Checking Shellshock and Aftershock status on Linux

Version 3

    (Now with ZipKit!  Thanks to the team at a major nonspecific customer in New Jersey!)


    This article shows how to use extended objects and compliance-based audits to check the status of Shellshock and Aftershock on Linux systems. The test is good to run after you have patched your systems, to make sure the vulnerabilities have been addressed. It attempts to inject commands that exploit the bash vulnerabilities and flags affected systems in a compliance job run.




    1. Create the detection script in a convenient location on a server, e.g. /shellshock/

    # Shellshock (CVE-2014-6271) and Aftershock (CVE-2014-7169) detection script
    # Update Fri Sep 26 16:52:58 EDT 2014 - fixed a bug with aftershock false positive detection
    # Update Sat Sep 27 20:28:22 EDT 2014 - fixed another bug that caused aftershock false positive in situations where script has been previously run on a system
    # This script is specific to RPM-based systems, although it can easily be adapted to any *nix system
    #bash --version | head -1
    # Report the installed bash package version
    rpm -q bash 2>/dev/null
    # Shellshock: a vulnerable bash executes "echo true" while importing the variable x
    SHELLSHOCK=`env x='() { :;}; echo true' bash -c "" 2>/dev/null`
    # Aftershock: a vulnerable bash writes the output of date to a file named "echo"
    # in the current directory; the file is read and then removed
    AFTERSHOCK=`env var='() {(a)=>\' bash -c "echo date | grep -v date" 2>/dev/null; cat echo 2>/dev/null; rm echo 2>/dev/null`
    if [ -n "$SHELLSHOCK" ]; then
      echo "CVE-2014-6271 vulnerability detected"
    fi
    if [ -n "$AFTERSHOCK" ]; then
      echo "CVE-2014-7169 vulnerability detected"
    fi

    2. Create BLPackage to deploy the detection script to target servers


    3. Deploy the script to the target Linux servers with a deploy job


    4. Create extended object that calls the script with Remote execution


    5. Check the results of the extended object execution in Live Browse. Vulnerable hosts will show one or both of the CVE vulnerabilities.


    6. Create compliance template based on the Shellshock extended object

    6.1. In General Section, enable Discover, Browse, Snapshot, Audit and Compliance


    6.2. In Parts section, add the two entries for CVE vulnerabilities


    6.3. In Rules section, create two rules requiring that the CVE extended object items do NOT exist


    7. Create Component Discovery Job

    7.1. In Component Templates section, choose Shellshock Detection Component Template


    7.2. In Targets section, choose target servers


    8. Run the component discovery job and confirm that components have been created successfully


    9. Run the compliance job against the target servers and review the results. Vulnerable servers will be flagged as non-compliant against one or both vulnerabilities.
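
The script in step 1 reads and deletes a file named "echo" in whatever directory it is run from, so a stale or unrelated file of that name can produce an Aftershock false positive or be removed. The variant below is an added example, not part of the original article: it runs the same two probes in a private scratch directory. BASH_BIN and the function names are hypothetical, introduced here for illustration.

```sh
# Added example, not the article's script. BASH_BIN is a hypothetical override
# naming the shell under test; it defaults to the first bash on PATH.
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: a vulnerable bash runs the code after the function body
# while importing the variable, so "true" appears on stdout.
probe_shellshock() {
    env x='() { :;}; echo true' "$BASH_BIN" -c "" 2>/dev/null || :
}

# CVE-2014-7169: a vulnerable bash is left with a pending ">\" redirection, so
# "echo date" runs `date` with stdout sent to a file named "echo" in the
# current directory. grep exits 1 when it filters everything, hence "|| :".
probe_aftershock() {
    env var='() {(a)=>\' "$BASH_BIN" -c "echo date | grep -v date" 2>/dev/null || :
    cat echo 2>/dev/null || :
}

# Run both probes inside a fresh scratch directory so a stale or unrelated
# ./echo file can neither cause a false positive nor be deleted.
# Prints one line per finding; returns 0 if clean, 1 if vulnerable, 2 on error.
check_bash() {
    scratch=$(mktemp -d) || return 2
    findings=$(
        cd "$scratch" || exit 2
        [ -n "$(probe_shellshock)" ] && echo "CVE-2014-6271 vulnerability detected"
        [ -n "$(probe_aftershock)" ] && echo "CVE-2014-7169 vulnerability detected"
        :
    ) || { rm -rf "$scratch"; return 2; }
    rm -rf "$scratch"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Calling check_bash at the end of the script prints the same two finding strings as the step 1 script, so the Parts and Rules entries from step 6 apply unchanged.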