CVE-2014-6271 (BASH) vulnerability

I am not sure the firepass, but if the target server is running the version of BASH, (not yet fully patched), yes, F5 LTM will pass through, I just tested it.

I have put in below iRule to block these types of requests, however, this is just for User-Agent check, there is no way to check for all headers. And this is very specific to this attack and variants of this attack.

Any suggestion to improve below iRule is welcome, put contains first thinking it might be faster:

when HTTP_REQUEST {
  if { [string tolower [HTTP::header value User-Agent]] contains "echo" } {
    if { [string tolower [HTTP::header value User-Agent]] matches_regex ".*echo.*echo.*" } {
        log local0. "Bad request from [IP::client_addr] with User agent [HTTP::header value User-Agent]"
        HTTP::respond 403 content "What the f..." noserver 
    } elseif { [string tolower [HTTP::header value User-Agent]] matches_regex ".*;.*;.*;.*" } {
    log local0. "Bad request from [IP::client_addr] with User agent [HTTP::header value User-Agent]"
    HTTP::respond 403 content "What the f..." noserver 
}
  } 
}