Dealing with ShellShock on our older mac servers

We have a couple of machines that are still running Snow Leopard, so the Apple patch won’t work. One option is to recompile bash and its patches from source, but why do that when I already have MacPorts on those machines.

Testing the vulnerabilities

From Stack Exchange, there are multiple vulnerabilities:
The first one is tested with this:
$env x='() { :;}; echo vulnerable' bash -c 'echo hello'
if the shell is vulnerable, it will echo vulnerable and hello. Otherwise it just echoes hello.

A second vulnerability is tested with
$env X='() { (a)=>\' sh -c "echo date"; cat echo
if you’re OK, you will see something like
cat: echo: No such file or directory

sh: X: line 0: syntax error near unexpected token `='
sh: X: line 0: `X () { (a)=>\'
sh: error importing function definition for `X'
cat: echo: No such file or directory

The important thing is that you don’t want to see an actual date and a file created called echo.

The third vulnerability redefines the ls command
$ env ls="() { echo 'Game over'; }" bash -c ls
Vulnerable systems will echo Game over.

Installing the fix

Getting it installed is easy after updating to the latest versions of the ports
sudo port selfupdate
sudo port upgrade outdated
sudo port install bash

But this only applies the MacPorts bash for the user. To make it the default, we have to make it the default shell for an intruder. To do this we need to edit /etc/shells to replace /bin/bash with /opt/local/bin/bash.

I think this is enough. But I still have some concerns. The bash version in MacPorts seems to be 4.3.28. Apple’s official release after the patch is 3.2.53 (apparently this is equivalent to 3.2.54 in terms of patches). The MacPorts version is still vulnerable to the second problem. I’ll be watching MacPorts for updates, but I am also looking at whether the machines, which are too old for Mavericks, can be updated to Lion or Mountain Lion.

Update: MacPorts pushed another bash update over the weekend