Shellshock mitigation with BIG-IP iRules

Yesterday, NIST released information on a new network exploitable vulnerability in the GNU Bash shell as demonstrated by vectors involving parts of OpenSSH sshd, the mod_cgi, and mod_cgid modules in ...
Updated Jun 06, 2023
Version 2.0
application delivery
devops
iRules
security
shellshock
Joe_Pruitt's avatar
Joe_Pruitt
Sep 26, 2014
Thanks for the feedback everyone. It seems the most likely false-positive would be in the user agent. What if we modified the iRule to block all headers that match except the user agent. If the UA matches, then empty it out and send it on. That would allow the slim case of UAs that match the pattern through with the downside that the backend app wouldn't have the true UA. Is that acceptable? @Carlos - As for the impact on performance, I went with a simple string match on the content. Regular expressions are a bit more costly but the glob-style matching in string match is much faster. Even with regular expressions, the impact should be minimal (in the microseconds for a single match). We have customers doing header string tests in production and have not had performance issues reported that I'm aware of. @Ian - You are correct. HTTP::request only returns the request portion and not the body. I will update the article with that info. Thanks for keeping me honest!