Bash-pocalypse 2014!

Michael Wynholds ·

Hopefully by now everyone has heard about the Bash remote execution vulnerability, and is sufficiently terrified. We here at Carbon Five all use Macs, and so we are all by default vulnerable. Here are the steps we took to secure our computers. Maybe they can help you too.


NOTE: we all use Homebrew on our Macs as well, and these steps require it. If you don’t have Homebrew installed, you can get it here: http://brew.sh

Apply the fix:

%> brew update
%> brew install bash
%> sudo mv /bin/bash /bin/bash.orig
%> sudo mv /bin/sh /bin/sh.orig
%> sudo chmod a-x /bin/bash.orig /bin/sh.orig
%> sudo ln -s /usr/local/bin/bash /bin/bash
%> sudo ln -s /usr/local/bin/bash /bin/sh

Test the fix:

First you need to enter a new bash shell.

%> /bin/bash

Now run the test.

$> env x='() { :;}; echo vulnerable' bash -c 'echo hello'

You should see this output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

Now exit out of your bash shell, enter a sh shell:

$> exit
%> /bin/sh

Now run the same test again, expecting the same output, and then exit out of your sh shell.

$> exit

Last, you must restart your computer!

You’re done, now feel the terror recede from your soul.

Final note to all – this set of steps was put together somewhat quickly. If you see any issues or problems, please add a comments and I will address and update this post as necessary. Thanks!

UPDATE: I previously had a second test to run in the directions, which tested for the second of the two recently discovered vulnerabilities in bash. Commenter mbrictson correctly pointed out that the second test showed Homebrew’s current version of bash to still be vulnerable to this second exploit. This means that after all of this you are still at some risk. So a little bit of the terror is sneaking back in. Stay tuned for further updates…

UPDATE 2: 9/28/2014 8:30pm PST – The latest version of bash from Homebrew, which reports itself as “GNU bash, version 4.3.27(1)-release (x86_64-apple-darwin13.4.0)”, seems to have patched all five vulnerabilities listed at https://shellshocker.net/. You can check your own system with the tests listed there.

Michael Wynholds
Michael Wynholds

Mike is the President and CEO of Carbon Five.