systems for this vulnerability:
http://serverfault.com/questions/631257/how-to-test-if-my-server-is-vulnerable-to-the-shellshock-bug
https://shellshocker.net/#
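As an added example (not from the original post, and not JAMF's own tooling), the following POSIX shell script wraps the two widely published local probes for the CVEs listed at the top of this post, CVE-2014-6271 and CVE-2014-7169, so that the result can be consumed by an inventory or patch-verification script rather than read by eye. Function names are the example's own; it assumes a `bash` on PATH (if none is found it reports "unknown") and a writable temporary directory for the second probe.

```shell
#!/bin/sh
# Added example, not part of the original JAMF post: a local check for
# CVE-2014-6271 and CVE-2014-7169 that prints one word per probe,
# "vulnerable" or "patched", and an overall verdict ("unknown" if no bash).
# Function and variable names are this example's own.

# CVE-2014-6271: trailing commands after a function definition imported from
# the environment must not execute. A patched bash prints only "probe".
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169 (the gap left by the first fix): a malformed function body
# could leave a redirection behind, so `bash -c 'echo date'` on an unpatched
# bash runs `date` with its output written to a file literally named "echo".
# The probe runs in a scratch directory so that artifact never lands in the
# caller's working directory, and the verdict is whether the file appeared.
check_cve_2014_7169() {
    tmp=$(mktemp -d) || { echo unknown; return; }
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        echo vulnerable
    else
        echo patched
    fi
    rm -rf "$tmp"
}

# Overall verdict: "unknown" when bash is absent, "vulnerable" if either
# probe trips, otherwise "patched".
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo unknown; return; }
    if [ "$(check_cve_2014_6271)" = vulnerable ] || \
       [ "$(check_cve_2014_7169)" = vulnerable ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# Stand-alone usage: show which bash was tested and the verdict.
bash --version 2>/dev/null | head -n 1
echo "CVE-2014-6271: $(check_cve_2014_6271)"
echo "CVE-2014-7169: $(check_cve_2014_7169)"
echo "Shellshock status: $(shellshock_status)"
```

Run it as the user whose bash matters (on OS X that is /bin/bash, so `command -v bash` resolves there unless a different bash is earlier on PATH), and re-run after applying the vendor update to confirm the verdict changes to "patched". Because the exit of each probe is reported as a word rather than a shell return code, the functions can be called from a management script without tripping `set -e`.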
Possible fixes
Please follow official vendor recommendations for installing software updates that include a patched version of Bash:
- Ubuntu - http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it
- Red Hat - https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
- Apple - http://support.apple.com/kb/ht1222
  - About OS X bash Update 1.0 - http://support.apple.com/kb/HT6495
  - OS X Mavericks (10.9.5 or later) - http://support.apple.com/kb/DL1769
  - OS X Mountain Lion (10.8.5) - http://support.apple.com/kb/DL1768
  - OS X Lion (10.7.5) - http://support.apple.com/kb/DL1767
Additional resources
The JAMF Nation community has started a discussion regarding this issue:
https://jamfnation.jamfsoftware.com/discussion.html?id=11909
Feel free to reach out to your Support representative through https://support.jamfsoftware.com/ with any questions, or bookmark this discussion post and check back for any available updates.
Thanks,
Jason Van Zanten
Product Specialist, Information Security
JAMF Software