Finding the Shellshock Vulnerability with CloudPassage Halo

A serious vulnerability, CVE-2014-6271, variously referred to as Shellshock or Shellshocked, was just reported in the Bourne-Again Shell (bash) and affects most *NIX-based systems. Because the bash shell is so prevalent on *NIX systems, the vulnerability can be leveraged in many different ways to allow unauthorised access and modification of computers remotely.

If you are a CloudPassage Halo user, you can quickly find out which of your servers have this vulnerability using the newly-released Reports page in your Halo portal, or using the Halo API.

Using the Halo UI to find Shellshock vulnerable servers

First, since this is a recently-released vulnerability, you’ll want to run a fresh scan on your servers from the snapshot page. Select all of your servers and click “Launch scan” from the Actions menu. Your scan should be completed within a few minutes.


Once you have run your scans, navigate to the Reports page.

Search by CVE Reference Number – In the Search Criteria selector on the top right, enter CVE-2014-6271 and click submit. You’ll get a list of servers on which the latest software scan found that vulnerability.

You can export these results as a PDF report or to a CSV file using the buttons on the top right of the search results. For more information about how to use the Reports page, please see our documentation.

Using the Halo API to find Shellshock vulnerable servers

Again, since this is a recently-released vulnerability, you’ll want to run a fresh scan on your servers from the snapshot page, or run the script posted on GitHub that launches new scans across all servers.

Once your scans have completed, make this simple call:

Note: This call will only return active servers by default – to get servers in a different state like “deactivated”, specify the state (/v1/servers?state=deactivated&cve=CVE-2014-6271)

Your list of servers will be returned in JSON format. If you’d prefer the list of servers in CSV format, simply append .csv to “servers”:

For more information about what filters are available for the servers endpoint, please see CloudPassage’s API documentation. If you have used the script on GitHub to find vulnerable CVEs on your servers, you can still use that as well.
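The Python below is an added example, not CloudPassage's code: it builds the servers query for a CVE in the forms described above (default state, an explicit state such as “deactivated”, and the .csv variant) and merges the per-state results into one host list. The API host is a placeholder and the JSON response shape is an assumption; neither appears on this page.

```python
import json
import re
from urllib.parse import urlencode

# Placeholder host: the page does not give the API base URL.
API_BASE = "https://halo-api.example"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def servers_url(cve, state=None, fmt="json", base=API_BASE):
    """Build the /v1/servers query for one CVE, optionally for a non-default state."""
    if not CVE_RE.fullmatch(cve):
        raise ValueError(f"not a CVE identifier: {cve!r}")
    if fmt not in ("json", "csv"):
        raise ValueError(f"unsupported format: {fmt!r}")
    path = "/v1/servers.csv" if fmt == "csv" else "/v1/servers"
    params = ([("state", state)] if state else []) + [("cve", cve)]
    return f"{base}{path}?{urlencode(params)}"


def merge_results(bodies_by_state):
    """Combine one JSON body per queried state into {hostname: state}.

    Assumes each body looks like {"servers": [{"hostname": ...}, ...]};
    that shape is an assumption, not taken from the page.
    """
    hosts = {}
    for state, body in bodies_by_state.items():
        for server in json.loads(body).get("servers", []):
            hosts.setdefault(server["hostname"], state)
    return dict(sorted(hosts.items()))


# Constructed sample responses, one per state queried.
SAMPLE = {
    "active": '{"servers": [{"hostname": "web01"}, {"hostname": "db01"}]}',
    "deactivated": '{"servers": [{"hostname": "old-build"}]}',
}

if __name__ == "__main__":
    cve = "CVE-2014-6271"
    for state in (None, "deactivated"):
        print(servers_url(cve, state))
    print(servers_url(cve, fmt="csv"))
    for host, state in merge_results(SAMPLE).items():
        print(f"{host}\t{state}")
```

Querying the deactivated state as well as the default keeps servers that are currently offline, but may be reactivated unpatched, on the remediation list.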

[Source: blog.cloudpassage.com]