Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: redDragonCup
redDragonCup Author
User level: Level 1
0 points

SSH into my Mac after shellshock patch

Hello,


I am one of the few people who was affected by the Shellshock bug on my mac. I run an Internet facing server off my 2008 iMac, that being said, the day Shellshock broke I disabled SSH on this server. Once Apple provided a patch, I promptly downloaded it and went on my way. I run this server using Mac OS X Server for a VPN, SSH access, and Websites using the built in websites provided by Mac OS X Server. After applying the Apple shellshock patch, VPN and Websites on the server still work as expected. SSH, however, does not. When I try to ssh into the machine, even from another machine on my home network let alone the Internet, the connection is refused. Running nmap on my server I can clearly see that port 22 is open, but just for thoroughness I have double checked my config in my router (an Airport Extreme box) and port 22 is indeed open and should be ready for business. The problem isn't with my DNS, as the VPN and Websites work as they did before. Does the shellshock patch simply kill any incoming SSH connection? If so, that is terribly shoddy work on Apple's part, and deviates sharply from the patch that was applied to the Linux/Unix world.


Not to sit here and throw apples (LOL) but why wasn't this patch made available via Software Update? Even if the vast majority of Mac users are not affected by this bug, making the world a more secure place by applying the patch anyway seems sensible to me. Unless, of course, it just knocks out incoming SSH connections to buy Apple some time while they figure out an actual patch...


Has anyone successfully SSH'ed into their Mac server after applying the shellshock patch?


Thanks!

iMac, OS X Mavericks (10.9)

Posted on Oct 14, 2014 7:27 PM

Reply
10 replies
User profile for user: MadMacs0
MadMacs0
User level: Level 5
5,221 points

Oct 14, 2014 8:20 PM in response to redDragonCup

I can't answer your question directly as there are only top level descriptions of what was done, but I would be very surprised if they did anything other than use the patches provided by the bash community of developers and apply them to their version 3.2 as modified for each OS X. They also added an additional requirement for any accidental attempt to change the environment. If you have not read all that yet:

Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands


Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.


This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state.


In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.

Nothing in that writeup would indicate any changes to ssh and I can tell you from examining all the files installed with this update, they did not include ssh. The executables changed were:

  • /bin/bash
  • /bin/sh
  • /usr/bin/bashbug
Reply
User profile for user: redDragonCup
redDragonCup Author
User level: Level 1
0 points

Oct 15, 2014 7:13 AM in response to Linc Davis

I can connect to localhost via ssh, and I can also connect to my domain name while I am on the server itself...but that's it. If I use my laptop, which shares the wifi subnet with my server, the connection is denied. Ditto anything from the Internet. It looks like a router config issue, but port 22 is clearly open. Plus, since I'm on the same subnet when I use my laptop, it shouldn't even be hitting the router but it is still being refused a connection.

Reply
User profile for user: redDragonCup
redDragonCup Author
User level: Level 1
0 points

Oct 15, 2014 1:23 PM in response to Linc Davis

The screenshot was just showing the config for my Mac OS X firewall and that inbound SSH is allowed. Nothing earth shattering.


I can get on board with leaving the firewall off, because I am on a private network behind NAT, but I have a couple of questions. First, this obviously did work in the recent past. The only thing I've changed is the Shellshock patch, which wouldn't affect things like firewall rules. How could this have worked, pretty reliably for so long if the firewall would/should have prevented it? Second question: given that my firewall was configured to allow incoming SSH connections, why were connections from another host in the same private network refused? I'm starting to wonder if somehow my firewall on my iMac went wonky. Especially since it is and was configured to allow incoming SSH connections.


The private network is only touched by me, no one else, so the firewall in my Airport base station will keep the internet at large away from hacking my server, right? Just want to be sure, I've always left firewalls on, but I see why it isn't necessary. Thanks a lot for all your help Linc, would you mind just confirming this for my own sanity?

Reply
User profile for user: MadMacs0
MadMacs0
User level: Level 5
5,221 points

Oct 15, 2014 1:37 PM in response to redDragonCup

Still no explanation for you but...

redDragonCup wrote:


The private network is only touched by me, no one else, so the firewall in my Airport base station will keep the internet at large away from hacking my server, right? Just want to be sure, I've always left firewalls on, but I see why it isn't necessary.

That's correct. NAT serves the same purpose as you computer's firewall, so they are totally redundant. You might even find your network / Internet access a few microseconds faster by having it off, but almost certainly not noticeable. For more see Do I need a firewall?.


It goes without saying your private network, if WiFi, needs to be protected by a strong WPA2 password.

Reply
User profile for user: Linc Davis
Linc Davis
User level: Level 10
209,547 points

Oct 15, 2014 1:48 PM in response to redDragonCup

You could try removing the exception for SSH and adding it back. Otherwise, I don't know why it doesn't work. A bug, perhaps. As for the correct use of the firewall, see below.

This is a comment on why you might, or might not, want to use the built-in Application Firewall.

The firewall blocks incoming network traffic, regardless of origin, on a per-application basis. By default it's off, and when turned on, it allows applications digitally signed by Apple, and only those applications, to listen on the network. It does not block outgoing traffic, nor can it distinguish between different sources of incoming traffic, nor does it filter traffic by content.

No matter how it's configured, the firewall is not, as some imagine, a malware filter. If that's what you expect it to do, forget it. All it will do is bombard you with pointless alerts.

Consider some scenarios in which you may expect the firewall to be useful.

1. You enable file sharing, and you allow guest access to certain folders. That means you want people on your local network, but not outsiders, to be able to access those shared folders without having to enter a password. In the default configuration, the firewall will allow that to happen. The router prevents outsiders from accessing the shares, whether the application firewall is on or off. But if your computer is portable and you connect it to an untrusted network such as a public hotspot, the firewall will still allow access to anyone, which is not what you want. It does not protect you in this scenario.

2. You unknowingly install a trojan that steals your data and uploads it to a remote server. The firewall, no matter how it's configured, will not block that outgoing traffic. It does nothing to protect you from that threat.

3. A more likely scenario: The web browser or the router is compromised by an attacker. The attack redirects all web traffic to a bogus server. The firewall does not protect you from this threat.

4. You're running a public web server. Your router forwards TCP connection requests on port 80 to your Mac, and the connections are accepted by the built-in web server, which is codesigned by Apple. The application firewall, still configured as above, allows this to happen. An attacker hacks into the system and tries to hijack port 80 and replace the built-in web server with one that he controls. The good news here is that the firewall does protect you; it blocks incoming connections to the malicious server and alerts you. But the bad news is that you've been rooted. The attacker who can do all this can just as easily turn off the firewall, in which case it doesn't protect you after all.

5. You're running a Minecraft server on the local network. It listens on a high-numbered port. You, as administrator, have reconfigured the firewall to pass this traffic. An attacker is able to log in to a standard account on the server. He figures out how to crash Minecraft, or he just waits for you to quit it, and then he binds his own, malicious, Minecraft server to the same port. The firewall blocks his server, and because he's not an administrator, he can't do anything about it. In this scenario, the security is genuine.

6. Here is a more realistic scenario in which you might have reason to enable the firewall. Your MacBook has sharing services enabled. You want those services to be available to others on a home or office network. When you're on those networks, the firewall should be off. When you move to an untrusted network, you can either turn off all the services, or enable the firewall with a non-default configuration to block them. Blocking is easier: one click instead of several.

Reply

SSH into my Mac after shellshock patch

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up