Thursday 25 September 2014

Apple: Critical Security Risk to Unix and Linux Systems including Apple OSX! SHELL SHOCK - CVE-2014-6271

BE AWARE THAT PATCHES ARE IN ACTIVE DEVELOPMENT - YOU MAY NEED TO APPLY MULTIPLE PATCHES OVER THE NEXT FEW DAYS. CHECK WITH YOUR VENDOR REGULARLY


<< What is this? >>
A newly discovered vulnerability in the Bash command-line interpreter poses a critical security risk to Unix and Linux systems including Apple OSX.
The vulnerability (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271) is present in Bash through version 4.3 and was discovered by Stephane Chazelas. It puts Apache web servers, in particular, at risk of compromise via CGI scripts that are written in Bash or that call it.
The flaw lies in Bash's handling of environment variables. Bash lets a shell function be passed to child processes by storing its definition in an environment variable; when a new Bash process imports such a definition, it also executes any commands that follow the function body, so whoever controls the variable's contents can inject commands. Worse, in many common configurations an attacker can set environment variables remotely: a web server running CGI scripts, for example, copies the HTTP request headers into environment variables before it runs the script.
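The following is an added example, not code from the original post: it builds the environment a CGI script would receive from a raw HTTP request, following the RFC 3875 rule that every request header becomes an HTTP_<NAME> variable, and flags any value that Bash (through 4.3) would treat as a function definition with trailing commands. The request, host name and script path are constructed for the example.

```python
"""Added example (not from the original post): how an HTTP request reaches
bash's environment through CGI, and why that matters for CVE-2014-6271.

RFC 3875 (the CGI spec) requires the web server to export every request
header as an environment variable named HTTP_<HEADER> (upper-cased, '-'
replaced by '_') before executing the CGI program.  If that program is a
bash script, or later invokes /bin/sh where sh is bash, every header value
becomes an environment variable that bash will try to import.
"""
import re

# Constructed sample request; the User-Agent carries the Shellshock test
# string from the original post.  Host name and script path are assumptions.
SAMPLE_REQUEST = (
    "GET /cgi-bin/status.sh HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: () { :;}; echo vulnerable\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# bash (through 4.3) treats any environment value beginning with "() {"
# as a function definition to import; the text after the closing brace of
# the body is what gets executed.
FUNCTION_DEF_RE = re.compile(r"^\s*\(\)\s*\{")


def cgi_environment(raw_request: str) -> dict:
    """Return the CGI meta-variables derived from the request.

    Only the variables relevant here are built: REQUEST_METHOD, SCRIPT_NAME,
    QUERY_STRING, SERVER_PROTOCOL and the HTTP_* header variables.
    """
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, protocol = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    env = {
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": path,
        "QUERY_STRING": query,
        "SERVER_PROTOCOL": protocol,
    }
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # RFC 3875 section 4.1.18: "HTTP_" + header name upper-cased, '-' -> '_'
        env_name = "HTTP_" + name.strip().upper().replace("-", "_")
        env[env_name] = value.strip()
    return env


def suspicious_variables(env: dict) -> list:
    """Names of environment variables whose value looks like a bash function
    definition with trailing commands, i.e. a Shellshock payload, paired
    with the trailing command text."""
    hits = []
    for name, value in env.items():
        if FUNCTION_DEF_RE.match(value):
            # Everything after the closing brace is the injected command.
            trailing = value.split("}", 1)[1].strip(" ;")
            hits.append((name, trailing))
    return hits


if __name__ == "__main__":
    env = cgi_environment(SAMPLE_REQUEST)
    for name, value in sorted(env.items()):
        print(f"{name}={value}")
    for name, trailing in suspicious_variables(env):
        print(f"!! {name} would define a function and then run: {trailing}")
```

The point of the mapping is that the attacker never needs an account: any header they send is placed, unfiltered, into the environment of whatever the CGI program is, and if Bash is anywhere in that process chain it imports the value.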


<< How can I tell if I'm vulnerable? >>
There is a simple Bash command you can run to check whether your system is vulnerable. Run it against the Bash binary your services actually use (on systems where /bin/sh is a link to Bash, that one too), not just the shell of your login session.

The first example here shows a vulnerable system

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

The second example shows a system after patching

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


<< Is this important? >>
According to the NIST vulnerability database, which rates the flaw 10 out of 10 in terms of severity:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
Jim Reavis, chief exec of the Cloud Security Alliance, claims the hole is comparable in seriousness to the infamous password-leaking Heartbleed bug in the OpenSSL library that was uncovered earlier this year.


<< What are the attack vectors? >>
We don't know them all yet. There has been speculation that it may be as wide as affecting OpenSSH with pre-authentication remote code execution, but the OpenSSH vector that has actually been demonstrated (the ForceCommand feature cited in the NIST text above) requires a key or account that sshd already accepts; it lets a user who is restricted to a forced command escape that restriction. It may also be exploitable via DHCP, where a malicious DHCP server supplies crafted option values to a client whose hook scripts run under Bash. We will know more in the next few days, but at the moment not all of the vectors are known. People are already scanning for this vulnerability in the wild.


<< What can I do? >>
Patch - There are patches coming out for a number of Linux/BSD operating systems. Check with your vendor to see if there is one for your operating system.

BE AWARE THAT PATCHES ARE IN ACTIVE DEVELOPMENT - YOU MAY NEED TO APPLY MULTIPLE PATCHES OVER THE NEXT FEW DAYS. CHECK WITH YOUR VENDOR REGULARLY

At present there is no patch for Apple OSX. We would expect to see one in the next few days. In the meantime, make sure the OSX firewall is turned on and is blocking all incoming connections.
If a patch is not available for your machine and it is network connected, we would advise moving it behind a border device, reducing network access to the minimum necessary, and monitoring logs for any anomalous activity.
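As an added example of the log monitoring suggested above (not code from the original post), the following scans Apache access logs in the default "combined" format for Shellshock probes. Because CGI exploitation places the payload in a request header or in the request line, and the combined format records the request line, Referer and User-Agent, probes leave a "() {" fingerprint in the log. The log lines, addresses and host names are constructed for the example.

```python
"""Added example (not from the original post): scan Apache access logs for
Shellshock probes.  Exploitation over CGI puts the payload in a request
header (commonly User-Agent, Referer or Cookie) or in the request line,
and Apache's combined log format records the request line, Referer and
User-Agent, so probes leave a recognisable "() {" fingerprint in the log.
Cookie is not logged by default, so this scanner cannot see that vector.
"""
import re

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Bash's function-import check looks for a value starting with "() {".
# Scanners vary the whitespace, so allow optional spaces, and also catch
# the pattern URL-encoded in the request line ("%28%29%20%7B").
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{|%28%29(?:%20|\+)*%7[bB]")

# Constructed sample log lines (addresses and host names are invented).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:12:01 +1200] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.23 - - [25/Sep/2014:10:12:05 +1200] "GET /index.html HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:12:09 +1200] "GET /cgi-bin/status.sh HTTP/1.1" 500 0 "() { :; }; /bin/uname -a" "curl/7.37.0"
192.0.2.44 - - [25/Sep/2014:10:13:00 +1200] "GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 404 209 "-" "masscan/1.0"
"""

# The fields an HTTP client controls and the combined format records.
CLIENT_FIELDS = ("request", "referer", "agent")


def parse_combined(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_probe(entry: dict) -> bool:
    """True if any client-controlled field carries the function-definition pattern."""
    return any(SHELLSHOCK_RE.search(entry[f]) for f in CLIENT_FIELDS)


def find_probes(log_text: str) -> list:
    """Return (host, time, field, evidence) tuples for every probe in the log."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_combined(line)
        if entry is None:
            continue  # not combined format; a production scanner should report this
        for field in CLIENT_FIELDS:
            if SHELLSHOCK_RE.search(entry[field]):
                hits.append((entry["host"], entry["time"], field, entry[field]))
    return hits


if __name__ == "__main__":
    for host, when, field, evidence in find_probes(SAMPLE_LOG):
        print(f"{when} {host} probe via {field}: {evidence}")
```

A hit with a 200 status against a CGI path is the case to treat as a possible compromise rather than a mere probe; a 404 or 500 means the script was missing or failed, but the host is still clearly being scanned.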


<< Solution for Apple OSX >>
OS X bash Update 1.0 fixes a security flaw in the bash UNIX shell.
http://support.apple.com/kb/DL1769?viewlocale=en_US


Reference:
SHELL SHOCK - CVE-2014-6271
http://www.nzitf.org.nz/news.html
