Traffic Management User Interface Vulnerability: The Fix and Temporary Mitigation Options
*** Updated July 8, 2020 *** A new Remote Code Execution vulnerability announcement that affects several versions of BIG-IP was just released on June 30, 2020. Remote Code Execution (RCE) vulner...
Published Jul 06, 2020
Version 1.0
ltwagnon
Ret. Employee
Joined May 15, 2019
Simon_Blakely
Jul 06, 2020, Employee
If you want to use the REST API to apply the specific mitigations from the article without using tmsh edit:
# curl -sk -u admin:password https://localhost/mgmt/tm/sys/httpd/ -X PATCH -H "Content-Type: application/json" -d '{"include": "<LocationMatch \\\".*\\\\.\\\\.;.*\\\">\nRedirect 404 /\n</LocationMatch>\n"}'
The following one-line bash script checks to see if the include already has the LocationMatch, preserves any existing include setting, and adds the K52145254 LocationMatch stanza.
if [ $(curl -sk -u admin:password https://localhost/mgmt/tm/sys/httpd/ | jq . -M | grep -c LocationMatch) -eq 0 ]; then new_include=$(echo '{"include":"'$(curl -sk -u admin:password https://localhost/mgmt/tm/sys/httpd/ | jq . -M | grep include | awk -F'^"|":|:"| "|",' '{print $4}')'\n<LocationMatch \\\".*\\\\.\\\\.;.*\\\">\nRedirect 404 /\n</LocationMatch>\n')'"}'; curl -sk -u admin:password https://localhost/mgmt/tm/sys/httpd/ -X PATCH -H "Content-Type: application/json" -d "$new_include"; fi
I'm sure someone will write this more elegantly in Python or somesuch, but it's a start.
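A Python version of the same idempotent check-and-patch, added here as an illustration; it is not code from this thread, from the K52145254 article or from F5. It talks to the same /mgmt/tm/sys/httpd/ endpoint with basic auth as the curl commands above, stores the stanza in the same once-escaped form that the curl body sends, and only PATCHes when no LocationMatch block is already present. Assumptions: an unset include is reported by the REST API as the string "none" (tmsh's rendering of an empty value), the hostname and credentials are the reader's own, and the optional --insecure flag is the equivalent of curl -k for a self-signed management certificate. The request function is injectable so the merge logic can be exercised without a BIG-IP.

```python
"""Add the K52145254 LocationMatch stanza to sys httpd include via iControl REST.

Added illustration, not code from the thread or from F5. Assumptions:
- the endpoint is /mgmt/tm/sys/httpd/ with basic auth, as in the curl above;
- an unset include is reported as "none" (tmsh's rendering of an empty value).
"""
import base64
import functools
import getpass
import json
import ssl
import sys
import urllib.request

# Escaped form of the stanza exactly as the curl body above stores it:
#   <LocationMatch ".*\.\.;.*">   Redirect 404 /   </LocationMatch>
# The inner quotes and backslashes are escaped once for tmsh; json.dumps
# escapes them a second time on the wire.
MITIGATION_STANZA = (
    r'<LocationMatch \".*\\.\\.;.*\">' + "\nRedirect 404 /\n</LocationMatch>\n"
)


def has_mitigation(include):
    """Same test as the one-liner: any LocationMatch block counts as applied."""
    return "LocationMatch" in (include or "")


def merged_include(existing):
    """Return the include value to write, preserving whatever is already there."""
    if existing in (None, "", "none"):  # "none" is assumed to mean unset
        return MITIGATION_STANZA
    if has_mitigation(existing):
        return existing
    separator = "" if existing.endswith("\n") else "\n"
    return existing + separator + MITIGATION_STANZA


def build_patch_payload(existing):
    """JSON body for the PATCH, in the same shape as the curl -d argument."""
    return json.dumps({"include": merged_include(existing)}).encode()


def icontrol_request(host, user, password, method, body=None, verify_tls=True):
    """Minimal iControl REST call with basic auth; returns the decoded JSON reply."""
    url = f"https://{host}/mgmt/tm/sys/httpd/"
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k for a self-signed management cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def apply_mitigation(host, user, password, request=icontrol_request):
    """GET the current include, PATCH only if the stanza is missing.

    Returns (changed, include_after). `request` is injectable so the logic can
    be exercised without a BIG-IP (dry run or unit test).
    """
    current = request(host, user, password, "GET")
    existing = current.get("include", "none")
    if has_mitigation(existing):
        return False, existing
    new_include = merged_include(existing)
    request(host, user, password, "PATCH", {"include": new_include})
    return True, new_include


if __name__ == "__main__":
    # usage: python k52145254_patch.py <bigip-host> <user> [--insecure]
    bigip, user = sys.argv[1], sys.argv[2]
    verify = "--insecure" not in sys.argv
    call = functools.partial(icontrol_request, verify_tls=verify)
    changed, include = apply_mitigation(bigip, user, getpass.getpass(), request=call)
    print("stanza added" if changed else "stanza already present")
    print(include)
```

Running it a second time is a no-op because the GET is checked before any PATCH, which is the same guard the one-liner implements with grep -c; the difference is that the existing include value is taken from the parsed JSON rather than scraped with awk, so spaces or escaped quotes in an existing include survive intact.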