Shellshock mitigation with BIG-IP iRules
Yesterday, NIST released information on a new network exploitable vulnerability in the GNU Bash shell as demonstrated by vectors involving parts of OpenSSH sshd, the mod_cgi, and mod_cgid modules in ...
Updated Jun 06, 2023
Version 2.0
Tomasz_125022
Nimbostratus
NimbostratusBlock-Shellshock-full iRule contains errors in log sctring ($header_value, $header_value) :-) These variables do not exist.
I use:
If it is determined that the vulnerability exists in the payload , this iRule will inspect the entire HTTP request for the pattern.
But it reports only UserAgent value (most common attacks) and reject the source of the attack.
when HTTP_REQUEST {
set pattern "*(*)*\{*";
set uri [HTTP::header Host][HTTP::uri];
set UserAgent [HTTP::header "User-Agent"]";
if { [string match $pattern [HTTP::request]] } {
log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]' in uri = $uri and UserAgent = $UserAgent";
reject;
}
}