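#!/bin/bash
# Copyright (c) 2016 by 4PSA
# All rights reserved
#
# This script patches CVE-2015-7547
#
# It installs firewall rules that DROP DNS replies (source port 53) whose
# layer-3 packet length reaches the thresholds below, for IPv4 and IPv6.  When
# firewalld is installed and running, the rules are stored as permanent direct
# rules and the daemon is reloaded so they take effect; otherwise they are
# inserted with iptables/ip6tables and saved to the distribution's rules file
# where one exists.  This is a network-level mitigation only: the complete fix
# is an updated glibc.  Large DNS replies (e.g. EDNS0/DNSSEC answers) are
# dropped while the rules are in place.
#
# Must be run as root.  Exits 0 when every step succeeded and 1 when at least
# one rule could not be installed or saved (details on stderr).  Re-running
# the script is safe: rules that are already present are not added twice.

set -u

# Packet-length thresholds from the original hotfix.  The iptables `length`
# match compares the whole IP packet, so the usable DNS payload is somewhat
# smaller than these numbers suggest.
readonly UDP_MIN_LEN='513:'
readonly TCP_MIN_LEN='1025:'

# Overall exit status; set to 1 by warn().
rc=0

#######################################
# Report a non-fatal failure on stderr and remember it for the exit status.
# Globals:   rc (written)
# Arguments: message words
#######################################
warn() {
  printf 'warning: %s\n' "$*" >&2
  rc=1
}

#######################################
# Report a fatal error on stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Add one permanent firewalld direct rule unless it already exists.
# Globals:   changed (set to 1 when a rule was added)
# Arguments: $1 - address family (ipv4|ipv6)
#            $2 - protocol (udp|tcp)
#            $3 - `length` match argument (e.g. '513:')
#######################################
add_direct_rule() {
  local family=$1 proto=$2 length=$3
  local -a rule=("$family" filter INPUT 0 -p "$proto" --sport 53 \
    -m length --length "$length" -j DROP)
  # --query-rule returns 0 when the permanent rule is already stored.
  if firewall-cmd --permanent --direct --query-rule "${rule[@]}" >/dev/null 2>&1; then
    return 0
  fi
  if firewall-cmd --permanent --direct --add-rule "${rule[@]}"; then
    changed=1
  else
    warn "firewalld: could not add $family $proto rule"
  fi
}

#######################################
# True when the given iptables command already lists the hotfix rule.
# Arguments: $1 - iptables or ip6tables command
#######################################
rules_present() {
  "$1" -L -vn 2>/dev/null | grep -q 'tcp spt:53 length'
}

#######################################
# Persist the current rules to a file without truncating it on failure.
# Globals:   rc via warn()
# Arguments: $1 - iptables-save or ip6tables-save command
#            $2 - destination file
#######################################
save_rules() {
  local save_cmd=$1 target=$2 dump
  # Capture the dump first: a plain "save_cmd > target" would leave an empty
  # file (and lose the existing rules) if save_cmd failed.
  if dump=$("$save_cmd"); then
    printf '%s\n' "$dump" > "$target" || warn "could not write $target"
  else
    warn "$save_cmd failed; $target left unchanged"
  fi
}

#######################################
# Insert the two DROP rules with an iptables command and save them.
# Globals:   UDP_MIN_LEN, TCP_MIN_LEN (read)
# Arguments: $1 - iptables or ip6tables command
#            $2 - matching *-save command
#            $3 - rules file used on Red Hat systems
#            $4 - rules file used on Debian systems (saved only if it exists)
#######################################
install_rules() {
  local cmd=$1 save_cmd=$2 rh_file=$3 deb_file=$4
  "$cmd" -I INPUT -p udp --sport 53 -m length --length "$UDP_MIN_LEN" -j DROP \
    || warn "$cmd: could not add udp rule"
  "$cmd" -I INPUT -p tcp --sport 53 -m length --length "$TCP_MIN_LEN" -j DROP \
    || warn "$cmd: could not add tcp rule"
  if [ -f /etc/redhat-release ]; then
    echo "===> Saving Rules"
    save_rules "$save_cmd" "$rh_file"
  fi
  # On Debian the file exists only when iptables-persistent is set up; without
  # it nothing would load the saved rules at boot, so there is no point saving.
  if [ -f /etc/debian_version ] && [ -f "$deb_file" ]; then
    echo "===> Saving Rules"
    save_rules "$save_cmd" "$deb_file"
  fi
}

# Firewall changes need root; fail early instead of collecting EPERM errors.
[ "$(id -u)" -eq 0 ] || die "this script must be run as root"

# Use firewalld only when the daemon is installed, running and its CLI is
# available; rules inserted with raw iptables on such a host could be lost
# on the next firewalld reload.
usefirewalld=0
if [ -x /usr/sbin/firewalld ] && [ -x /usr/bin/firewall-cmd ] \
   && systemctl is-active --quiet firewalld; then
  usefirewalld=1
fi

if [ "$usefirewalld" -eq 1 ]; then
  echo "==> Apply hotfix using firewalld"
  changed=0
  for family in ipv4 ipv6; do
    add_direct_rule "$family" udp "$UDP_MIN_LEN"
    add_direct_rule "$family" tcp "$TCP_MIN_LEN"
  done
  # --permanent only edits the stored configuration; the rules become active
  # only after a reload, which the original hotfix never did.
  if [ "$changed" -eq 1 ]; then
    firewall-cmd --reload >/dev/null \
      || warn "firewall-cmd --reload failed; rules are saved but not yet active"
  fi
  echo "===> Done"
else
  echo "==> Apply hotfix for ipv4"
  if rules_present iptables; then
    echo "===> Hotfix already applied for ipv4"
  else
    install_rules iptables iptables-save /etc/sysconfig/iptables /etc/iptables/rules.v4
    echo "===> Done"
  fi

  if [ -x /usr/sbin/ip6tables ]; then
    echo "==> Try to apply hotfix for ipv6"
    if rules_present ip6tables; then
      echo "===> Hotfix already applied for ipv6"
    else
      install_rules ip6tables ip6tables-save /etc/sysconfig/ip6tables /etc/iptables/rules.v6
    fi
  fi
fi

exit "$rc"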