Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

goyogi's avatar
goyogi
Icon for Nimbostratus rankNimbostratus
Dec 08, 2017

Host header vulnerability

This interesting vulnerability was found with a simple redirect irule by injecting a bad actor site as a host header, the F5 will redirect based on the host header and not on the host within the URL ...
irules
security
Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous
Dec 11, 2017

Yup, as noted, this is not a vulnerability. I understand auditors must at all times provide as many vulnerability findings to justify their job but I've not yet met anyone provide me crap that does not relate to security at all. If one of your clients is a victim of a MITM attack, he is susceptible to worse things than HTTP Host rewrites. If there's a takeaway, consider another security audit firm, or ask for someone who knows his stuff a bit better.

 

The only vulnerability I see here is that "BigIP" is exposed as value of Server header. This qualifies as "low risk" security issue because attacker can use this information to look for existing exploits against BigIP software, or use the knowledge to his advantage in any other way.

 

goyogi's avatar
goyogi
Icon for Nimbostratus rankNimbostratus
Dec 11, 2017

Thanks for all of the feedback. It's much appreciated. I suppose I can put in a rule that says if host /= *.foobar.com then drop and log.

 

Something like this

 

block any redirects to another domain

priority 150 when HTTP_REQUEST {

 

log local0. "Received connection from [IP::client_addr]"

if {not(([string tolower [HTTP::header values Host]]) contains "foobar.com")} { log local0. "block.host.header.redirect.irule dropped connection from [IP::client_addr]" drop } }