Cloud Platform
Cloud platform apps

See Resources

Bash Webcast

Recorded on October 6

Detect and Defend with Qualys

Shellshock represents a serious threat. Learn how to defend your organization in this webcast.


What you need to know about Shellshock (a.k.a Bash Bug)

The Shellshock vulnerability (CVE-2014-6271 & CVE-2014-7169) found in Bash impacts distributions of Linux, OS X, Unix and some Windows server systems. Because of the great number of systems that use these OSes, the impact of this vulnerability is going to be very widespread. Many of the Linux distributions and Apple have already released patches for their operating systems, but it will take time for these to be updated.

If you believe your network is at risk for Bash Shellshock, we have free tools available that will help you determine if your systems are susceptible to this vulnerability. Below is a list of free tools you can use now. Other tools you can trial will perform deeper scans into your network to reveal vulnerable systems.


If you are new to Qualys, run Qualys FreeScan to see how Qualys can detect and help you remediate Bash Shellshock. FreeScan is easy to configure, and detects and reports on Bash Shellshock using remote, authenticated and web application detections. Freescan is configured for up to 10 scans.

If you are familiar with Qualys or want more comprehensive detection of Bash Shellshock, you should run Qualys Vulnerability Management (VM), which is available as part of the full-featured Qualys Free Trial. Qualys VM detects Shellshock (CVE-2014-6271 and others) with authenticated scanning, which gives you a complete inventory of your machines that need patching to be protected from the attacks and enables tracking of your patching process. In addition the Bash Shellshock Detection option profile in Qualys VM comes pre-configured for remote detections, which identify your vulnerability to attacks via the Apache CGI vector in all of the standard locations for Bash as well as in locations identified by crawling your web apps.

If you want the most comprehensive detection for the Apache CGI attack vector and the most control over your web app scans, you should also run Qualys Web Application Scanning (WAS), available alongside Qualys VM in the Qualys Free Trial. Just like the Bash Shellshock Detection option profile in Qualys VM, Qualys WAS will crawl all your web apps and identify those that are susceptible to ShellShock, so that IT security managers can prioritize which applications need to be updated first. But Qualys WAS gives you full control over which links you crawl and can identify a whole range of other vulnerabilities beyond Shellshock. This breadth of coverage typically requires additional time to execute, so Qualys WAS should be run after a VM scan.


After running Qualys VM to get a snapshot in time of your vulnerable machines, it makes sense to use Qualys Continuous Monitoring (CM) to immediately get alerted if the Bash Shellshock vulnerability is detected on your perimeter hosts. This can happen even after you have patched all occurrences already, as we have seen with the Heartbleed vulnerability. With Heartbleed, customers have reported repeating occurrences as IT staff was using older images to install new hosts or appliances were brought online with a vulnerable version installed. Continuous Monitoring makes it easy to alert on these often unexpected conditions.


To further protect your networks, use the Qualys Web Application Firewall (WAF) to actively block threats without having to modify your applications. This protects you now and gives you time to identify resources to update your software in the future. Qualys WAF detects both variants of Shellshock by default and rates these attacks as critical. Detection confidence is high, so Qualys WAF is configured to block Shellshock attacks automatically.