Shellshock (Bash vulnerability) audits with BSA, ADDM

Version 9

    A couple of easy ways to scan your environment for the most recently reported Bash vulnerability, using BSA or ADDM. (More as this develops, likely from Akbar Aziz or the usual suspects.)

    Check out Neil Karani's comprehensive post here (with Zipkit): Addressing Shellshock Vulnerability using BSA!


    Now with Howto video! BladeLogic Shellshock Identification and Remediation - YouTube by our own Dan Herold.





    Video also attached for those who can't access YouTube.


    From Dan Herold:


    In the interim for your RedHat targets managed by BladeLogic, once you have updated your RedHat patch catalog you may create a RedHat Patch Smart Group with the condition:


    “Any Redhat Errata Where ??ERRATA_ADVISORY?? Contains RHSA-2014:129”


    Run a patch analysis (Analyze only updates for installed RPMs) against your target infrastructure including this Smart Group to quickly identify (and optionally remediate) those hosts affected by the bash exploit (which is likely all of them).


    From Max Skybin:



    I was just looking at that. You can use BSA to create an NSH script (wrapped in an Extended Object) that calls the following bash one-liner on the remote system.


    I did the following on my Ubuntu server at home (same applies to RedHat, SUSE, etc., pretty much anything running bash).


    max@dev01:~$ env var='() { ignore this;}; echo vulnerable' bash -c /bin/true



    After patching the vulnerability, the same script returns an error:


    bash: warning: var: ignoring function definition attempt

    bash: error importing function definition for `var'


    It should be trivial to create a compliance template in BSA that calls the extended object and produces an audit report.


    The systems then can be patched using standard patch procedure in BSA after updating patch catalogs with the latest content from the vendors.
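
The probe from the post above, wrapped as an audit script of the kind an NSH script or Extended Object could call. This is an added example, not code from the original discussion or from BMC; the marker string, function names and default binary paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit wrapper around the env/bash probe quoted above.
# Marker, function names and default paths are assumptions for this example.
SHELLSHOCK_MARKER="SHELLSHOCK_AUDIT_VULNERABLE"

# Classify captured probe output. A vulnerable bash runs the trailing echo,
# so the marker appears alone on a line; a patched bash prints nothing or
# only the "ignoring function definition attempt" warning.
classify_probe_output() {
    if printf '%s\n' "$1" | grep -Fxq "$SHELLSHOCK_MARKER"; then
        echo "VULNERABLE"
    else
        echo "NOT_VULNERABLE"
    fi
}

# Probe one bash binary (default: bash on PATH) and print its verdict.
check_bash() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "BASH_NOT_FOUND"
        return 0
    fi
    # ':' (no-op builtin) replaces the post's /bin/true so the probe does
    # not depend on that path existing on the target.
    out=$(env var="() { ignore this;}; echo $SHELLSHOCK_MARKER" \
        "$bash_bin" -c : 2>&1) || true
    classify_probe_output "$out"
}

# Probe each given bash binary (default: common install paths), print one
# "path verdict" line per binary, and return 1 if any is vulnerable.
audit_bash_binaries() {
    [ "$#" -gt 0 ] || set -- /bin/bash /usr/bin/bash /usr/local/bin/bash
    rc=0
    for b in "$@"; do
        verdict=$(check_bash "$b")
        echo "$b $verdict"
        if [ "$verdict" = "VULNERABLE" ]; then rc=1; fi
    done
    return "$rc"
}
```

Calling `audit_bash_binaries` with no arguments on a target checks the default paths; a non-zero return flags the host for the audit report.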


    From Raphael Chauvel:


    The ADDM team has planned a post later today where they will:

    - Detail how to use ADDM to identify vulnerable machines (that should just be a search string)



    This document was generated from the following discussion: Shellshock (Bash vulnerability) audits with BSA, ADDM