{"id":32071,"date":"2014-09-26T18:00:40","date_gmt":"2014-09-27T01:00:40","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=32071"},"modified":"2014-10-02T20:03:00","modified_gmt":"2014-10-03T03:03:00","slug":"shellshock-vulnerability-what-mac-os-x-users-need-to-know","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/shellshock-vulnerability-what-mac-os-x-users-need-to-know\/","title":{"rendered":"Shellshock Vulnerability: What Mac OS X Users Need to Know"},"content":{"rendered":"

\"Shellshock<\/a>The vulnerability is called Shellshock, and it has rocked the security industry to its core. A flaw\u00a0in the \u201cBash\u201d shell\u2014the command line interpreter for Unix-based systems including Linux and Mac OS X\u2014has sent server administrators scrambling to patch their systems.<\/p>\n

Security experts are saying this vulnerability is as dangerous, if not more so, than the Heartbleed flaw found in OpenSSL software<\/a>\u2014an encryption service used by around two-thirds of websites to protect information sent to and from web pages\u2014back in April. The Shellshock flaw affects the Bash shell used across many Unix-based systems including Mac OS X and variants of Linux.<\/p>\n

The Shellshock vulnerability (CVE-2014-6271<\/a>,\u00a0CVE-2014-7169<\/a>) has been compared to Heartbleed, partly because the software at the heart of the \u201cShellshock\u201d bug, known as Bash, is also widely used in web servers and other types of computer equipment.<\/p>\n

With Heartbleed<\/a>, somebody could grab credentials of a user and do what they wanted with it; however, the bug only allowed an attacker to steal data. But with Shellshock, if someone is vulnerable, an attacker could insert malicious pieces of code from a remote location and get full system control of a victim\u2019s machine.<\/p>\n

Fortunately, the Shellshock vulnerability is unlikely to affect as many systems as Heartbleed, because not all computers running Bash can be exploited.<\/p>\n

How to tell if your Mac is vulnerable<\/h3>\n

If you have a Mac OS X or Linux system, open the Terminal and run this line of code:<\/p>\n

