6 Replies Latest reply on Oct 8, 2014 9:35 AM by richard mcleod

    Shellshock (Bash vulnerability) audits with BSA, ADDM

    Sean Berry

A couple of easy ways to scan your environment for the most recently reported bash vulnerability, using BSA or ADDM.  (More as this develops, likely from Akbar Aziz or the usual suspects).


      From Dan Herold:


      In the interim for your RedHat targets managed by BladeLogic, once you have updated your RedHat patch catalog you may create a RedHat Patch Smart Group with the condition:


      “Any Redhat Errata Where ??ERRATA_ADVISORY?? Contains RHSA-2014:129”


      Run a patch analysis (Analyze only updates for installed RPMs) against your target infrastructure including this Smart Group to quickly identify (and optionally remediate) those hosts affected by the bash exploit (which is likely all of them).


      From Max Skybin:



I was just looking at that. You can use BSA to create an NSH script (wrapped in an Extended Object) that calls the following bash one-liner on the remote system.


      I did the following on my Ubuntu server at home (same applies to RedHat, SuSe, etc, pretty much anything running bash).


      max@dev01:~$ env var='() { ignore this;}; echo vulnerable' bash -c /bin/true



      After patching the vulnerability, the same script returns an error


      bash: warning: var: ignoring function definition attempt

      bash: error importing function definition for `var'


It should be trivial to create a compliance template in BSA that calls the extended object and produces an audit report.


The systems can then be patched using the standard patch procedure in BSA after updating the patch catalogs with the latest content from the vendors.


      From Raphael Chauvel:


      The ADDM team has planned a post later today where they will:

      - Detail how to use ADDM to identify vulnerable machines (that should just be a search string)



      Also tapping in Matthieu Laurenceau
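The one-liner Max Skybin posted above is the whole detection; what a BSA Extended Object or compliance rule needs around it is a stable exit status and a fixed status string it can assert on. The script below is an added example, not code from the thread or from BMC: it wraps the same env-import probe in a function, captures both stdout and stderr so the "ignoring function definition attempt" warning of a patched bash never leaks into the result, and maps the outcome to VULNERABLE / PATCHED / BASH_NOT_FOUND. The function names, the probe variable name `shellshock_probe`, and the optional path argument are assumptions for this example; `:` is used in place of the post's `/bin/true` because it is a builtin and behaves identically for the probe.

```shell
#!/bin/sh
# Added example (not from the thread): the env-import probe from the post,
# packaged for use as a BSA Extended Object / compliance check.
#
# shellshock_check [path-to-bash]
#   exit 0 = vulnerable (trailing command after the function body ran)
#   exit 1 = patched    (bash refused or ignored the function import)
#   exit 2 = bash binary not found
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2

    # The variable holds a function definition followed by an extra command.
    # A vulnerable bash imports the variable as a function at startup and
    # executes the trailing "echo vulnerable"; a patched bash either warns and
    # ignores it (stderr) or never looks at a plain variable name at all.
    # Both streams are captured so only the literal marker decides the result.
    out=$(env shellshock_probe='() { :;}; echo vulnerable' "$bash_bin" -c : 2>&1)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# shellshock_status [path-to-bash]
#   prints a fixed token a compliance rule can compare against; always exits 0
#   so it is safe to call under 'set -e' from a wrapper script.
shellshock_status() {
    rc=0
    shellshock_check "$@" || rc=$?
    case "$rc" in
        0) echo "VULNERABLE" ;;
        1) echo "PATCHED" ;;
        *) echo "BASH_NOT_FOUND" ;;
    esac
    return 0
}

# shellshock_report [path-to-bash]
#   one audit line per host, in the key=value form a report job can parse.
shellshock_report() {
    echo "host=$(hostname) bash=${1:-bash} status=$(shellshock_status "$@")"
}

# Stand-alone use: print the audit line for the default bash on this host.
shellshock_report
```

Run it as the Extended Object command and have the compliance rule assert that the captured output contains `status=PATCHED`; hosts reporting `status=VULNERABLE` go into the remediation job, and `status=BASH_NOT_FOUND` flags hosts where the check itself needs attention rather than silently passing.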