Shellshock - Easy Mitigation Using Puppet

So … CVE-2014-6271, known as Shellshock, is widely being reported as the “next Heartbleed” – the high-profile bug in the open source OpenSSL framework that threatened to cripple the Internet’s security in April 2014. Here I will go into some loose detail about what Shellshock actually is, then offer an extremely simple way for systems administrators to mitigate the issue and a one-line test to check if your system is vulnerable.

What is Shellshock?

Shellshock is the latest high-profile open source bug, and it affects the vast majority of computers on the internet, notably web servers, that run systems with the Bash (Bourne Again Shell) command-line interpreter installed, including Mac OS and Linux machines.

I’m not going to go into a huge amount of detail about what Shellshock actually is or does – for that, please head over to Troy Hunt’s blog, and read his excellent “Everything you need to know about the Shellshock Bash bug” post – but Shellshock essentially allows execution of arbitrary commands via a flaw in the way Bash parses function definitions passed to it in environment variables. Bash is used by Apache’s CGI module, and there have already been reports of exploits using it “in the wild”.

What is Puppet?

There is, however, an extremely easy-to-implement way of upgrading Bash on Linux systems, using only three lines of code and the Puppet configuration management software, which runs on all major Linux distributions including Ubuntu, Red Hat Enterprise Linux, SLES, CentOS and Debian.

I have been a long-term user of Puppet since joining TIM Group in 2011, and recently attended PuppetCamp London in April this year and PuppetConf in San Francisco in September. I have a VMware Tools Puppet module available on the PuppetForge for anyone to download and use, and on GitHub for anyone to contribute to.

Puppet is a configuration and system management tool that can quickly and easily apply and enforce the correct state across almost any system. If you want to know more, I urge you to check out the PuppetLabs documentation.

The Fix

Once you have Puppet installed and configured, all you need to add is this code:

package { 'bash':
    ensure => latest,
}

This code instructs Puppet to make sure that the bash package (which contains the bash binary itself) is at the latest version available from your configured package repositories, rather than merely ensuring that the package is installed in the first place.

Note that “latest” means the latest version your repositories know about: Puppet will only upgrade Bash if you have an up-to-date copy of the repository metadata on the machine (e.g. by running apt-get update on a Debian-based system) and your distribution has already published a patched bash package.

Voilà – Shellshock has been mitigated (for the moment) using three lines of code – a sysadmin’s dream! A bonus of this automated approach is that every time Puppet runs it will make sure the package is at the latest available version, which helps roll out further updates quickly and efficiently should they be necessary.

The Test

To test if your system is vulnerable, you can run the following in your command-line Terminal:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the word “vulnerable” is printed before “this is a test”, as in the screenshot below, your system is vulnerable:

[Screenshot: Shellshock Fail]

If only “this is a test” is printed (a patched Bash may additionally print a warning on stderr that it is ignoring the function definition attempt), your system is not vulnerable, and you can relax:

[Screenshot: Shellshock Pass]
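Reading the output by eye is fine for one machine, but across a fleet you want the same probe to return an exit status that a monitoring check or an audit script can act on. The script below is an added example, not code from the original post: it wraps the post’s one-line test in a function that reports 0 (not vulnerable), 1 (vulnerable) or 2 (Bash binary not found). The function names and the status convention are my own choices; the probe itself is exactly the one above.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's one-line probe
# wrapped in a function that returns an exit status, so it can drive a
# monitoring check or a fleet-wide audit instead of being read by eye.
# The function names and the 0/1/2 status convention are my own choices.

# shellshock_check [BASH_PATH]
#   Probes the given Bash binary (default: the first "bash" on PATH) for
#   CVE-2014-6271. Returns 0 if it is NOT vulnerable, 1 if it IS vulnerable,
#   2 if the binary cannot be found.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2

    # Same probe as in the post: an environment variable holding a function
    # definition with a command appended after it. An unpatched Bash runs the
    # appended command while importing the function; a patched Bash ignores
    # it (and prints a warning on stderr, which is discarded here).
    output=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)

    case "$output" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# shellshock_report [BASH_PATH]
#   Human-readable wrapper around shellshock_check; always returns 0 so it is
#   safe to call from scripts running under "set -e".
shellshock_report() {
    if shellshock_check "$1"; then rc=0; else rc=$?; fi
    case "$rc" in
        0) echo "PASS: ${1:-bash} ignores the injected command" ;;
        1) echo "FAIL: ${1:-bash} is vulnerable to CVE-2014-6271" ;;
        *) echo "SKIP: ${1:-bash} not found" ;;
    esac
    return 0
}

# Usage: sh shellshock_check.sh [/path/to/bash]
shellshock_report "$1"
```

Because the check returns a status rather than text, it can be run from cron against every host after a Puppet run, or pointed at a specific binary (for example an older Bash kept outside the package manager) by passing its path as the first argument.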

