Forum Discussion
Bruce_123314
Nimbostratus
Sep 25, 2014
CVE-2014-6271 (BASH) vulnerability
Are the F5 FirePass vulnerable to the CVE-2014-6271 (BASH) vulnerability?
Gary_Zhu
Nimbostratus
Sep 25, 2014
I am not sure about the FirePass, but if the target server is running the version of BASH (not yet fully patched), yes, F5 LTM will pass it through; I just tested it.
I have put in the iRule below to block these types of requests; however, this is just a User-Agent check, and there is no way to check for all headers. It is also very specific to this attack and variants of this attack.
Any suggestion to improve the iRule below is welcome. I put contains first, thinking it might be faster:
when HTTP_REQUEST {
    # Cheap substring test first; the regex checks only run if "echo" is present
    if { [string tolower [HTTP::header value User-Agent]] contains "echo" } {
        # Two "echo" occurrences in the User-Agent
        if { [string tolower [HTTP::header value User-Agent]] matches_regex ".*echo.*echo.*" } {
            log local0. "Bad request from [IP::client_addr] with User agent [HTTP::header value User-Agent]"
            HTTP::respond 403 content "What the f..." noserver
        # Three or more semicolons in the User-Agent
        } elseif { [string tolower [HTTP::header value User-Agent]] matches_regex ".*;.*;.*;.*" } {
            log local0. "Bad request from [IP::client_addr] with User agent [HTTP::header value User-Agent]"
            HTTP::respond 403 content "What the f..." noserver
        }
    }
}
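A broader check than the User-Agent match above, as an added example that is not part of the original post or F5's own code: it walks every request header and rejects any value containing the `() {` function-definition prefix that CVE-2014-6271 payloads begin with. The glob pattern, variable names, log text and response body are assumptions chosen for illustration.

```tcl
when HTTP_REQUEST {
    # Assumed signature: the literal "() {" anywhere in a header value.
    # Bash only treats a value as a function definition when it starts with
    # these four characters, so matching anywhere is a conservative superset.
    set pattern "*() \{*"
    set hit ""

    # HTTP::header names returns every header name in the request;
    # HTTP::header values returns all values for a (possibly repeated) header.
    foreach name [HTTP::header names] {
        foreach value [HTTP::header values $name] {
            if { [string match $pattern $value] } {
                set hit $name
                break
            }
        }
        if { $hit ne "" } { break }
    }

    if { $hit ne "" } {
        # Log the header that matched, not its value, to keep the log line short
        log local0. "CVE-2014-6271 pattern in header $hit from [IP::client_addr]"
        HTTP::respond 403 content "Forbidden" noserver
    }
}
```

This only filters HTTP headers at the proxy; patching Bash on the back-end servers is still the actual fix.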