env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'<\/strong><\/pre>\n
If it returns the word \u201cvulnerable\u201d as an answer, then your machine is in theory vulnerable.<\/p>\n
\"Mac<\/a><\/p>\n
Here\u2019s what that means, as mentioned over at Engadget<\/a>:<\/p>\n
Your Bash shell is simply running more code after a function (the \u201c() { :;};\u201dpart), and that shouldn\u2019t be happening. The function is the \u201callowed\u201d code, while everything after it is where the potentially \u201cmalicious\u201dcode could be installed.<\/p><\/blockquote>\n
But\u2014this is important\u2014if your Mac is \u201cvulnerable,\u201d all this means is that your default shell is Bash. The only way for infections to occur is by exposing this vulnerability on a Mac.<\/p>\n
If someone were to write an app that contained the exploit, a user downloaded the app, bypassed Gatekeeper (it would have to be an unsigned, unsandboxed app) and ran the app anyway, then yes\u2014a Mac user could potentially get malware this way.<\/p>\n
What exposes your Mac to Shellshock<\/h3>\n
There are two routes to exposing this vulnerability to a remote attack on a Mac:<\/p>\n
Route 1<\/strong><\/p>\n
    \n
  1. Go into System Preferences >\u00a0Sharing and turn on Remote Login<\/li>\n
  2. In the same location, turn on All Users<\/li>\n
  3. Go into System Preferences >\u00a0Users & Groups and make sure Guest Access is enabled<\/li>\n<\/ol>\n
    Your system is now vulnerable. If you don\u2019t enable guest access your system is still vulnerable if the attacker knows or is able to guess your username and password. But as this connection is secured, they can\u2019t get that from packet sniffing. And enabling a guest shell on a box is probably not the most secure thing to do anyway.<\/p>\n
    Route 2<\/strong><\/p>\n
    This route requires OS X Server, an old (Lion or earlier) version of OS X, or for the user to install Apache\/PHP\/some other scripting environment.<\/p>\n
      \n
    1. Enable Apache and have it running<\/li>\n
    2. Enable Apache to run scripts or execute extensions<\/li>\n
    3. Have one of those scripts or extensions vulnerable to malicious attacking (being able to inject something into the script that gets executed)<\/li>\n<\/ol>\n
      The attacker can then insert the variables into the script or extension that gets run under the Bash shell, then the injection gets into the Shellshock vulnerability, and voila\u2014machine compromised. This one, however, requires exploiting two holes. First, in the script running on Apache, and then in turn using that compromised script to send something to the Bash shell.<\/p>\n
      What this means\u00a0<\/strong><\/p>\n
      As you can see, these are both edge cases. And both routes probably require a level of technical expertise that the person configuring their account as such can patch the exploit fairly simply.<\/p>\n
      Also note that for route 1, enabling a Bash shell with Guest access for remote login most likely opens up your system to many other possible attacks. The difference Shellshock provides is access to root privileges, in other words full machine access to said Guest user.<\/p>\n
      The bigger issue is all the devices with embedded Unix, where telnet (unsecured) access is enabled, and no login is required. These typically are \u201cThe Internet of Things\u201d (IoT) devices. Even if they require an administrator password other then \u201cAdmin\u201d to get change settings, Shellshock may now give the attacker root to do whatever they want on the device.<\/p>\n
      What can an attacker do to your Mac?<\/h3>\n
      Basically, an attacker can run code by simply asking for basic information from your computer, a server or an IoT device. “The remote execution (over the Internet or a network) of extra code could let an attacker load malware on a system and steal private information, delete files, activate your camera, open a lock and, well, do pretty much anything with a little know-how,” mentioned\u00a0Jose Andrade at Engadget<\/a>.<\/p>\n
      However, the Engadget article also mentions \u201cyour computer is most likely unaffected\u201d if you are running a firewall that blocks external requests not initiated locally by the software already authorized to run. This suggests that if a Mac is running firewall software, such as Intego NetBarrier<\/a>, it has not been proven possible to take advantage of the bug under that scenario.<\/p>\n
      Unfortunately, the Bash Shellshock bug is wormable, and can easily worm past firewalls and infect lots of systems, according to Robert Graham at Errata Security<\/a>. Robert explained:<\/p>\n
      \u201cOne key question is whether Mac OS X and iPhone DHCP service is vulnerable \u2013once the worm gets behind a firewall and runs a hostile DHCP server, that would be \u2018game over\u2019 for large networks.\u201d<\/p><\/blockquote>\n
      And, worse, protecting a server is\u00a0another issue but different, because a server must listen to requests in order to do its job. Engadget’s Jose Andrade provided a good overview of this problem:<\/p>\n
      This means that by requesting almost any data and running malicious code, an attacker can infect any affected server, which is about 60 percent of web servers out on the internet, most routers (even your home router) and many consumer devices (including security cameras and “smart” appliances — which don’t seem so smart right about now). This is because smart appliances are a form of servers.<\/p><\/blockquote>\n
      Have hackers figured out how to exploit the Shellshock vulnerability?<\/h3>\n
      With the media spotlight on the Shellshock vulnerability, in just one day after discovery, hackers have most likely\u00a0figured out how to exploit it. Intego has seen proof-of-concept exploits so far on Mac OS X, and we are continuing to research this threat and will continue to provide updates as new information becomes available.<\/p>\n
      How can the Shellshock vulnerability be resolved?<\/h3>\n
      In a statement to iMore<\/a>, an Apple representative disclosed the following:<\/p>\n
      The vast majority of OS X users are not at risk to recently reported Bash vulnerabilities.\u00a0Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.<\/p><\/blockquote>\n
      According to Apple, there is a patch coming soon for Mac users who could be exposed.<\/p>\n
      What can you\u00a0do to stay protected?<\/h3>\n
      Until Apple patches this hole, which they no doubt will, you can take a few simple steps to make sure you\u2019re not exposed:<\/p>\n
        \n
      1. Don\u2019t enable Guest Access AND at the same time enable All Users for Remote Login.<\/li>\n
      2. Don\u2019t run a Web server on your personal machine.<\/li>\n
      3. Have a strong password on your Account.<\/li>\n
      4. Keep Gatekeeper turned “On.”<\/li>\n
      5. Only install or run signed Apps from trusted sources.<\/li>\n
      6. For extra protection install a Firewall, such as\u00a0Intego NetBarrier<\/a>.<\/li>\n<\/ol>\n
        UPDATE:\u00a0Apple\u2019s OS X Bash Update 1.0 Patches Shellshock Vulnerability<\/a><\/strong><\/p>\n
        Also remember, these are probably good security rules to adhere to even after Apple patches this hole, just to insure you don\u2019t fall victim to the next one yet\u00a0be discovered.<\/p>\n
        Where to get more information<\/h3>\n
        US-CERT<\/a> recommends Mac OS X users (and pretty much anyone concerned about the flaw) seek\u00a0help from the Redhat Security Blog<\/a>, or consult their respective Linux or Unix operating system vendor for advice.<\/p>\n","protected":false},"excerpt":{"rendered":"
        The vulnerability is called Shellshock, and it has rocked the security industry to its core. A flaw\u00a0in the \u201cBash\u201d shell\u2014the command line interpreter for Unix-based systems including Linux and Mac OS X\u2014has sent server administrators scrambling to patch their systems. Security experts are saying this vulnerability is as dangerous, if not more so, than the […]<\/p>\n","protected":false},"author":4,"featured_media":32125,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190,151,5],"tags":[3151,1468,1465,1474,309,174,80,1462,1471,144],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\n