Forum Discussion

Nimbostratus

Sep 24, 2014

Has anyone written an iRule to filter CVE-2014-6271?

CVE-2014-6271 was made public today, potentially wreaking havoc on apache/bash. Has anyone written an iRule to filter this vulnerability from HTTP GET requests?

Historic F5 Account

Sep 25, 2014

Here is a quick test of my version of the iRule:

curl http://192.168.1.59/?text='() \{'

Here is what the BigIP logs:

Rule /Common/bash_vul : Detected CVE-2014-6271 attack from 192.168.1.133

Here is what the Request looks like:

GET /?text=() { HTTP/1.1  
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1e zlib/1.2.3 libidn/0.6.5  
Host: 192.168.1.59  
Accept: */*

This will log the actual attack request.

when HTTP_REQUEST {
  if {[HTTP::request] contains "() \{" } { 
        log local0. "Detected CVE-2014-6271 attack from [IP::client_addr]"
        log local0. "[HTTP::request]"
        TCP::close
        drop
      }

}

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)