Sep 30, 2014
@CodeZone - When you say your users could no longer connect to the internet, did you mean you applied this to a virtual server for outbound traffic? It should be applied to a virtual that is fronting a set of application servers.
@Beinhard - We tested decoding and I have an iRule ready to go if we find a way to execute this exploit when passing through encoded values. But, in all our testing, the encoded values are passed back directly to the server and then into Bash, where it didn't seem to decode them. Header decoding is something that needs to be handled with the application itself, as webservers typically don't change their contents. Have you been able to execute on this exploit by passing in encoded parameters in HTTP Headers? As for the URI, we have only been able to replicate the attack through HTTP::headers; we included the check there for good measure, but we haven't been able to replicate it with the URI.
@brad - That's why I updated the iRule to be a bit more restrictive on the match. After looking at the bash sources, it looks for the literal string, so I changed the iRule to do the same.
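The literal-versus-encoded distinction discussed in the post above, as an added example (not the iRule from this thread): a Python check that flags the literal `() {` sequence Bash's function import looked for, and reports separately any value that matches only after percent-decoding. The function names, the request path and the sample values are constructed for illustration.

```python
from urllib.parse import unquote

# Pre-patch Bash imported an environment value as a function definition
# when the value started with this exact four-character sequence.
FUNC_MARKER = "() {"
MAX_DECODE_ROUNDS = 3  # bound on nested percent-encoding we unwrap


def classify(value: str) -> str:
    """Return 'literal', 'encoded' or 'clean' for one header value or URI.

    Substring matching is a conservative choice made for this example;
    Bash itself compared only the start of the value.
    """
    if FUNC_MARKER in value:
        return "literal"
    decoded = value
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded)
        if nxt == decoded:  # nothing left to decode
            break
        decoded = nxt
        if FUNC_MARKER in decoded:
            return "encoded"
    return "clean"


def inspect_request(uri: str, headers: dict) -> list:
    """Check the URI and every header value; return (location, verdict) pairs."""
    fields = [("uri", uri)] + [(f"header:{k}", v) for k, v in headers.items()]
    return [(where, classify(v)) for where, v in fields if classify(v) != "clean"]


if __name__ == "__main__":
    # Constructed sample request: marker only, no working payload.
    sample_headers = {
        "User-Agent": "() { constructed-sample",
        "Referer": "%2528%2529%2520%257B constructed-sample",
        "Accept": "*/*",
    }
    for finding in inspect_request("/cgi-bin/status?x=%28%29%20%7B", sample_headers):
        print(finding)
```

Keeping the two verdicts apart lets the literal match be acted on while encoded matches are logged and reviewed against what the backend application actually decodes.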