Using iRules to mitigate Microsoft's MS15-034 / CVE-2015-1635 Range vulnerability

As more information becomes available regarding the recently published Range vulnerability affecting Microsoft platforms (see MS15-034 and CVE-2015-1635), you can start mitigating this issue for your backend applications using the following iRule, which removes the Range header when large ranges are detected.

Additional mitigations have been published:

Please be sure to test this thoroughly in your production environment. 

 

##############################################
# Name: stop_range_CVE-2015-1635
# Description: This iRule will remove the Range header when detecting large ranges in it.
##############################################
when HTTP_REQUEST {
    # remove Range requests for CVE-2015-1635 if the request uses large ranges
    # (a large range is any run of 10 or more digits after "bytes=")
    if { ([HTTP::header exists "Range"]) and ([HTTP::header "Range"] matches_regex {bytes\s*=.*([0-9]){10,}.*}) } {
        HTTP::header remove Range
    }
}
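To see which requests the rule's pattern strips before deploying it, the same regular expression can be run offline over sample Range values. This is an added example, not part of the original article or F5's code: the function names and sample values are constructed, and `matches_regex` is assumed to behave as an unanchored, case-sensitive search.

```python
import re

# Same pattern as the iRule's matches_regex test. Assumption: matches_regex is
# modelled as an unanchored, case-sensitive search (Python re.search).
LARGE_RANGE = re.compile(r"bytes\s*=.*([0-9]){10,}.*")


def is_large_range(value):
    """True when the Range value contains a run of 10 or more digits."""
    return LARGE_RANGE.search(value) is not None


def apply_rule(headers):
    """Return a copy of the request headers as the backend would see them."""
    out = dict(headers)
    for name in list(out):
        # Header names are case-insensitive in HTTP.
        if name.lower() == "range" and is_large_range(out[name]):
            del out[name]
    return out


# Constructed sample values (not captured traffic) with the expected decision.
SAMPLES = [
    ("bytes=0-1023", False),                          # ordinary partial request
    ("bytes=0-499, 1000-1499", False),                # multi-range, small offsets
    ("bytes = 0-12345678901234567890", True),         # 20-digit end offset
    ("bytes=500-999, 0-12345678901234567890", True),  # large value in a later range
    ("bytes=2147483648-2147484671", True),            # 1 KiB read at the 2 GiB mark
    ("bytes=-999999999", False),                      # 9 digits, under the threshold
]


def run_samples():
    """Evaluate every sample and return (value, stripped) pairs."""
    return [(value, is_large_range(value)) for value, _ in SAMPLES]


if __name__ == "__main__":
    for value, stripped in run_samples():
        print(f"{'strip' if stripped else 'pass':5}  Range: {value}")
```

The 2 GiB sample shows the rule's side effect: any legitimate request with an offset of 1,000,000,000 bytes or more also loses its Range header, so the backend answers with the full body instead of a partial response.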

Published Apr 15, 2015
Version 1.0


11 Comments

  • Sam_Richman_263
    Historic F5 Account
    El-Guapo, this vulnerability does not affect F5 software. This iRule is designed to protect back-end Windows servers against this attack. In addition, SNAT is a layer 3 construct and has no effect on HTTP headers.