
Bug in Bash Shell


Xann


This means little to me, but here you go...

 

A security vulnerability in the GNU Bourne Again Shell (Bash), the command-line shell used in many Linux and Unix operating systems, could leave systems running those operating systems open to exploitation by specially crafted attacks. “This issue is especially dangerous as there are many possible ways Bash can be called by an application,” a Red Hat security advisory warned.

 

Software vulnerable to attacks includes:

  • Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
  • CentOS (versions 5 through 7)
  • Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
  • Debian

Clicky

 


Not sure the attack vector is quite as wide as they make out, it seems it's mainly Apache with CGI configured that's at risk. But like with heartbleed they seem to be quite alarmist to make sure people patch their systems quickly.


All my debian and *buntu systems patched bash a couple of days ago.

 

I'm much more worried about how long this will take to patch on Solaris and MacOS machines.

With Mac OS X, systems are, according to Apple, safe by default and not exposed to remote exploits of bash unless users configure their Mac to use the Xcode programming environment, when there is a susceptibility.

As with Linux etc. then it can be fixed via instructions [not quoted because it's a mahoosive stream of techy gobbledegook]

 

I guess a software update will come out anyway to remove the susceptible version of bash from Mavericks and before, for the Xcode users.


It took two clicks on my linux desktops (which have the exact same attack vectors as MacOS) and two commands on the servers.

 

Why do Mac users have to put up with all this terminal window crap and having to enter commands? I remember when Linux used to be like that.


It took two clicks on my linux desktops (which have the exact same attack vectors as MacOS) and two commands on the servers.

 

Why do Mac users have to put up with all this terminal window crap and having to enter commands? I remember when Linux used to be like that.

Look at any Linux help forum, and it's full of "you need to type the following into terminal" [to get a driver or whatever]. Even for the most recent releases and LTS versions.

So users of Linux do need to use terminal far more than on a Mac (which is never, if you just use the Mac as a desktop computer for normal stuff - the only time anyone needs to is if they use Xcode, or if they just fancy doing so, to learn). That said, Apple could perhaps do a software update for the geeky people who use Xcode and do it a bit quicker. But then again, Bash on the mac is controlled under a different license, and has allegedly been tweaked by Apple, so it's not the same, exactly as the Linux version anyway.

I think from reading about it, that Macs don't work the same as linux in that the bash isn't exposed by default, and exposing it would require turning on a web server for example, or the other thing would be if you enabled remote logins (and set up port forwarding on your router). So most Mac users don't have to put up with "all this terminal window crap". They're not affected.

It's a different way of operating - not better or worse, but with different circs.

I have a linux PC, too. And Linux doesn't seem to segregate things in the same way - which means that it's more variably configurable and less kind of "straight lines" as to how to operate or set it up, but Macs control more what the user can do, but with the ability (via Xcode) to also use the UNIX core part outside the kind of normal user way. It's a different philosophy. Judging one OS by the other's standards is kind of missing the point to a degree.

If Linux suits better, then go with that. It's less "shiny and gorgeous" to look at and a bit more clunky in the way it does some stuff, but it has more flexibility.

 

Is Android affected, or Google OS - they have bash, too, don't they?


 

It took two clicks on my linux desktops (which have the exact same attack vectors as MacOS) and two commands on the servers.

 

Why do Mac users have to put up with all this terminal window crap and having to enter commands? I remember when Linux used to be like that.

Look at any Linux help forum, and it's full of "you need to type the following into terminal" [to get a driver or whatever]. Even for the most recent releases and LTS versions.

I've installed Linux onto three desktops and four laptops in the last few months (various age hardware mainly Dell), I haven't had to do any of that.

 

What kind of things use drivers nowadays? I suspect you've been looking at unusual requests or support for old hardware. I don't believe from my own experience that this is typical. The fact that people ask for help on forums is because they have problems, people don't post "installed perfectly, no issues" threads. It's often easier to give people commands to run to A) establish more detail and B) provide a fix pending a new package version. It's also often easier to run a command or two than to go through multiple dialogues in a GUI.

 

So users of Linux do need to use terminal far more than on a Mac (which is never, if you just use the Mac as a desktop computer for normal stuff - the only time anyone needs to is if they use Xcode, or if they just fancy doing so, to learn). That said, Apple could perhaps do a software update for the geeky people who use Xcode and do it a bit quicker. But then again, Bash on the mac is controlled under a different license, and has allegedly been tweaked by Apple, so it's not the same, exactly as the Linux version anyway.

So a vague appeal to "some people use a terminal" equates to "all Linux users need to use a terminal"? That's some conflation there and demonstrably false. Especially when Dell (and others) sell several models with Linux pre-installed, which don't ship with "driver disks".

 

I think from reading about it, that Macs don't work the same as linux in that the bash isn't exposed by default, and exposing it would require turning on a web server for example, or the other thing would be if you enabled remote logins (and set up port forwarding on your router). So most Mac users don't have to put up with "all this terminal window crap". They're not affected.

