I know a lot of you today are desperately waiting for Shellshock BASH content in BigFix. As a stopgap, here’s at least some analysis that will collect Bash versions on your non-Windows systems. I will update this thread (as I hope others do) with more info/relevance to help others while we wait for IBM’s content. Here’s an analysis you can add to collect RPM-based Bash versions:
Set the analysis to be relevant to all OSes whose name doesn’t contain “win”: OS does not contain win (in the pull-down menus).
We made 2 properties for now and are working on Mac, Solaris and others. Please add your relevance to this thread for the others and I will do the same as we create them. This obviously is just a stopgap measure to at least collect some version info on bash while awaiting better stuff from IBM, hopefully today.
Ubuntu: Under the Properties tab, add a new one called BASH-UBUNTU. In the relevance, paste:
(if exists (package "bash" of debianpackage as string) then (version of package "bash" of debianpackage as string) else "NA")
RPM based: Under the Properties tab, add a new one called BASH-RPM Based. In the relevance, paste:
if exists (package "bash" of rpm as string) then (version of package "bash" of rpm as string) else "NA"
Solaris:
(if exists (pkginfo "SUNWbash" of pkgdb as string) then (version of pkginfo "SUNWbash" of pkgdb) else "Not Installed")
Here’s one for most Linux OSes (minus Mac) in a single property:
if name of operating system contains "Linux" and name of operating system does not contain "Ubuntu" then (if exists (package "bash" of rpm as string) then (version of package "bash" of rpm as string) else "Not Installed") else if name of operating system contains "Ubuntu" then (if exists (package "bash" of debianpackage as string) then (version of package "bash" of debianpackage as string) else "Not Installed") else if name of operating system contains "SunOS" then (if exists (pkginfo "SUNWbash" of pkgdb as string) then (version of pkginfo "SUNWbash" of pkgdb) else "Not Installed") else "N/A"
IBM just released content a few hours ago. There’s an action in the Fixlets area (search for Shellshock) that you can assign to all non-Windows systems. It writes a file called “isBashVulnerable.txt” to the root directory of the agent folder, and then you can activate analysis 1829, “Shell Shock Bash Vulnerability (CVE-2014-7169) Status”, which parses this file and reports a computer property if the system is vulnerable. I also saw some Red Hat patches come out as actual Fixlets at the same time.
In the meantime, here’s a good 13-minute SANS video educating about what Shellshock is, how it’s exploited, how to detect it, and what the risks and recommendations are.
There is a problem with the analysis and task that IBM has released. After patching we re-ran the task to test the vulnerability. The test still comes up positive for the vulnerability and I think it has to do with the logic of the task. In the task, it runs the following script:
The problem is that the highlighted lines of the script are indicating the vulnerability still exists because they are treating echo like a command-line command instead of a bash command. So the script still prints the word “vulnerable” in the outputFile, which is what the analysis is looking for to indicate vulnerability. The task produces a false positive and, therefore, is not reliable. Looks like IBM didn’t think this one through or test it enough before pushing it out.
All that being said, it should be noted that I am not an expert on bash scripting or *NIX in general. But I removed the second echo in the statement and it came up as “Not Vulnerable”. I think this is because “vulnerable” is not a CLI command either, so it produced an error rather than writing “vulnerable” to the file.
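The stricter version of the self-check that the last two posts are circling around, as an added example that is not IBM's task or anything posted in this thread: the probe prints a per-run marker instead of the literal word "vulnerable", and only an exact-line match on that marker counts, so warning or error text that happens to contain "vulnerable" cannot produce a false positive. The function names and the not_installed/not_vulnerable/vulnerable result tokens are my own, not what analysis 1829 expects.

```shell
#!/bin/sh
# Added example, not IBM's Shellshock task. Self-check for the bash
# function-import bug whose result cannot be skewed by stray text.

# classify_output MARKER OUTPUT
# Prints "vulnerable" only when OUTPUT contains a line exactly equal to
# MARKER. The word "vulnerable" appearing anywhere else is ignored.
classify_output() {
  marker=$1
  output=$2
  if printf '%s\n' "$output" | grep -qxF -- "$marker"; then
    echo vulnerable
  else
    echo not_vulnerable
  fi
}

# shellshock_check [BASH_BINARY]
# Passes a function definition through the environment and asks bash to
# run nothing (":"). An unpatched bash executes the command that trails
# the function body and prints the marker; a patched bash only warns on
# stderr, so the marker never appears and the result is not_vulnerable.
shellshock_check() {
  bash_bin=${1:-bash}
  command -v "$bash_bin" >/dev/null 2>&1 || { echo not_installed; return 0; }
  # Per-run marker (PID plus epoch seconds) so no other output can match.
  marker="shellshock_probe_$$_$(date +%s)"
  out=$(env "x=() { :;}; echo $marker" "$bash_bin" -c : 2>&1)
  classify_output "$marker" "$out"
}
```

Redirect the result of `shellshock_check` into the status file the analysis reads if you want to replace the task's own test rather than run this by hand.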