Shell-Shock – Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169)

UPDATED: A video version of this blog post can be found here: http://youtu.be/RDcIIyYK044

So this Shell-Shock stuff is hitting the press quite a bit!

Fancy finding out really quickly whether your Red Hat Enterprise Linux 6.5 systems are patched correctly? Even if they are turned off right now? Wow, that is clever; not even the virtual infrastructure players can do that. I know, it's cool. Here it is.

Using Cloudforms (or ManageIQ for FREE!) download this policy and import it into Control. Then assign the policy to your targets. The policy will only check Linux systems, though it could do with a makeover to check only RHEL 6.5 systems too.

Download and import the following policy profile – https://github.com/jonnyfiveiq/CloudFORMSNOW/blob/master/Policies/ShellShockPolicy.yaml

Note: the policy is valid only for the fix packages defined in the article https://access.redhat.com/articles/1200223 for RHEL 6.5 systems. Feel free to modify the policy to fit your needs and share it with the community at talk.manageiq.org.

1. Ensure that your VM has had a recent smart state scan complete successfully. You can check by clicking on the Configuration/Packages link.


Search the list of packages for the “bash” package. Select the package and you will be presented with its details.


OK, so we have confirmed that the VMDB holds package detail about bash for this virtual machine.

2. Assign the policy. You can assign it anywhere you like that has coverage of the test virtual machine.

Once assigned, simply click on a VM you wish to check and select the menu “Policy” and then “Check Compliance”.


You will probably have noticed the Compliance status shown for your VM.

Once the compliance check is complete, the compliance area of the screen will report how old the current report is.


Next, click on the Status of the compliance to drill further into the detail.


As you can see, the policy has failed the compliance check.

Now we want to remediate the issue, and re-run the compliance check.


So I ran a “yum update bash” and, as you can see, “4.1.2-15.el6_5.2” has been applied to my system. Let's have CloudForms check against this now.

So, first run a smart state scan against your test virtual machine.


Once complete, run the compliance check once more on the virtual machine.


This time the compliance check passes. Click on the status to drill further into the detail.


And as a final check you can go back to the virtual machine and take a look at the package entry for “bash”.


As you can see, CloudForms has been updated with the latest RPM data from the “yum update bash” we ran.
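The same kind of test can be run over exported package data outside CloudForms. The following is an added example, not code from this blog or the contents of the ShellShockPolicy.yaml file: it compares each recorded bash build against the “4.1.2-15.el6_5.2” build mentioned above using rpm-style segment comparison. The inventory rows, host names and function names are constructed for illustration, and epochs are assumed equal.

```python
import re

FIXED_VR = "4.1.2-15.el6_5.2"  # fixed bash build quoted on this page (RHEL 6.5)

# Constructed sample inventory: (host, package, version-release).
INVENTORY = [
    ("web01", "bash", "4.1.2-9.el6_2"),
    ("web02", "bash", "4.1.2-15.el6_5.1"),
    ("db01", "bash", "4.1.2-15.el6_5.2"),
    ("db02", "bash", "4.1.2-29.el6"),
    ("db02", "openssl", "1.0.1e-16.el6_5"),
]

def _segments(s):
    # rpm treats every non-alphanumeric character as a separator
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Segment-wise compare in the style of rpm; returns -1, 0 or 1.
    Simplification: no '~' or '^' handling, which these builds do not use."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run beats an alpha run
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments are newer

def compare_vr(a, b):
    """Compare 'version-release' strings (epoch ignored: assumed equal)."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def non_compliant(inventory, fixed=FIXED_VR):
    """Hosts whose recorded bash build is older than the fixed build."""
    return [h for h, pkg, vr in inventory
            if pkg == "bash" and compare_vr(vr, fixed) < 0]

if __name__ == "__main__":
    for host in non_compliant(INVENTORY):
        print(f"{host}: bash older than {FIXED_VR}, update and rescan")
```

A plain string comparison would rank “4.1.2-9.el6_2” above the fixed build because “9” sorts after “1”, which is why the numeric segments are compared as integers.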

So there you go. How simple is it to check for ShellShock using CloudForms? Really easy.

Thanks

 
