
Finding the Shellshock Vulnerability with CloudPassage Halo


A serious vulnerability, CVE-2014-6271, variously referred to as Shellshock or Shellshocked, was just reported in the Bourne-Again Shell (bash) and affects most *NIX-based systems. Because the bash shell is so prevalent on *NIX systems, the vulnerability can be leveraged in many different ways to allow unauthorized remote access to, and modification of, computers. See the NIST vulnerability summary to learn more about this vulnerability and the systems it affects.

If you are a Halo user, you can quickly find out which of your servers have this vulnerability present using the newly-released Reports page in your Halo portal, or using the Halo API.

Using the Halo UI to find vulnerable servers

First, since this is a recently-released vulnerability, you’ll want to run a fresh scan on your servers from the snapshot page. Select all of your servers and click “Launch scan” from the Actions menu. Your scan should be completed within a few minutes.


Once you have run your scans, navigate to the Reports page.

Search by CVE Reference Number: from the Search Criteria selector on the top right, enter CVE-2014-6271 and click submit. You’ll get a list of the servers on which the latest software scan found that vulnerability.


You can export these results as a PDF report or to a CSV file using the buttons on the top right of the search results. For more information about how to use the Reports page, please see our documentation.

Using the Halo API to find vulnerable servers

Again, since this is a recently-released vulnerability, you’ll want to run a fresh scan on your servers from the snapshot page, or run the script posted on GitHub that launches new scans across all servers.

Once your scans have completed, make this simple call:

GET https://api.cloudpassage.com/v1/servers?cve=CVE-2014-6271

Note: This call returns only active servers by default. To get servers in a different state, such as “deactivated”, specify the state: /v1/servers?state=deactivated&cve=CVE-2014-6271

Your list of servers will be returned in JSON format. If you’d prefer the list of servers in CSV format, simply append .csv to “servers”:

GET https://api.cloudpassage.com/v1/servers.csv?cve=CVE-2014-6271

For more information about which filters are available for the servers endpoint, please see our API Documentation. If you have used the script on GitHub to find CVEs on your servers, you can still use that as well.
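The calls above combined into one script, as an added example that is not from the original article or from CloudPassage: it runs the default query (active servers) and the deactivated query, then merges the results. The bearer-token header, the `servers`, `id` and `hostname` response fields, and the sample responses are assumptions constructed for illustration.

```python
import json
import urllib.request
from urllib.parse import urlencode

API_BASE = "https://api.cloudpassage.com/v1"  # base URL as shown in the article
CVE = "CVE-2014-6271"

def servers_url(cve, state=None, fmt="json"):
    """Build the servers query; the state filter and .csv suffix follow the article."""
    params = ([("state", state)] if state else []) + [("cve", cve)]
    suffix = ".csv" if fmt == "csv" else ""
    return f"{API_BASE}/servers{suffix}?{urlencode(params)}"

def http_get(url, token):
    """Live fetch. ASSUMPTION: the API takes an OAuth bearer token in this header."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")

def vulnerable_servers(cve, states=(None, "deactivated"), fetch=None, token=""):
    """Run the default query (active servers only) plus one query per extra state,
    then merge the results, de-duplicated by server id."""
    fetch = fetch or (lambda url: http_get(url, token))
    found = {}
    for state in states:
        body = json.loads(fetch(servers_url(cve, state=state)))
        # ASSUMPTION: response shape is {"servers": [{"id": ..., "hostname": ...}]}
        for srv in body.get("servers", []):
            found.setdefault(srv["id"], {"hostname": srv.get("hostname"),
                                         "state": state or "active"})
    return found

# Constructed sample responses (not real Halo output) so the example runs offline.
SAMPLE = {
    servers_url(CVE): json.dumps({"servers": [
        {"id": "a1", "hostname": "web-01"}, {"id": "b2", "hostname": "db-01"}]}),
    servers_url(CVE, state="deactivated"): json.dumps({"servers": [
        {"id": "c3", "hostname": "old-batch-07"}]}),
}

if __name__ == "__main__":
    for sid, info in sorted(vulnerable_servers(CVE, fetch=SAMPLE.__getitem__).items()):
        print(sid, info["hostname"], info["state"])
```

Deactivated servers are worth including in the sweep because a vulnerable image that is reactivated later would otherwise be missed by the default query.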


Published at DZone with permission of Tatiana Crawford, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