It's a different way of operating - not better or worse, but with different circs.

 

This is nonsense. It appears likely that some web servers have a higher threat profile to this bug, but the risk of this bug to MacOS was identical to that of Linux. It's part of what they have in common.  I guess you read this on sites "geeky people" wouldn't read.

 

Just so that you know, a terminal window in MacOS is the same as a terminal window in Linux. They both run bash. Both OSes will run any script starting with the "geek code" "#!/bin/bash" using bash. It's unavoidable.

 

I have a linux PC, too. And Linux doesn't seem to segregate things in the same way - which means that it's more variably configurable and less kind of "straight lines" as to how to operate or set it up, but Macs control more what the user can do, but with the ability (via Xcode) to also use the UNIX core part outside the kind of normal user way. It's a different philosophy. Judging one OS by the other's standards is kind of missing the point to a degree.

If Linux suits better, then go with that. It's less "shiny and gorgeous" to look at and a bit more clunky in the way it does some stuff, but it has more flexibility.

MacOS users can do as much to their OS as Linux users. The fact you don't know this makes it more likely that you could be tricked into letting malware infect your machine as you think you are safe.

 

I happen to think my KDE desktop is better looking than the restricted and restricting MacOS window manager, but as you say, that's a personal choice. Nothing is clunky and everything just works, including the much faster delivery of patches for fundamental security flaws.

 

The guy that sits next to me at work uses a Mac. If I thought it was better, I'd use one too (work let us choose whatever platform we like). He says he only uses it because he's locked in to the Apple ecosystem.

 

Is Android affected, or Google OS - they have bash, too, don't they?

For Android I have no idea, but stock won't let you get to bash as you don't have the ability to escalate your privileges to run arbitrary code (and you can't open a terminal). GoogleOS patches itself, but I suspect it's not vulnerable for the same reason.


I've installed Linux onto three desktops and four laptops in the last few months (various age hardware mainly Dell), I haven't had to do any of that.

 

What kind of things use drivers nowadays? I suspect you've been looking at unusual requests or support for old hardware. I don't believe from my own experience that this is typical. The fact that people ask for help on forums is because they have problems, people don't post "installed perfectly, no issues" threads. It's often easier to give people commands to run to A) establish more detail and B) provide a fix pending a new package version. It's also often easier to run a command or two than to go through multiple dialogues in a GUI.

Look at any Linux help forum, and it's full of "you need to type the following into terminal" [to get a driver or whatever]. Even for the most recent releases and LTS versions.

I had to get realtek network drivers for 2 different computers. The only way to stop the wi-fi from constantly dropping out on HP machines was to do this. In the end I had to remove Mint and install Ubuntu, because in linux mint the drivers were pants, frankly. Not for old hardware either. Maybe you're just unaware of some of the issues with installing issues on certain PCs, even when the manufacturers claim they work fine with Linux (yes I can condescend, too).

e.g. problem and advice - Mint, ditto ubuntu - these were the first 2 google hits for wi-fi problems with the PC.

As you say yourself, Linux users, when they have a problem are advised to visit the forums for their Linux release. They often if not most of the time propose a terminal based action. Which is exactly my point - that almost never happens for Mac users, certainly it's a lot less common.

 

So a vague appeal to "some people use a terminal" equates to "all Linux users need to use a terminal"? That's some conflation there and demonstrably false.

Where have I said that? I haven't, I said "So users of Linux do need to use terminal far more than on a Mac". We have them at work, I have one here, Terminal is a useful tool and more so (as in more often) on Linux.

 

It appears likely that some web servers have a higher threat profile to this bug, but the risk of this bug to MacOS was identical to that of Linux. It's part of what they have in common.

It's not an identical risk though is it? Apple doesn't use so many /etc/ scripts to perform services in the way linux does. Mac uses launchd, that works off of a much more to-the-point XML config.

 

The DHCP server attack is only possible if the DHCP client uses Bash scripts, which the OSX implementation does not.

Are these statements false?

 

Just so that you know, a terminal window in MacOS is the same as a terminal window in Linux. They both run bash. Both OSes will run any script starting with the "geek code" "#!/bin/bash" using bash. It's unavoidable.

While Terminal is the same (yes I knew) but the way bash is used and called up is not. That's the point. MacOSX does not use bash as freely to perform tasks. Mavericks is susceptible but ONLY IF the user sets their Mac up to use Xcode, or be operated remotely - for the same reason you give for chrome - the computer in standard mode doesn't let bash be got to, because it isn't utilised by Apps and the OS as much or in the same ways as on Linux. Is that untrue?

I know Mac users can do as much as Linux users. The point was that the Mac OS discourages them from doing so. My perception is that the Terminal is much more central to the Linux distros than it is to Mac - it goes back to the help forums point, really and my own experience with them (Linux computers). I don't do software it for a job like you, and I don't claim remotely to have your level of understanding of Linux. I'm reasonably handy with a Mac, but again, it's not my job. I'm a hardware/systems engineer.

