PowerCLI and the Linux Shellshock vulnerability

With all the fuss going round about the latest Linux vulnerability you will probably get a request from your local Security Officer to produce a report which of your Linux systems are vulnerable to the Shellshock bug. And, seen there are already several known exploits, who can blame him for asking such a report.

shellshock-main

Since a lot of these Linux boxes are running under vSphere, we can use PowerCLI to produce such a report. The Invoke-VMScript cmdlet is the vehicle I use in the following function. With the Invoke-VMScript cmdlet it is very easy to execute, what is considered the best test to check for the vulnerability.

Update2 September 29 2014: the 2nd test from the Shellshocker gives a syntax error. The test is replaced by the one found on Michael Boelen‘s website in How to protect yourself against Shellshock Bash vulnerability. Big thanks to Wil van Antwerpen for the pointer.

Update1 September 29 2014: the function was updated to include tests for most of the known Shellshock vulnerabilities. The tests were collected from the Shellshocker site.

The Linux Shellshock Bug

The Shellshock, or Bash Bug, is a security issue in the Unix Bash shell. With specially crafted environment variables, a hacker can have malicious code executed on a Linux system.

Seen the widespread use of the Bash Shell, the risk imposed by this bug can not be underestimated.

The Script

Annotations

Line 23-26: The function supports two parametersets, Location and VM
Line 31-36: The tests that are executed inside the Linux OS to determine if the guest OS is vulnerable to any of the known vulnerabilities. Tests 1,3 and 4 come from the Shellshocker website.
Line 33: Test 2 comes from the Linux Audit website
Line 43: The function currently only looks at Red Hat and SUSE systems, since these are currently the only ones I have to test. If someone needs to include other Linux distros, please contact me, and I can update the function.
Line 46-53: A simple implementation of Object By Name
Line 60: All the tests in the $exploits hash table are executed
Line 61-78: The Try part will use Invoke-VMScript to execute the test the vulnerability inside the guest OS. The Catch parts provide more information why a call to Invoke-VMScript might have failed. The last Catch code block is the “catch-all”.
Line 81-91: The results are returned as an object.

Sample Runs

The function accepts two types of calls, the first one uses the Location parameter. Then the function will check all VMs under that Location that run a Linux guest OS.

The second way to call the function uses the VM parameter. On this parameter you can pass one or more VMs, beit by name or by object.

The result, when saved in a CSV file, looks something like this.

shellshock-report

Community Participation

As I mentioned in the Annotations, the current function only looks at Red Hat and SUSE installations. The simple reason for that is that I currently do not have any other distributions available for testing in my lab.

If you use other Linux distributions in your VMs, please let me know which tests are conclusive for that guest OS. And I will try to add them to the function.

Enjoy !

3 Comments

    Mark Hensler

    I changed my GuestID check to match “centos|rhel|sles|ubuntu”.

    And, I used the following to start the process:

    Add-PSSnapin -Name VMware.VimAutomation.Core
    Connect-VIServer vcenter.mydomain.com
    Get-VMShellShock -Location (Get-Cluster -Name “My Cluster”) -Credential (Get-Credential) |
    Select VM,OS,”OS Full”,”VMware Tools”,CVE_2014_6271,CVE_2014_7169,CVE_2014_7186,CVE_2014_7187,Logon |
    Export-Csv $env:USERPROFILE\Documents\shellshock.csv -NoTypeInformation -UseCulture

      LucD

      Thanks Mark

Leave a Reply

Your email address will not be published. Required fields are marked *

*
*

eleven + 9 =

This site uses Akismet to reduce spam. Learn how your comment data is processed.