Discussion about 'Shellshock' fixes--Ubuntu and OS X (an unlikely issue with unexpected fixes) Presented by Dave Mawdsley, DACS Member, Linux SIG October 15, 2014

A Short Description of 'Shellshock' 1 Versions of the scripting language Bash (Bourne Again Shell) are loaded by default in Linux Distributions and Apple Computers. From Wikipedia: “Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet daemons, such as web servers, use Bash to process certain commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.” “The first bug causes Bash to unintentionally execute commands when the commands are concatenated to the end of function definitions stored in the values of environment variables. Within days of the initial discovery and patching of Shellshock, intense scrutiny of the underlying design flaws discovered a variety of derivative vulnerabilities then present in Bash, which code-maintainers solved with a series of further patches.” “Stéphane Chazelas discovered the original bug on 12 September 2014 and suggested the name "bashdoor". The bug was assigned the CVE identifier CVE-2014-6271. Analysis of the source code history of Bash shows that the vulnerabilities had existed since approximately 1992.”

Before the Patch 2 In terminal Bash could be tested with: env x='() { :;}; echo vulnerable' bash -c "echo this is a test" to see if the empty environment variable could be used unchallenged and thus print 'vulnerable' with the following 'this is a test' and then test with: TERM='() { :;}; echo U BEEN PWND' to see if TERM could also have an empty variable without showing an error statement.

Applying the Patch with Ubuntu 3 For Ubuntu using terminal enter: sudo apt-get update; upgrade After all that's done enter: bash --version And you should see for a 32-bit computer (among other lines): GNU bash, version 4.3.11(1)-release (i686-pc-linux-gnu)

Applying the Patch with OS X 4 The most useful patch, an unofficial one, came from Florian Weimer, a Red Hat employee but not from an employee of Apple. “Apple reaction to Bash exploit shows contempt for users” 03 October 2014, by Sam Varghese, published in Security (excerpt) 'Apple provided no detail about what it was patching. Nothing at all, apart from a terse statement: "This update fixes a security flaw in the bash UNIX shell." ' The system updater for Apple updates typically an iMac with OS X updates along with applications available from the Apple Store. However, the update needed for Bash isn't in that list and had to be obtained as follows: If using OS X 10.7 Lion, 10.8 Mountain Lion or 10.9 Mavericks (download respectively): http://support.apple.com/kb/DL1767 http://support.apple.com/kb/DL1768 http://support.apple.com/kb/DL1769 Once downloaded, locate the .dmg package in the Download folder and click it open to install.

5 Final Thoughts Users of computers must be vigilant and capable enough to learn enough to secure their computers. Linux users would do well to learn how to use Bash. Apple users are probably safe without the patch unless they use the Bash for a utility. Windows users of the Linux emulator cygwin probably already know that they have a problem patching Bash. Microsoft probably can wash its hands of the problem since cygwin isn't their product. However, the developers of cygwin should write a patch and make it available to Microsoft. Perhaps Microsoft would allow it to be signed and included with its regular “Patch Tuesday” of monthly patches.

Discussion about 'Shellshock' fixes--Ubuntu and OS X (discovery of specific vulnerabilities) This OpenOffice.org Presentation 'bashvul.odp' can be downloaded from http://madmod.com/freebies.html