 

There's things that annoy me about Macs and apple - but this isn't one of them.


I've installed Linux onto three desktops and four laptops in the last few months (various age hardware mainly Dell), I haven't had to do any of that.

 

What kind of things use drivers nowadays? I suspect you've been looking at unusual requests or support for old hardware. I don't believe from my own experience that this is typical. The fact that people ask for help on forums is because they have problems, people don't post "installed perfectly, no issues" threads. It's often easier to give people commands to run to A) establish more detail and B) provide a fix pending a new package version. It's also often easier to run a command or two than to go through multiple dialogues in a GUI.

Look at any Linux help forum, and it's full of "you need to type the following into terminal" [to get a driver or whatever]. Even for the most recent releases and LTS versions.

I had to get realtek network drivers for 2 different computers. The only way to stop the wi-fi from constantly dropping out on HP machines was to do this. In the end I had to remove Mint and install Ubuntu, because in linux mint the drivers were pants, frankly. Not for old hardware either. Maybe you're just unaware of some of the issues with installing issues on certain PCs, even when the manufacturers claim they work fine with Linux (yes I can condescend, too).

e.g. problem and advice - Mint, ditto ubuntu - these were the first 2 google hits for wi-fi problems with the PC.

As you say yourself, Linux users, when they have a problem are advised to visit the forums for their Linux release. They often if not most of the time propose a terminal based action. Which is exactly my point - that almost never happens for Mac users, certainly it's a lot less common.

 

I don't understand your point here. People who have problems ask for help and someone asks them to post the output of a command. When you have a problem with your Mac, what do you do?

 

It appears likely that some web servers have a higher threat profile to this bug, but the risk of this bug to MacOS was identical to that of Linux. It's part of what they have in common.

It's not an identical risk though is it? Apple doesn't use so many /etc/ scripts to perform services in the way linux does. Mac uses launchd, that works off of a much more to-the-point XML config.

 

The DHCP server attack is only possible if the DHCP client uses Bash scripts, which the OSX implementation does not.

Are these statements false?

What do you think those "to-the-point" XML configs cause to be run? Bash scripts, the same bash scripts which are run to start services on Linux boxes. Why are you handing out marketing drivel as facts?

I don't understand the relevance of DHCP servers when we are discussing desktops, but yes a Linux DHCP server would have an increased attack surface with this bug. There are incredibly few MacOS DHCP servers or web servers so it's not really relevant. Regardless, it's a two command fix on DEB systems and a single command on RPM systems. It's an important bug so it got fixed very quickly.

 

Just so that you know, a terminal window in MacOS is the same as a terminal window in Linux. They both run bash. Both OSes will run any script starting with the "geek code" "#!/bin/bash" using bash. It's unavoidable.

While Terminal is the same (yes I knew) but the way bash is used and called up is not. That's the point. MacOSX does not use bash as freely to perform tasks. Mavericks is susceptible but ONLY IF the user sets their Mac up to use Xcode, or be operated remotely - for the same reason you give for chrome - the computer in standard mode doesn't let bash be got to, because it isn't utilised by Apps and the OS as much or in the same ways as on Linux. Is that untrue?

Save this in a file (the # must be the very first character in the file), make it executable and run it. If it displays "Hello World" then MacOS launches bash exactly the same way that Linux does. If it doesn't I'll take this back. Of course, if it doesn't, why would Apple even include it rather than one of the smaller, more secure shells like dash?

#!/bin/bash
echo "Hello World"

Actually, none of this is the point.

 

There is a bad bug in the code. The code has been patched upstream. Why haven't Apple released a patch? From outside I can't see any reason other than to protect the marketing myth they've created that MacOS is not vulnerable to problems like this.


I don't understand your point here. People who have problems ask for help and someone asks them to post the output of a command. When you have a problem with your Mac, what do you do?

Ask - maybe on the Apple support forum. But I don't need to go into terminal. Forums don't ask me to, Apple doesn't ask me to. I don't need to. That's a/the difference, that's my point about Linux users (of which I am one) using terminal more. Which is fine and (I thought) uncontentious.

We've gone off topic, anyway. I like Linux, I'm not knocking it. There are pros and cons. Speedier releases of fixes for problems is a pro. Great. Apple are a bit paranoid at times, and maybe that is a marketing thing, I dunno. I don't really care tbh.

Does the bash issue render my Mac in the way I use it susceptible? - not as far as I'm advised (see Darren's post above as well). Maybe that's wrong advice from Apple and others.

It's not used as a server, sharing is off in system preferences, it's not set up to use Xcode, nor is it set to allow remote access.

When a fix comes along I'll install it. It won't be long. Longer than you or I would like, maybe.

Still the problem's only been around for 20 odd years, apparently.

 

edit - You can get the Mavericks, Mountain Lion, and Lion versions of the patch manually from Apple's software downloads site.

Edited by blandy
added fix links
