Shellshock mitigation with LineRate Proxy

News hit yesterday of a critical vulnerability, CVE-2014-6271, that is now being called 'shellshock'. The flaw affects GNU bash and has pretty serious implications, especially if you're running any server-side CGI applications. There is a very nice, well-rounded write-up at troyhunt.com - Everything you need to know about the Shellshock Bash bug. My colleague, Jeff Costlow, has also written about shellshock and it's BIG-IP implications.

The LineRate development team is hard at work trying to determine whether LineRate itself is susceptible (we believe it's not so far... UPDATE: LineRate is not vulnerable! See SOL15629 for more detail.); in the meantime I thought I could demonstrate the power of LineRate proxy by quickly writing a mitigation script that rejects HTTP requests that contain the exploit.

You should use this script on your LineRate proxy if you are concerned that any of your backend ("real") servers are vulnerable.

You'll note that the script checks both the headers and the URL query string for a suspicious string,

() {

. Initial information suggests that query string parameters can be used for the exploit, but I haven't seen any evidence of this yet. The HTTP specification and URL encoding and decoding will make this vector more difficult than using a HTTP header.

Here's the script:

"use strict";

var vsm = require('lrs/virtualServerModule');
var querystring = require('querystring');

var bad_pattern = /\(\)\s*\{/;

vsm.on('exist', 'vs_http', function (vs) {
    console.log('Exploit mitigation script installed on Virtual Server: ' + vs.id);

    vs.on('request', function (servReq, servResp, cliReq) {

        // check headers
        for (var i in servReq.headers) {
            if (bad_pattern.test(servReq.headers[i])) {
                console.log("Suspicious pattern found in header; returning 403.");
                servResp.writeHead(403);
                servResp.end('Forbidden');
                return;
            }
        }

        // check querystring
        var qs = querystring.parse(servReq.url);
        for (var key in Object.keys(qs)) {
            if (bad_pattern.test(qs[key])) {
                console.log("Suspicious pattern found in header; returning 403.");
                servResp.writeHead(403);
                servResp.end('Forbidden');
                return;
            }
        }

        // if we're still here, request is ok
        cliReq();

  });

});

Please leave a comment or reach out to us with any questions or suggestions and if you're not a LineRate user yet, remember you can try it out for free.