Skip to main content

Raymii.org Logo (IEC resistor symbol)logo

Quis custodiet ipsos custodes?
Home | About | All pages | RSS Feed | Gopher

Patch Shellshock)with Ansible

Published: 24-09-2014 | Author: Remy van Elst | Text only version of this article


Table of Contents


This is a simple ansible playbook to patch Debian, CentOS, Ubuntu andderivatives for the Shellshock vulnerability (CVE-2014-6271).

If you like this article, consider sponsoring me by trying out a Digital OceanVPS. With this link you'll get $100 credit for 60 days). (referral link)

Quoting Ars:

The bug, discovered by Stephane Schazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network-based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

See: for more info.

The simple playbook that fixes it, and adds the Debian 6 LTS repo where needed,consists out of the following 3 files:

Main role:

# cat playbooks/update.yml --- - hosts: all   roles:     - { role: apt-update, when: "ansible_os_family == 'Debian'" }     - { role: yum-update, when: "ansible_os_family == 'RedHat'" }

Debian/Ubuntu Playbook

 # cat playbooks/roles/apt-update/tasks/main.yml - copy: src=debian-6-lts.list dest=/etc/apt/sources.list.d/debian-6-lts.list   when: ansible_distribution_major_version == "6" #  Uncomment the following to test for the vuln. # # - shell: "export evil='() { :;}; echo vulnerable'; bash -c echo;" #  register: result  # - fail: #     msg="Not vulnerable" #   when: result.stdout != 'vulnerable' - apt: name=bash state=latest update_cache=yes

Debian 6 LTS repo file:

 # cat playbooks/roles/apt-update/files/debian-6-lts.list  # Added by Ansible to fix CVE-2014-6271 (ShellShock) # See http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ deb http://http.debian.net/debian/ squeeze main contrib non-free deb-src http://http.debian.net/debian/ squeeze main contrib non-free deb http://security.debian.org/ squeeze/updates main contrib non-free deb-src http://security.debian.org/ squeeze/updates main contrib non-free deb http://http.debian.net/debian squeeze-lts main contrib non-free deb-src http://http.debian.net/debian squeeze-lts main contrib non-free

Yum Role:

 # cat playbooks/roles/yum-update/tasks/main.yml #  Uncomment the following to test for the vuln. #  # - shell: "export evil='() { :;}; echo vulnerable'; bash -c echo;" #   register: result # - fail: #     msg="Not vulnerable" #   when: result.stdout != 'vulnerable' - command: /usr/bin/yum clean all - yum: name=bash state=latest
Tags: ansible, articles, bash, centos, cve-2014-6271, debian, ubuntu