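#!/bin/bash
# 02-02-2022 CVE-2021-44142
# Enrico Pasqualotto epasqualotto AT backloop.biz
#
# Check whether the installed Samba package on Debian/Ubuntu is older than the
# release that carries the fix for CVE-2021-44142, and optionally upgrade it.
#
# Usage:  ./script [--help | --fix]
#   --fix   upgrade the samba package with apt-get (requires root)
#
# Exit status: 0 when the check completed (vulnerable or not) or no package /
# no information was found, 1 when the OS is unsupported, no patch is known for
# the release, or an auto-fix was requested and did not succeed.
#
# Only Debian and Ubuntu are handled. Red Hat family systems are detected but
# neither checked nor fixed. Reference versions come from the original script
# and must be kept in sync with the distribution security advisories.

set -u

OS_DETECTED=0
fix=0
DISTRIB=""
VER=""
VERNAME=""
res=""      # result of the last comparison: same | lower | greater | unknown
vuln=1      # 1 when the last comparison concluded "vulnerable"
readonly PACKAGE=samba

declare -A fixedVer   # Ubuntu VERSION_ID without the dot -> first patched samba version
declare -A vulnVer    # Debian codename -> last known vulnerable samba version

fixedVer["1804"]="2:4.7.6+dfsg~ubuntu-0ubuntu2.28"
# NOTE(review): the 2004 entry carries a 21.04-style package revision; confirm
# against the distribution advisory for 20.04 before relying on it.
fixedVer["2004"]="2:4.13.17~dfsg-0ubuntu0.21.04.1"
fixedVer["2110"]="2:4.13.17~dfsg-0ubuntu0.21.10.1"

vulnVer["stretch"]="2:4.5.16+dfsg-1+deb9u4"
vulnVer["buster"]="2:4.9.5+dfsg-5+deb10u2"
# the original key was misspelt "bulleye", so bullseye hosts never matched
vulnVer["bullseye"]="2:4.13.13+dfsg-1~deb11u2"
vulnVer["sid"]="2:4.13.14+dfsg-1"
vulnVer["bookworm"]="2:4.13.14+dfsg-1"

#######################################
# Compare two dotted version strings numerically, field by field.
# Arguments: $1 - first version, $2 - second version
# Returns:   0 if equal, 1 if $1 > $2, 2 if $1 < $2
# Note: not used by the check below (dpkg --compare-versions understands
# Debian epochs and revisions); kept for compatibility.
#######################################
vercomp() {
  if [[ "$1" == "$2" ]]; then
    return 0
  fi
  local IFS=.
  local i
  # word-splitting on IFS=. is intentional here
  # shellcheck disable=SC2206
  local -a ver1=($1) ver2=($2)
  # pad ver1 with zeros so missing fields compare as 0
  for ((i = ${#ver1[@]}; i < ${#ver2[@]}; i++)); do
    ver1[i]=0
  done
  for ((i = 0; i < ${#ver1[@]}; i++)); do
    if [[ -z "${ver2[i]-}" ]]; then
      # pad ver2 with zeros as well
      ver2[i]=0
    fi
    # 10# forces base 10 so fields such as "08" are not read as octal
    if (( 10#${ver1[i]} > 10#${ver2[i]} )); then
      return 1
    fi
    if (( 10#${ver1[i]} < 10#${ver2[i]} )); then
      return 2
    fi
  done
  return 0
}

#######################################
# Print the installed version of a Debian package.
# Arguments: $1 - package name
# Outputs:   version string on stdout (empty when dpkg knows nothing about it)
#######################################
getDebianPkgVer() {
  # match the "Version:" field exactly; a plain grep for "Version" could also
  # hit the package description
  dpkg -s "$1" 2>/dev/null | awk -F': ' '$1 == "Version" { print $2; exit }'
}

#######################################
# Test whether a package is actually installed (not just mentioned by dpkg -l).
# Arguments: $1 - package name
# Returns:   0 when the package state is "install ok installed"
#######################################
pkg_installed() {
  local status
  status=$(dpkg-query -W -f='${Status}' "$1" 2>/dev/null) || return 1
  [[ "$status" == "install ok installed" ]]
}

#######################################
# Print one key of /etc/os-release with surrounding quotes removed.
# Arguments: $1 - key name (NAME, VERSION_ID, ...)
# Outputs:   the value on stdout, empty when the key or file is missing
#######################################
os_release_field() {
  grep -m1 "^$1=" /etc/os-release 2>/dev/null | cut -d= -f2- | tr -d '"'
}

#######################################
# Identify the distribution and populate DISTRIB / VER / VERNAME.
# Globals:   OS_DETECTED, DISTRIB, VER, VERNAME (written)
# Exits:     1 when the OS is not Linux or not one of the known families
#######################################
detect_os() {
  if [[ "$OSTYPE" != "linux-gnu"* ]]; then
    echo "O.S. $OSTYPE Not supported!"
    exit 1
  fi
  if [[ -f /etc/os-release && "$(os_release_field NAME)" == "Ubuntu" ]]; then
    OS_DETECTED=1
    DISTRIB=Ubuntu
    VERNAME=$(os_release_field VERSION_CODENAME)
    VER=$(os_release_field VERSION_ID)
  elif [[ -f /etc/debian_version ]]; then
    OS_DETECTED=1
    DISTRIB=Debian
    VER=$(cat /etc/debian_version)
    # old releases lack VERSION_CODENAME; the original defaulted to stretch
    VERNAME=$(. /etc/os-release 2>/dev/null && echo "${VERSION_CODENAME-stretch}")
  elif [[ -f /etc/redhat-release ]]; then
    OS_DETECTED=1
    DISTRIB=$(os_release_field NAME)
    VERNAME=$(os_release_field PRETTY_NAME)
    VER=$(os_release_field VERSION_ID)
  fi
  if (( OS_DETECTED == 0 )); then
    echo "O.S. not supported!"
    exit 1
  fi
  echo "Detected O.S. : $DISTRIB $VER $VERNAME"
}

#######################################
# Compare an installed version with a reference and record the verdict.
# Arguments: $1 - installed version
#            $2 - reference version
#            $3 - "fixed" when $2 is the first patched version,
#                 "vulnerable" when $2 is the last known vulnerable version
# Globals:   res (written: same|lower|greater|unknown), vuln (written: 0|1)
# Returns:   0 when dpkg could compare the versions, 1 otherwise (vuln is then
#            set to 1 so an unparsable version is never reported as safe)
#######################################
classify_version() {
  local cur=$1 ref=$2 kind=$3
  if [[ "$cur" == "$ref" ]]; then
    res=same
    # equal to the patched version is safe; equal to the vulnerable one is not
    if [[ "$kind" == "fixed" ]]; then
      vuln=0
    else
      vuln=1
    fi
    return 0
  fi
  # dpkg handles epochs, "~" and "+dfsg" suffixes; exit 0 means cur < ref
  dpkg --compare-versions "$cur" lt "$ref"
  case $? in
    0) res=lower; vuln=1 ;;
    1) res=greater; vuln=0 ;;
    *)
      res=unknown
      vuln=1
      return 1 ;;
  esac
  return 0
}

#######################################
# Upgrade PACKAGE with apt-get and re-check it against the patched version.
# Arguments: $1 - version installed before the upgrade
#            $2 - first patched version
# Globals:   PACKAGE (read), res / vuln (written)
# Returns:   0 when the upgraded package is no longer vulnerable
# Exits:     1 when not running as root
#######################################
apply_fix() {
  local before=$1 ref=$2 after
  if (( EUID != 0 )); then
    echo "Auto-fix option needs root privilege. Please run with sudo or as root"
    exit 1
  fi
  apt-get update
  apt-get -y install "$PACKAGE"
  after=$(getDebianPkgVer "$PACKAGE")
  if [[ "$before" == "$after" ]]; then
    echo "Attempt to install new version of pkg failed!"
    return 1
  fi
  echo "Upgrade done"
  classify_version "$after" "$ref" fixed
  echo "My version ($after) is $res than version ($ref) with the patch"
  # the original printed "no more vulnerable" regardless of the re-check
  if (( vuln == 0 )); then
    echo "System no more vulnerable!"
    return 0
  fi
  echo "System still vulnerable after upgrade!"
  return 1
}

#######################################
# Report the verdict against a patched reference version and fix if requested.
# Arguments: $1 - installed version, $2 - first patched version
# Globals:   fix (read)
#######################################
report_fixed() {
  local cur=$1 ref=$2
  if classify_version "$cur" "$ref" fixed; then
    echo "My version ($cur) is $res than version ($ref) with the patch"
  else
    echo "Could not compare version ($cur) with ($ref); assuming vulnerable"
  fi
  if (( vuln == 0 )); then
    echo "System not vulnerable"
    return 0
  fi
  echo "System vulnerable!"
  if (( fix == 1 )); then
    apply_fix "$cur" "$ref"
  fi
}

#######################################
# Report the verdict against a last-known-vulnerable reference version.
# Arguments: $1 - installed version, $2 - last known vulnerable version
# Globals:   fix (read)
#######################################
report_vulnerable() {
  local cur=$1 ref=$2
  if classify_version "$cur" "$ref" vulnerable; then
    echo "My version ($cur) is $res than version ($ref) vulnerable"
  else
    echo "Could not compare version ($cur) with ($ref); assuming vulnerable"
  fi
  if (( vuln == 0 )); then
    echo "System not vulnerable"
    return 0
  fi
  echo "System vulnerable!"
  if (( fix == 1 )); then
    echo "No fix available at this time"
  fi
}

#######################################
# Ubuntu check: look up the patched version by VERSION_ID without the dot.
# Globals:   VER, PACKAGE, fixedVer (read)
#######################################
check_ubuntu() {
  local key=${VER//./}   # "20.04" -> "2004"
  local ref="" cur
  if ! pkg_installed "$PACKAGE"; then
    echo "No package found on your system. You are not vulnerable!"
    exit 0
  fi
  cur=$(getDebianPkgVer "$PACKAGE")
  # an empty key would be a bad array subscript, so guard the lookup
  if [[ -n "$key" ]]; then
    ref=${fixedVer[$key]-}
  fi
  if [[ -z "$ref" ]]; then
    echo "No patch available for your distribution/version"
    # a stray pkexec chmod hint from an unrelated checker was removed here;
    # it does not apply to Samba
    exit 1
  fi
  report_fixed "$cur" "$ref"
}

#######################################
# Debian check: prefer a patched reference for the codename, otherwise fall
# back to the last known vulnerable version.
# Globals:   VERNAME, PACKAGE, fixedVer, vulnVer (read)
#######################################
check_debian() {
  local cur myfixedver="" myvulnver=""
  if ! pkg_installed "$PACKAGE"; then
    echo "No package found on your system. You are not vulnerable!"
    exit 0
  fi
  cur=$(getDebianPkgVer "$PACKAGE")
  if [[ -n "$VERNAME" ]]; then
    myfixedver=${fixedVer[$VERNAME]-}
    myvulnver=${vulnVer[$VERNAME]-}
  fi
  if [[ -n "$myfixedver" ]]; then
    report_fixed "$cur" "$myfixedver"
  elif [[ -n "$myvulnver" ]]; then
    report_vulnerable "$cur" "$myvulnver"
  else
    echo "No information available for your system. Sorry"
    exit 0
  fi
}

main() {
  case "${1-}" in
    --help)
      echo "Use --fix to patch your system"
      exit 0 ;;
    --fix)
      fix=1
      echo "Run with auto-fix enabled!"
      sleep 2 ;;
  esac
  detect_os
  case "$DISTRIB" in
    Ubuntu) check_ubuntu ;;
    Debian) check_debian ;;
    *)
      echo "Fix and check not available for your distribution!"
      exit 1 ;;
  esac
}

main "$@"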