Forum Discussion
Has anyone written an iRule to filter CVE-2014-6271?
False positives could be an issue with the POST body so I'd try to not use the [HTTP::request] if you are concerned with that.
The pattern I've found that matches on all the cases I've seen is
"*(*)*\{*"
This is simple to match against using the string match function.
when HTTP_REQUEST {
    # Glob pattern: "(" ... ")" ... "{" appearing in that order
    set pattern "*(*)*\{*";
    if { [string match $pattern [HTTP::uri]] } {
        log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]' in URI '[HTTP::uri]'";
        reject;
    } else {
        # Check every value of every request header
        foreach header_name [HTTP::header names] {
            foreach header_value [HTTP::header values $header_name] {
                if { [string match $pattern $header_value] } {
                    log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]' in HTTP Header $header_name = '$header_value'; URI = '[HTTP::uri]'";
                    reject;
                    # return leaves the event; break would only exit the inner loop
                    return;
                }
            }
        }
    }
}
One could greatly simplify this if you aren't concerned with false positives by just using the HTTP::request value:
when HTTP_REQUEST {
    if { [string match "*(*)*\{*" [HTTP::request]] } {
        log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]' in URI = '[HTTP::uri]'";
        reject;
    }
}
I've run as many use cases as I could through this iRule. If anyone finds one that is not triggered, please comment with the details...
-Joe
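Added example, not part of the post above: a Python harness that runs the same glob over constructed requests to compare the per-field rule with the simplified whole-request rule. Assumptions: fnmatchcase stands in for Tcl's string match (equivalent for this pattern), [HTTP::request] is modelled as the request line plus headers, and the sample requests are made up.

```python
from fnmatch import fnmatchcase

# The post's glob after Tcl backslash substitution ("\{" becomes "{").
# fnmatchcase treats "(", ")" and "{" literally and "*" as any run of
# characters, so it behaves like [string match] for this pattern.
PATTERN = "*(*)*{*"

def per_field_hits(uri, headers):
    """First rule: test the URI, then each header value on its own."""
    hits = []
    if fnmatchcase(uri, PATTERN):
        hits.append("URI")
    hits += [name for name, value in headers if fnmatchcase(value, PATTERN)]
    return hits

def raw_request_hit(method, uri, headers):
    """Simplified rule: one match over request line and headers joined."""
    raw = f"{method} {uri} HTTP/1.1\r\n"
    raw += "".join(f"{name}: {value}\r\n" for name, value in headers)
    return fnmatchcase(raw, PATTERN)

# Constructed sample requests (not captured traffic).
BENIGN = ("GET", "/index.html", [
    ("Host", "www.example.com"),
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("Cookie", 'prefs={"theme":"dark"}'),
])
PROBE = ("GET", "/cgi-bin/status", [
    ("Host", "www.example.com"),
    # Function-definition prefix followed by a harmless placeholder.
    ("User-Agent", "() { :; }; constructed-placeholder"),
])

if __name__ == "__main__":
    for label, (method, uri, headers) in (("benign", BENIGN), ("probe", PROBE)):
        print(label,
              "per-field:", per_field_hits(uri, headers),
              "raw:", raw_request_hit(method, uri, headers))
```

The benign request passes the per-field rule but is rejected by the whole-request match, because the parentheses in User-Agent and the brace in Cookie line up across header boundaries.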