CVE-2014-6271 Shellshocked
It's a good thing we are naming all of our vulnerabilities now; it's easier to keep track of them. I haven't seen an official designation for CVE-2014-6271, but Shellshock seems appropriate.
This new vulnerability may allow a remote attacker to execute instructions on your computer using a feature of the bash shell. A shell is a command line user interface with features akin to those of a programming language. One such feature of bash is that it reads definitions from its environment variables. Unfortunately those environment values can carry executable commands, and in some cases a remote user can control them (for example, through request headers that a CGI program hands to a child shell).
F5 has confirmed that BIG-IP's web GUI is vulnerable to an authenticated user. We currently know of no unauthenticated exploits, either against the management interface or against the traffic interfaces.
We can walk through the attack vectors listed on Red Hat's security blog (not a comprehensive list) to see which ways a BIG-IP could be exploited.
• BIG-IP does not use ForceCommand in sshd_config, so users cannot bypass ForceCommand.
• BIG-IP does not contain any bash CGI programs, although it is possible that some CGI programs spawn subshells.
• BIG-IP does contain mod_php, but the scripts are not vulnerable.
• BIG-IP does contain DHCP dhclient and is in theory vulnerable to a malicious DHCP server. This is the only known unauthenticated remotely exploitable vector at this time and is only vulnerable on the management interface. You may disable DHCP on the System::Platform page.
• BIG-IP limits the use of bash to authenticated Administrator level accounts. Non-Administrators only have access to tmsh and do not have access to bash.
We still do not believe the traffic passing interfaces of a BIG-IP can be exploited. Please protect your management interface and ensure that it is not exposed to the internet.
F5 will be patching CVE-2014-6271 on all BIG-IP releases. Sol15629 has been published.
Update: BIG-IP iRule mitigation has been posted. F5 LineRate has posted its mitigation. ASM has signature updates.
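The iRule and ASM mitigations above work by recognising the bash function-definition prefix in request headers. As an added example (not F5's iRule or ASM signature, and not code from the original post), this Python scanner applies the glob pattern `*() {*;*}*` asked about in the comments below to the headers of a raw HTTP request; the pattern is glob syntax of the kind Tcl's `string match` uses in iRules, which Python's `fnmatchcase` mirrors. The sample requests are constructed, not captured traffic.

```python
from fnmatch import fnmatchcase
from typing import Dict, List

# Glob-style pattern (the syntax Tcl [string match] uses in iRules).
# It matches anywhere in the value, while a vulnerable bash only imports a
# variable whose value *starts* with "() {", so this check is deliberately
# broader than bash's own test and errs towards flagging.
GLOB_PATTERN = "*() {*;*}*"

def header_is_suspicious(value: str) -> bool:
    """True if the value looks like an exported bash function definition."""
    return fnmatchcase(value, GLOB_PATTERN)

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the head of a raw HTTP/1.x request into {lowercased-name: value}."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if line == "":                       # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def scan_request(raw: str) -> List[str]:
    """Return the names of headers whose values match the Shellshock signature."""
    return sorted(n for n, v in parse_headers(raw).items() if header_is_suspicious(v))

# Constructed sample requests (hypothetical host name, not captured traffic).
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "\r\n"
)
PROBE_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: () { :;}; echo shellshock-probe\r\n"
    "Referer: () { :;}; echo shellshock-probe\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("benign:", scan_request(BENIGN_REQUEST))   # []
    print("probe: ", scan_request(PROBE_REQUEST))    # ['referer', 'user-agent']
```

Headers are the common carrier because CGI exports each one as an environment variable, but the same check applies to any request field a backend may place in the environment.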
- nmolwantwa_8071 (Nimbostratus): Hi Guys, Thanks all for all your posts and experiences on this issue thus far. Drawback question: What are these "*() {*;*}*" patterns, or rather what makes you search for them? I've since checked the TCL site for a clue - but not quite there yet ;( https://www.tcl.tk/man/tcl8.4/TclCmd/string.htm#M34 Are these REs? Anyone? Most (if not all) of my backend servers are Windows, but still I'd rather use this to see what I get. So I'm excited about this post really. Cheers
- Rich101 (Nimbostratus): In reference to "At this point, we do not believe the traffic passing interfaces of a BIG-IP can be exploited. The attack will be passed to back end servers. We do not believe that the attack could exploit a BIG-IP directly through the traffic interfaces." What is the situation with an iRule which performs an HTTP redirect, or some other HTTP response to a user request? Would this not also be vulnerable in the same way that a normal web server is?
- hmb104_165567 (Nimbostratus): When do we expect a patch for our systems?!
- Can you confirm how it is vulnerable to an authenticated user? I could not find any bash CGI scripts on our system.
- Adrian_P (Nimbostratus): Is the APM Logon page object in the Access Policy vulnerable to this attack?
- Alan_Renicor_10 (Altocumulus): Just seen that the hotfix for 11.6 has now been uploaded and the solution article updated to reflect the new hotfix.
- Nathan_Bultman_ (Historic F5 Account): Hotfix-BIGIP-11.5.1.5.0.147-HF5 has been released to address these CVEs. It is available at http://downloads.f5.com. SOL15629 will be republished to reflect this hotfix release shortly.
- kwkyiu_53019 (Nimbostratus): If the web GUI is vulnerable to an authenticated user, is it possible to reduce the exposure by disabling all users (except root/admin)?
- yamamoto (Nimbostratus): Hello. I have a question about the following description. > BIG-IP does not contain any bash CGI programs, although it is possible that some CGI programs spawn subshells. What are "subshells"? I would like to know the details of these shells.
- kwkyiu_53019 (Nimbostratus): @yamamoto For example, let's assume that those CGI programs are implemented in Perl. But it is possible that they will call a shell script inside those CGI programs.