Qualys Web Application Scanning (WAS) has added a new detection that will provide the most comprehensive identification of the Shellshock vulnerability across all of your web applications. With the ability to crawl and identify even non-standard directory locations within your web application, Qualys WAS will deliver the most accurate, detailed and reliable form of automated ShellShock detection for web applications. ShellShock is a wide-reaching vulnerability with multiple attack vectors. If you use any form of Linux or Unix machines in your network you are likely to have the vulnerability. We have released a new QID (150134) for WAS specifically for this purpose.
Today Qualys is releasing QID 13038 in VULNSIG Release VULNSIGS-2.2.831-5 for remotely detecting ShellShock. For details on BASH ShellShock, refer to Wolfgang’s blog BASH Shellshock vulnerability – Update2. As you may know there could be multiple exploit vectors and the most popular remote vector is via the use of a cgi script using HTTP headers. QID 13038 is based on a similar technique. If you need a complete inventory of your machines that need patching we recommend that you use the authenticated QID 122693 and QID 122698.
Bash or Bourne Again Shell is prone to a remote code execution vulnerability in terms of how it processes specially crafted environment variables. Most Linux and Unix based systems are vulnerable since the Bash shell is one of the most common installs on a Linux system and is widely used. A lot of programs like SSH, telnet, CGI scripts allow bash to run in the background allowing the vulnerability to be exploited remotely over the network which makes it more scary. Refer to Wolfgang’s post BASH Shellshock vulnerability – Update5 for more details on the vulnerability.