NOTE: Tripwire VERT has delivered robust coverage for the new ‘BashBug/ShellShock’ BASH vulnerability (CVE-2014-6271) in ASPL-582. To find the BashBug/ShellShock vulnerability in your environment with Tripwire IP360, simply update to the latest ASPL release and run your scans as usual.
With the release of the recent VERT Alert on ShellShock (CVE-2014-6271), many of you may be reaching for your IP360 Administrator’s guide to remember how to create a custom vulnerability. Let’s save you the trouble and walk through the steps necessary to scan your environment using the published rules.
The VERT Alert contains one rule for a remote (unauthenticated) check and one rule for a local (authenticated) check. We will cover creating both vulnerability checks in this walkthrough.
Create the ShellShock custom vulnerabilities with these steps:
1. Create each custom vulnerabilitya. Fill in name/description b. Select associated application c. Copy/paste rule from the VERT Alert
2. Create a new ShellShock Scan Profilea. Copy from existing scan profile b. Use Fine Tune to filter to the ShellShock vulnerabilities c. Select “Fast Application Scan” to minimize scan time
CREATING A CUSTOM VULNERABILITY
In order to create a custom vulnerability in IP360, navigate to Discover > Custom ASPL >Vulnerabilities. Then, click on “new” in the upper-right hand corner of your screen. This will bring up the “Create/Modify Vulnerability” screen.
Fill in the Name and if someone besides you will be reviewing the results, provide them a Description with some sort of next steps for resolution even if it is simply asking them to contact your company’s security department.
After clicking submit, IP360 will ask you to choose an application. I will assume that we are first going to create the unauthenticated rule check, so choose “HTTP-Based” as the application.
Note: the HTTP application includes HTTPS, as well.
After submitting the application, click “new” in the rules section and paste the “Remote HTTP” rule from the VERT Alert into the textbox. Note: I would recommend that you click “Download Raw” and then copy and paste from the downloaded text file. Since the rule is Python, copying and pasting from the browser could result in extra whitespace which would cause the rule to fail to run.
After clicking submit, your “ShellShock Remote” vulnerability is complete.
In order to create the authenticated check, you will complete the exact same steps above except you will choose “SSH-DRT Discovered Operating System” as the application.
In review, here are the completed vulnerabilities in IP360.
CREATING A SHELLSHOCK SCAN PROFILE
With the custom vulnerabilities created, you can wait for your next scheduled scans to run in order to check for these custom vulnerabilities. However, I’m sure most of you will want to run a scan now. For that, you will need a new scan profile that targets just these two custom vulnerabilities.
Navigate to Discover > Scan Profiles and select one of your existing vulnerability scan profiles. For demonstration purposes, I’ve selected the built-in “Tripwire: Standard Profile.”
Since we want to create a new scan profile, select “Save as new profile” and rename this scan profile to “ShellShock: Local and Remote.”
Make sure that the “Scan Features > Vulnerability Scan” checkbox is selected as well as the “Credentials > SSH” checkbox.
Now, navigate to the “Fine Tune” tab. Change the Action to “Include” and then click on “Search.”
In the popup window, search for “ShellShock,” select the two vulnerabilities found and click “Add.”
Note: You will know that you have successfully added them when the checkbox next to the vulnerability becomes disabled. Close the popup window, and you should see the two vulnerabilities listed in the main window.
Before clicking submit, select the “Fast Application Scan” checkbox.
IP360’s scan process normally profiles all applications on a device before running a vulnerability scan. In this case, we only want IP360 to check for the applications that are vulnerability to ShellShock. This will allow IP360 to quickly scan your company’s environment for this particular vulnerability. The new scan profile’s fine tune screen should resemble the following screenshot before you click submit.
Now that your scan profile is complete, navigate to Discover > Scan on Demand and start scanning!
In review, we’ve created a custom vulnerability and a custom scan profile that allows us to run targeted scans for ShellShock. Remember these steps the next time a high-risk vulnerability needs to be detected in your environment.