Forum Discussion

Craig_C_'s avatar
Craig_C_
Icon for Nimbostratus rankNimbostratus
Sep 24, 2014

Has anyone written an iRule to filter CVE-2014-6271?

CVE-2014-6271 was made public today, potentially wreaking havoc on apache/bash. Has anyone written an iRule to filter this vulnerability from HTTP GET requests?

 

application delivery
devops
iRules

19 Replies

  • John_Alam_45640's avatar
    John_Alam_45640
    Historic F5 Account
    Sep 24, 2014

    Here is one to start with:

    when HTTP_REQUEST {
  if {[HTTP::request] contains "() \{" } { 
        log local0. "Detected CVE-2014-6271 attack from [IP::client_addr]"
        TCP::close
        drop
      }

}
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Sep 25, 2014

    Hey John,

     

    Nice one. I wonder if this would affect valid traffic? Any thoughts?

     

    --Removed to avoid confusion

     

  • Chris_Campbell1's avatar
    Chris_Campbell1
    Icon for Cirrus rankCirrus
    Sep 25, 2014

    () { also matches a function definition in many languages so this has the potential to block some legitimate traffic.

     

  • Moonlit's avatar
    Moonlit
    Icon for Cirrus rankCirrus
    Sep 25, 2014

    It gives me "Some fields below contain errors. Correct them before continuing." when I try to parse it on 11.5.1, must be related to the string match syntax maybe?

     

  • benoit_9199's avatar
    benoit_9199
    Icon for Nimbostratus rankNimbostratus
    Sep 25, 2014

    Here is some corrections on your version but the initial version seem more simple and does match all headers so...

    when HTTP_REQUEST { 
   foreach header_name [HTTP::header names] {
      foreach header_value [HTTP::header values $header_name] {
           replaced [string match -nocase "() \{*;\};*" $header_value], doesn't match enough
          if { $header_value contains "() \{" } { 
           log local0. "Detected CVE-2014-6271 attack from [IP::client_addr]"
           reject
         }
      }
   }
}

    Edit: added a missing ending "*" for the match to work

  • Moonlit's avatar
    Moonlit
    Icon for Cirrus rankCirrus
    Sep 25, 2014

    Thanks. I have tested it on a lot of our production sites now, and it hasn't kicked on any traffic, malicious of legitimate, yet. I'll keep you updated.

     

  • John_Alam_45640's avatar
    John_Alam_45640
    Historic F5 Account
    Sep 25, 2014

    Here is a quick test of my version of the iRule:

    curl http://192.168.1.59/?text='() \{'

    Here is what the BigIP logs:

    Rule /Common/bash_vul : Detected CVE-2014-6271 attack from 192.168.1.133

    Here is what the Request looks like:

    GET /?text=() { HTTP/1.1  
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1e zlib/1.2.3 libidn/0.6.5  
Host: 192.168.1.59  
Accept: */*

    This will log the actual attack request. 

    when HTTP_REQUEST {
  if {[HTTP::request] contains "() \{" } { 
        log local0. "Detected CVE-2014-6271 attack from [IP::client_addr]"
        log local0. "[HTTP::request]"
        TCP::close
        drop
      }

}
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Sep 25, 2014

    Thanks John.

     

    My slightly more specific version if anyone needs it.

     

    --I give up! :-)

     

  • Emad's avatar
    Emad
    Icon for Cirrostratus rankCirrostratus
    Sep 25, 2014

    not working for 

    : GET /wordpress/index.php HTTP/1.1  User-Agent: () { :;}; echo Content-type:text/plain;echo;  Host: johny.com  Accept: */*

    ```