luyenntk50db_14
Oct 24, 2014

F5 shellshock with Bash shell.

I checked my F5 with the command:

    env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

and I received the result:

    vulnerable
    this is a test

Thus, my system is vulnerable.

 

I read this link: https://devcentral.f5.com/articles/shellshock-mitigation-with-big-ip-irules

But I also read this link: https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html

I want to know whether this link solves the bash vulnerability problem. Please guide me on solving this bash vulnerability problem.

 


 

3 Replies

  • SOL15629 is what you need if you are concerned with Shellshock in F5 Management Advanced Shell.

     

    The latest hotfixes are available, which patch the bash vulnerability - simply patch your F5 with the latest hotfix for your version:

    11.6.0 HF1
    11.5.1 HF5
    11.5.0 HF5
    11.4.1 HF5
    11.4.0 HF8
    11.3.0 HF10
    11.2.1 HF12
    10.2.4 HF9

     

    Sam

     

  • nathe

    luyenntk50db,

     

    The iRule is for backend servers that might be vulnerable that are fronted by a big-ip device. The big-ip, via an irule, can prevent the attack vector from reaching the backend servers. This gives you time to patch them.

     

    Sol15629 details the big-ip TMOS versions that are vulnerable, namely the management web gui. If you haven't patched to the non-vulnerable release then you will be vulnerable. Of course, bear in mind that, as of a couple of weeks ago, the only exploit was an authenticated one, i.e. an attacker would need admin/root access to the big-ip. A further recommendation is to keep the management network on a private, secure network, and if there are any self IPs which are externally accessible then disable 443 access.

     

    Hope this helps,

     

    N
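
The kind of iRule the reply above describes, as an added example that is not part of the original thread and is not F5's published iRule: it rejects any request whose URI or header values contain the "() {" function-definition marker seen in the test string from the question. It assumes an HTTP virtual server in front of the backend servers that are still waiting for their bash patch.

```tcl
# Added example, not F5's published iRule.
when HTTP_REQUEST {
    # bash treats an environment value that begins with "() {" as a function
    # definition, and CGI-style backends copy request headers into the
    # environment. The glob below matches the marker anywhere in a value,
    # which is deliberately broader than "begins with".
    set marker "*() \{*"
    set hit ""

    # Check the decoded URI first, then every value of every header.
    if { [string match $marker [URI::decode [HTTP::uri]]] } {
        set hit "URI"
    } else {
        foreach name [HTTP::header names] {
            foreach value [HTTP::header values $name] {
                if { [string match $marker $value] } {
                    set hit "header $name"
                    break
                }
            }
            if { $hit ne "" } { break }
        }
    }

    if { $hit ne "" } {
        # Record who sent it and where the marker was found, then drop the
        # connection so the request never reaches a pool member.
        log local0.warning "Shellshock marker in $hit from [IP::client_addr] to [HTTP::host]"
        reject
        return
    }
}
```

This only shields the servers behind the virtual server; the BIG-IP's own bash is fixed by the hotfixes listed in the first reply.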