Recently, I applied About OS X bash Update 1.0 to address CVE-2014-6271 and CVE-2014-7169, more commonly known as Shellshock. After applying, I ran Hanno Böck’s bashcheck script and was dismayed to discover my shell was still vulnerable to the exploit.
After reapplying the update and seeing the same lack of success, I naturally felt my iMac problem was of sufficient urgency to immediately escalate to the Windows server support team. A Shane Golden on the team helped identify that the version of bash after the update was not the expected GNU bash, version 3.2.53(1). Instead, and somewhat unexpectedly, I was at version 4.2.20. I received guidance that if I wanted MacOS support from the Windows server team in the future, I should stick with in-box software and updates, and was sent on my way.
My troubleshooting session with the Windows team helped me remember that I had become a user of Homebrew, a Ruby-based package manager for MacOS. It turned out that when I transitioned from using GNU screen to tmux, I also upgraded GNU bash at the same time.
After unsuccessfully searching Knowledge Cards for a solution, I managed to sort out the issue and get my bash updated to a patched version by issuing the following commands:
    brew update
    brew unlink bash
    brew install bash
After that, I was at GNU bash, version 4.3.28(1), and the bashcheck script provided the validation output I was hoping for:
    Testing /usr/local/bin/bash ...
    GNU bash, version 4.3.28(1)-release (x86_64-apple-darwin13.4.0)
    Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
    Not vulnerable to CVE-2014-6271 (original shellshock)
    Not vulnerable to CVE-2014-7169 (taviso bug)
    Not vulnerable to CVE-2014-7186 (redir_stack bug)
    Test for CVE-2014-7187 not reliable without address sanitizer
    Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
    Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)
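The root cause above was a second, Homebrew-installed bash that the OS update never touched. The following is an added example, not part of the original post and not the bashcheck script: it lists every bash found on PATH or in /etc/shells and probes each for CVE-2014-6271 only. The function names and the marker string are made up for this sketch.

```shell
#!/bin/sh
# Added example (not bashcheck): probe every bash on PATH and in /etc/shells.
MARKER=SHELLSHOCK_MARKER   # constructed string; only a vulnerable bash prints it

# probe_bash BIN -> prints "vulnerable" or "patched" (CVE-2014-6271 only)
probe_bash() {
    # An unpatched bash runs the command that trails the function body while
    # importing the variable; a patched bash treats the value as plain data.
    out=$(env probe="() { :;}; echo $MARKER" "$1" -c ':' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# find_bashes PATHLIST [SHELLS_FILE] -> unique candidate paths, PATH order first
find_bashes() {
    shells=${2:-/etc/shells}
    {
        old_ifs=$IFS; IFS=:
        for dir in $1; do
            if [ -x "$dir/bash" ]; then echo "$dir/bash"; fi
        done
        IFS=$old_ifs
        grep '^/.*/bash$' "$shells" 2>/dev/null || true
    } | awk '!seen[$0]++'
}

# audit_bashes PATHLIST [SHELLS_FILE] -> "path<TAB>status<TAB>version" per binary
audit_bashes() {
    find_bashes "$1" "$2" | while IFS= read -r bin; do
        [ -x "$bin" ] || continue
        ver=$("$bin" --version 2>/dev/null | head -n 1)
        printf '%s\t%s\t%s\n' "$bin" "$(probe_bash "$bin")" "$ver"
    done
}

audit_bashes "$PATH"
```

The first line of output is the bash that a bare `bash` command resolves to, so a patched system binary listed below a vulnerable one means the update has not yet taken effect for interactive use.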