For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

4 Replies

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Mar 08, 2017

    Hi Robinchien,

    you need to either create a whitelist containing your allowed 

    Content-Type
    request-header values (most secure but sligthly difficult approach) or black-list certain characters (e.g. 
    @
    , 
    .
    , 
    ,
    ,
    , 
    (
    or 
    )
    ) and attack-patterns (e.g. 
    ognl
    , 
    memberaccess
    , 
    getruntime
    , 
    exec
    ), which will unlikely used by your application but required to pulloff the s2-045 remote execution (less secure but easy to implement).

    Whitelist approach:

    when HTTP_REQUEST {
    switch -exact -- [string tolower [HTTP::header value "Content-Type"]] {
        "" - 
        "multipart/form-data" -
        "text/xml; charset=utf-8" - 
        "application/x-www-form-urlencoded" {
             Allow request with empty or white listed "Content-Type" headers
        }
        default {
             Reject request with unknown "Content-Type" headers
            reject
        }
    }
}

    Blacklist approach:

    when HTTP_REQUEST {
    switch -glob -- [string tolower [HTTP::header value "Content-Type"]] {
        "*@*" - 
        "**" - 
        "*.*" - 
        "*,*" - 
        "*(*" - 
        "*)*" - 
        "*ognl*" - 
        "*memberaccess*" -
        "*getruntime*" - 
        "*exec*" {
             Reject requests with suspicious "Content-Type" headers
            reject
        }
        default {
             Allow request with unsuspicious "Content-Type" headers
        }  
    }
}

    Cheers, Kai

  • John_Alam_45640's avatar
    John_Alam_45640
    Historic F5 Account
    Mar 09, 2017

    The Vulnerability has to do with File upload so, no use checking every single request.

    This is why my iRule on codeshare inspects the Content-Type for POST requests only.

    Here.

        when HTTP_REQUEST {
      if { [HTTP::method] equals "POST" } {

            if { not ( [HTTP::header Content-Type] equals "multipart/form-data" or [HTTP::header Content-Type] equals "application/x-www-form-urlencoded" or [HTTP::header Content-Type] equals "text/plain" ) } {
                reject
                log local0. "Rejecting a POST request with Content-type [HTTP::header Content-Type]  to  [HTTP::uri]  from  [IP::client_addr]"
            }
      }
}

    One could restrict this further by matching against the URL(s) which present the upload form: 

    when HTTP_REQUEST {
      if { [HTTP::uri] equals "" } {

            if { not ( [HTTP::header Content-Type] equals "multipart/form-data" or [HTTP::header Content-Type] equals "application/x-www-form-urlencoded" or [HTTP::header Content-Type] equals "text/plain" ) } {
                reject
                log local0. "Rejecting a POST request with Content-type [HTTP::header Content-Type]  to  [HTTP::uri]  from  [IP::client_addr]"
            }
      }
}
    • Kai_Wilke's avatar
      Kai_Wilke
      Icon for MVP rankMVP
      Mar 31, 2017

      This answer shouldn't be marked as answer. Its breaking applications and also not covering all attack vectors.

       

      Cheers, Kai