Forum Discussion
melcaniac
Cirrus
Sep 20, 2010
iRule to address Microsoft Security Advisory (2416728)
Has anyone tried to address this security vulnerability with an iRule?
For more information:
Microsoft Security Advisory (2416728)
Vulnerability in ASP.NET Could Allow Informa...
Joel_Moses
Nimbostratus
Sep 21, 2010
I don't presently have access to test this with an F5, but I bashed this out whilst travelling. This should work on 9.x and 10.x to stop the exploit actions (which are based on repeated brute-force attempts to ASP.net script-handler calls in WebResource.axd or ScriptResource.axd).
This is based on a previous HTTP request throttle iRule, but I've altered it to track only failed calls to ASP.net functions. This should detect HTTP failures occurring en masse.
when HTTP_REQUEST {
    set aspnet_object_call 0
    set expiration_time 300
    set client_ip [IP::client_addr]
    set req_limit 1000
    set curr_time [clock seconds]
    # Key the session-table entries per client, so one client's failures
    # are not counted against every other client.
    set timekey "starttime_$client_ip"
    set reqkey "reqcount_$client_ip"
    # failure_response is set in HTTP_RESPONSE; initialise it on the first
    # request of a connection so the test below never hits an unset variable.
    if { ![info exists failure_response] } {
        set failure_response 0
    }
    set failed_request_count [session lookup uie $reqkey]
    if { ([string tolower [HTTP::uri]] starts_with "/scriptresource.axd?") || ([string tolower [HTTP::uri]] starts_with "/webresource.axd?") } {
        set aspnet_object_call 1
    }
    if { ($aspnet_object_call) && ($failed_request_count eq "") } {
        # First ASP.net script-handler call seen from this client: start counting
        set failed_request_count 1
        session add uie $reqkey $failed_request_count $expiration_time
        session add uie $timekey [expr {$curr_time - 2}] [expr {$expiration_time + 2}]
    } elseif { ($aspnet_object_call) } {
        set start_time [session lookup uie $timekey]
        # The previous response on this connection was a failure: count it
        if { ($failure_response) } {
            incr failed_request_count
            session add uie $reqkey $failed_request_count $expiration_time
            set failure_response 0
        }
        set elapsed_time [expr {$curr_time - $start_time}]
        # Anything under a minute counts as a full minute, so the rate is per minute
        if { $elapsed_time < 60 } {
            set elapsed_time 60
        }
        set curr_rate [expr {$failed_request_count / ($elapsed_time / 60)}]
        if { $curr_rate > $req_limit } {
            log local0. "ASP.net brute force detected from $client_ip."
            reject
        }
    }
}
when HTTP_RESPONSE {
    # Flag failed responses to the script handlers (5xx, and 4xx other than
    # 4x1, so 401 is not counted); the next request on this connection adds it
    if { ($aspnet_object_call) && (([HTTP::status] matches_glob "4[0-9][023456789]") || ([HTTP::status] matches_glob "5*")) } {
        set failure_response 1
    } elseif { ($aspnet_object_call) && ([HTTP::status] equals "200") } {
        set failure_response 0
    }
}
Like I said, I don't have access to an F5 to test this, so if someone could try it'd be nice.
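The detection logic of the posted iRule as an added, stand-alone Python model (this is not Joel's code and not an F5 API): it tracks failed ScriptResource.axd / WebResource.axd calls per client IP and applies the same per-minute rate test with the same 60-second floor, run over constructed log lines so the threshold behaviour can be checked offline. The log format, IP addresses and timestamps are made up for the demonstration.

```python
# Added example (not from the DevCentral thread): a stand-alone Python model of the
# failed-request rate check the posted iRule performs, run over constructed
# web-server log lines. Log format, IPs and timestamps are made up.
from typing import Dict, List


def is_aspnet_resource(uri: str) -> bool:
    """Same test as the iRule: script-handler calls to ScriptResource/WebResource."""
    u = uri.lower()
    return u.startswith("/scriptresource.axd?") or u.startswith("/webresource.axd?")


def is_failure_status(status: int) -> bool:
    """Mirror the iRule globs "4[0-9][023456789]" and "5*": any 5xx, and any
    4xx whose last digit is not 1 (so 401 is not counted)."""
    s = str(status)
    if s.startswith("5"):
        return True
    return len(s) == 3 and s[0] == "4" and s[1].isdigit() and s[2] != "1"


class FailureRateTracker:
    """Per-client failed-request counter with the iRule's per-minute rate test.

    State is keyed by client IP (what the iRule's session-table keys must provide),
    and an entry is forgotten after `expiration` seconds without a request,
    mirroring the session-table timeout.
    """

    def __init__(self, req_limit: int = 1000, expiration: int = 300) -> None:
        self.req_limit = req_limit
        self.expiration = expiration
        self.state: Dict[str, dict] = {}

    def observe(self, client_ip: str, uri: str, status: int, now: int) -> bool:
        """Record one request; return True when this client should be rejected."""
        if not is_aspnet_resource(uri):
            return False
        entry = self.state.get(client_ip)
        if entry is None or now - entry["last"] > self.expiration:
            entry = {"start": now, "failed": 0, "last": now}
            self.state[client_ip] = entry
        entry["last"] = now
        if is_failure_status(status):
            entry["failed"] += 1
        # Anything under a minute counts as a full minute, as in the iRule, so
        # during the first 60 s the "rate" is simply the raw failure count.
        elapsed = max(now - entry["start"], 60)
        rate_per_minute = entry["failed"] / (elapsed / 60)
        return rate_per_minute > self.req_limit


def build_sample_log() -> List[str]:
    """Constructed log lines: '<epoch> <client_ip> <method> <uri> <status>'."""
    base = 1284973200
    lines = []
    # Constructed noisy client: one 401 (not counted), then 1200 requests that
    # all produce 500s, at 40 requests per second (30 seconds in total).
    lines.append(f"{base} 10.0.0.5 GET /WebResource.axd?d=AAAA 401")
    for i in range(1200):
        lines.append(f"{base + i // 40} 10.0.0.5 GET /WebResource.axd?d=AAA{i} 500")
    # Constructed ordinary browser: 20 successful script-resource loads.
    for i in range(20):
        lines.append(f"{base + i} 10.0.0.9 GET /ScriptResource.axd?d=BBBB 200")
    # Traffic to other paths is ignored entirely, whatever its status.
    lines.append(f"{base} 10.0.0.9 GET /login.aspx 500")
    return lines


def run_detector(lines: List[str], req_limit: int = 1000) -> Dict[str, List[int]]:
    """Return, per client IP, the timestamps of every request that would be rejected."""
    tracker = FailureRateTracker(req_limit=req_limit)
    alerts: Dict[str, List[int]] = {}
    for line in lines:
        ts, ip, _method, uri, status = line.split()
        if tracker.observe(ip, uri, int(status), int(ts)):
            alerts.setdefault(ip, []).append(int(ts))
    return alerts


if __name__ == "__main__":
    for ip, stamps in run_detector(build_sample_log()).items():
        print(f"{ip}: {len(stamps)} requests rejected, first at {stamps[0]}")
```

Two things the model makes visible that are easy to miss in the iRule: because elapsed time is floored at 60 seconds, the "rate" during the first minute is just the raw failure count, so `req_limit 1000` means the 1001st failed script-handler call is the first one rejected; and the counter only works as a per-client control if the session-table keys include the client address, otherwise a busy site's legitimate 404s from all clients pool into one counter.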