Fidelis Cybersecurity
Fidelis Blog


Finding the Shellshock Vulnerability with CloudPassage Halo

A serious vulnerability, CVE-2014-6271, being variably referred to as Shellshock or Shellshocked, was just reported in the Bourne-Again Shell (bash) that affects most *NIX-based systems. Because the bash shell is so prevalent on *NIX systems, the vulnerability can be leveraged in many different ways to allow unauthorized access and modification of computers remotely. See the NIST vulnerability summary to learn more about this vulnerability and the systems it affects.

If you are a Halo user, you can quickly find out which of your servers have this vulnerability present using the newly-released Reports page in your Halo portal, or using the Halo API.

Using the Halo UI to find vulnerable servers

First, since this is a recently-released vulnerability, you’ll want to run a fresh scan on your servers from the snapshot page. Select all of your servers and click “Launch scan” from the Actions menu. Your scan should be completed within a few minutes.

launch new software scan cloudpassage halo

Once you have run your scans, navigate to the Reports page.

Search by CVE Reference Number – From the Search Criteria selector on the top right, enter CVE-2014-6271, and click submit. You’ll get a list of servers that found that vulnerability on their latest software scan.

shellshock on halo reports page

You can export these results as a PDF report or to a CSV file using the buttons on the top right of the search results. For more information about how to use the Reports page, please see our documentation.

Using the Halo API to find vulnerable servers

Again, since this is a recently-released vulnerability, you’ll want to run a fresh scan on your servers from the snapshot page, or run the script to launch new scans across all servers posted on GitHub.

Once your scans have completed, make this simple call:


Note: This call will only return active servers by default – to get servers in a different state like “deactivated”, specify the state (/v1/servers?state=deactivated&cve=CVE-2014-6271)

Your list of servers will be returned in JSON format. If you’d prefer the list of servers in CSV format, simply append .csv to “servers”:


For more information about what filters are available for the servers endpoint, please see our API Documentation. If you have used the script on github to find vulnerable CVEs on your servers, you can still use that as well.

Stay up to date on all things security

Subscribe to the Threat Geek Blog