Forum Discussion
MS15-034
After testing, we actually found you need to block on the container of "18446744073709551615" - if you have anything in front of it, it will drop the connection but still allow remote code exec/BSOD.
This is a modified version of what Chris H listed:

```
when HTTP_REQUEST {
    # VIP (local address and port) that received the request, used in the log line
    set vip [IP::local_addr]:[TCP::local_port]
    # Match the value anywhere in the Range header
    if { [HTTP::header "range"] contains "18446744073709551615" } {
        log local0. "Attempted MS15-034 Exploitation Attempt to [HTTP::host] in URI [HTTP::uri] from [IP::client_addr] on VIP $vip"
        drop
    }
}
```
With this, we found that it prevented the remote code exec/BSOD. We also found that if you change the 18446744073709551615 to anything else, it would not cause the bug; also, if you increment the 0 to, say, 1 and then lower the 18446744073709551615 to 18446744073709551614, it would also not cause the bug to trip. I'm sure there will be more about this over the days to come.
At this point, the above iRule is what worked in our lab testing; hope it helps.
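An offline version of the same check, for reviewing captured request heads or unit-testing the match logic before deploying the iRule. This is an added example, not part of the original post: the function names, the `example.test` host and the sample requests are constructed for illustration.

```python
# Added example: the iRule's substring test on the Range header, applied to
# raw HTTP request text. All sample requests below are constructed.
MARKER = "18446744073709551615"  # value matched by the iRule in the post


def range_values(raw_request: str) -> list[str]:
    """Return the value of every Range header found in the request head."""
    # Only the head is inspected; the body (after the blank line) is ignored.
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    values = []
    for line in head.split("\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "range":
            values.append(value.strip())
    return values


def is_flagged(raw_request: str) -> bool:
    """True when any Range header value contains the marker (substring match,
    so whatever precedes the value inside the header does not matter)."""
    return any(MARKER in value for value in range_values(raw_request))


def scan(requests: dict[str, str]) -> list[str]:
    """Return the labels of the requests the check would drop and log."""
    return [label for label, raw in requests.items() if is_flagged(raw)]


HEAD = "GET /welcome.png HTTP/1.1\r\nHost: example.test\r\n"
SAMPLES = {  # constructed sample requests
    "normal-range": HEAD + "Range: bytes=0-1023\r\n\r\n",
    "marker": HEAD + "Range: bytes=0-" + MARKER + "\r\n\r\n",
    "lowercase-header": HEAD + "range: bytes=0-" + MARKER + "\r\n\r\n",
    # Variation from the post that did not trip the bug; not matched.
    "near-miss": HEAD + "Range: bytes=1-18446744073709551614\r\n\r\n",
    # Marker outside the Range header: not matched, same scope as the iRule.
    "marker-in-uri": "GET /?id=" + MARKER + " HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "marker-in-body": "POST /search HTTP/1.1\r\nHost: example.test\r\n"
                      "Content-Length: 20\r\n\r\n" + MARKER,
}

if __name__ == "__main__":
    for label in scan(SAMPLES):
        print("would drop and log:", label)
```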
