Published: 24-09-2014 | Author: Remy van Elst | Text only version of this article

Table of Contents

This is a simple ansible playbook to patch Debian, CentOS, Ubuntu and derivatives for the Shellshock vulnerability (CVE-2014-6271).

If you like this article, consider sponsoring me by trying out a Digital Ocean VPS. With this link you'll get $100 credit for 60 days). (referral link)

Quoting Ars:

The bug, discovered by Stephane Schazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network-based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

See: for more info.

The simple playbook that fixes it, and adds the Debian 6 LTS repo where needed, consists out of the following 3 files:

Main role:

# cat playbooks/update.yml --- - hosts: all roles: - { role: apt-update, when: "ansible_os_family == 'Debian'" } - { role: yum-update, when: "ansible_os_family == 'RedHat'" }

Debian/Ubuntu Playbook

# cat playbooks/roles/apt-update/tasks/main.yml - copy: src=debian-6-lts.list dest=/etc/apt/sources.list.d/debian-6-lts.list when: ansible_distribution_major_version == "6" # Uncomment the following to test for the vuln. # # - shell: "export evil='() { :;}; echo vulnerable'; bash -c echo;" # register: result # - fail: # msg="Not vulnerable" # when: result.stdout != 'vulnerable' - apt: name=bash state=latest update_cache=yes

Debian 6 LTS repo file:

# cat playbooks/roles/apt-update/files/debian-6-lts.list # Added by Ansible to fix CVE-2014-6271 (ShellShock) # See http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ deb http://http.debian.net/debian/ squeeze main contrib non-free deb-src http://http.debian.net/debian/ squeeze main contrib non-free deb http://security.debian.org/ squeeze/updates main contrib non-free deb-src http://security.debian.org/ squeeze/updates main contrib non-free deb http://http.debian.net/debian squeeze-lts main contrib non-free deb-src http://http.debian.net/debian squeeze-lts main contrib non-free

Yum Role:

# cat playbooks/roles/yum-update/tasks/main.yml # Uncomment the following to test for the vuln. # # - shell: "export evil='() { :;}; echo vulnerable'; bash -c echo;" # register: result # - fail: # msg="Not vulnerable" # when: result.stdout != 'vulnerable' - command: /usr/bin/yum clean all - yum: name=bash state=latest

Tags: ansible