Using iRules to mitigate Microsoft's MS15-034 / CVE-2015-1635 Range vulnerability
As more information becomes available about the recently published Range vulnerability affecting Microsoft platforms (see MS15-034 and CVE-2015-1635), you can start mitigating it for your backend applications with the following iRule, which removes the Range header when it detects large ranges.
Additional mitigations have been published:
- Using ASM - https://devcentral.f5.com/s/articles/mitigating-httpsys-remote-code-execution-cve-2015-1635
- Using LineRate - https://devcentral.f5.com/s/articles/linerate-range-header-attack-mitigation
Please be sure to test this thoroughly in your production environment.
##############################################
# Name: stop_range_CVE-2015-1635
# Description: This iRule will remove the Range header when detecting large ranges in it.
##############################################
when HTTP_REQUEST {
    # remove Range requests for CVE-2015-1635 if the request uses large ranges
    # (the regex matches a Range value with a run of 10 or more consecutive digits after "bytes=")
    # note: the opening brace of the body must sit on the same line as the condition in Tcl
    if { ([HTTP::header exists "Range"]) and ([HTTP::header "Range"] matches_regex {bytes\s*=.*([0-9]){10,}.*}) } {
        HTTP::header remove Range
    }
}
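An added example, not part of the original article or F5's code: a Python harness that runs the iRule's regular expression over constructed Range values to show which requests would lose their Range header, including legitimate ranges at 10-digit offsets. It assumes Python's `re.search` matches this pattern the same way `matches_regex` does; `apply_rule`, `report` and the sample headers are hypothetical.

```python
import re

# Pattern copied from the iRule. matches_regex is an unanchored search;
# assumption: re.search behaves identically for \s, [0-9] and {10,}.
LARGE_RANGE = re.compile(r"bytes\s*=.*([0-9]){10,}.*")


def apply_rule(headers):
    """Return (forwarded_headers, stripped), modelling what the iRule does."""
    forwarded = dict(headers)
    for name in list(forwarded):
        # HTTP header names are case-insensitive.
        if name.lower() == "range" and LARGE_RANGE.search(forwarded[name]):
            del forwarded[name]
            return forwarded, True
    return forwarded, False


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "no Range header": {"Host": "app.example"},
    "small range": {"Host": "app.example", "Range": "bytes=0-499"},
    "multi-range, short numbers": {"Range": "bytes=0-99,200-299,400-499,600-699"},
    "9-digit end offset": {"Range": "bytes=0-999999999"},
    "10-digit end offset": {"Range": "bytes=0-1000000000"},
    "space before '='": {"Range": "bytes = 0-12345678901234567890"},
    "resume past 4 GiB (legitimate)": {"Range": "bytes=4294967296-"},
}


def report(samples=SAMPLES):
    """Map each sample label to True if the rule would strip its Range header."""
    return {label: apply_rule(hdrs)[1] for label, hdrs in samples.items()}


if __name__ == "__main__":
    for label, stripped in report().items():
        print(f"{'STRIPPED' if stripped else 'kept':8}  {label}")
```

A request whose Range header is stripped is answered with the full resource, so clients resuming downloads at offsets of 1,000,000,000 bytes or more lose range support behind this rule.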
- Sam_Richman_263 (Historic F5 Account): El-Guapo, this vulnerability does not affect F5 software. This iRule is designed to protect back-end Windows servers against this attack. In addition, SNAT is a layer 3 construct and has no effect on HTTP headers.