Patch Shellshock with Ansible

24-09-2014 | Remy van Elst



This is a simple Ansible playbook that patches Debian, CentOS, Ubuntu and their derivatives against the Shellshock vulnerability (CVE-2014-6271).

Quoting Ars:

The bug, discovered by Stéphane Chazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network-based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

See http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ for more information.

The playbook that applies the fix, and adds the Debian 6 LTS repository where needed, consists of the following three files:

Main role:

 # cat playbooks/update.yml
 ---
 - hosts: all
   roles:
     - { role: apt-update, when: "ansible_os_family == 'Debian'" }
     - { role: yum-update, when: "ansible_os_family == 'RedHat'" }

Debian/Ubuntu role:

 # cat playbooks/roles/apt-update/tasks/main.yml
 ---
 # Debian 6 (squeeze) only gets the fix from the LTS repository, so add it first.
 - copy: src=debian-6-lts.list dest=/etc/apt/sources.list.d/debian-6-lts.list
   when: ansible_distribution_major_version == "6"

 #  Uncomment the following to test for the vuln.
 #
 # - shell: "export evil='() { :;}; echo vulnerable'; bash -c echo;"
 #   register: result

 # - fail:
 #     msg="Not vulnerable"
 #   when: result.stdout != 'vulnerable'

 # Refresh the package index and install the fixed bash.
 - apt: name=bash state=latest update_cache=yes

Debian 6 LTS repo file:

 # cat playbooks/roles/apt-update/files/debian-6-lts.list

 # Added by Ansible to fix CVE-2014-6271 (ShellShock)
 # See http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
 deb http://http.debian.net/debian/ squeeze main contrib non-free
 deb-src http://http.debian.net/debian/ squeeze main contrib non-free

 deb http://security.debian.org/ squeeze/updates main contrib non-free
 deb-src http://security.debian.org/ squeeze/updates main contrib non-free

 deb http://http.debian.net/debian squeeze-lts main contrib non-free
 deb-src http://http.debian.net/debian squeeze-lts main contrib non-free

Yum role:

 # cat playbooks/roles/yum-update/tasks/main.yml
 ---
 #  Uncomment the following to test for the vuln.
 #
 # - shell: "export evil='() { :;}; echo vulnerable'; bash -c echo;"
 #   register: result

 # - fail:
 #     msg="Not vulnerable"
 #   when: result.stdout != 'vulnerable'

 # Drop cached metadata so the fixed package is seen, then install it.
 - command: /usr/bin/yum clean all

 - yum: name=bash state=latest
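The commented-out test in both roles above is the well-known CVE-2014-6271 probe. As an added example, not part of the original post or the playbook, here is that same probe as a stand-alone POSIX sh script that can be run on a host before and after the roles above to confirm the update took effect. It uses env(1) rather than export so the crafted variable never enters the caller's own environment, and it reports explicitly when bash is not installed at all (a case the original one-liner would misreport as "not vulnerable"). The file name shellshock-check.sh and the exit-code convention are my own assumptions.

```shell
#!/bin/sh
# Constructed example: stand-alone CVE-2014-6271 check mirroring the
# commented-out probe in the apt-update and yum-update roles.
# Exit codes (assumed convention): 0 = patched, 1 = vulnerable, 2 = no bash.

shellshock_status() {
    # Minimal images may ship without bash; say so instead of guessing.
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # The value looks like a function definition followed by a trailing
    # command. An unpatched bash executes "echo vulnerable" while importing
    # the variable; a patched bash ignores it and the child prints only a
    # newline. env(1) scopes the variable to the child process.
    out=$(env evil='() { :;}; echo vulnerable' bash -c 'echo' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# When saved and run as shellshock-check.sh, print the status and propagate
# it as the exit code; when sourced or run under another name, only define
# the function.
case "$0" in
    *shellshock-check.sh) shellshock_status; exit $? ;;
esac
```

Because the script exits non-zero only when bash is actually vulnerable or missing, it drops straight into the roles above via Ansible's script module with `register: result` and `failed_when: result.rc == 1`, so an unpatched host fails loudly rather than silently, and a patched host reports "patched" on a second run of the play.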
