Bruce_123314
Sep 25, 2014

CVE-2014-6271 (BASH) vulnerability

Is the F5 FirePass vulnerable to the CVE-2014-6271 (BASH) vulnerability?

 

1 Reply

  • I am not sure about the FirePass, but if the target server is running a version of BASH that is not yet fully patched, then yes, F5 LTM will pass it through; I just tested it.

    I have put in the iRule below to block these types of requests. However, this is just a User-Agent check; there is no way to check for all headers. And this is very specific to this attack and variants of this attack.

    Any suggestions to improve the iRule below are welcome. I put contains first, thinking it might be faster:

    when HTTP_REQUEST {
      # Cheap substring test first; the regexes only run when "echo" is present
      if { [string tolower [HTTP::header value User-Agent]] contains "echo" } {
        if { [string tolower [HTTP::header value User-Agent]] matches_regex ".*echo.*echo.*" } {
          # "echo" appears at least twice in the User-Agent
          log local0. "Bad request from [IP::client_addr] with User agent [HTTP::header value User-Agent]"
          HTTP::respond 403 content "What the f..." noserver
        } elseif { [string tolower [HTTP::header value User-Agent]] matches_regex ".*;.*;.*;.*" } {
          # "echo" plus at least three semicolons in the User-Agent
          log local0. "Bad request from [IP::client_addr] with User agent [HTTP::header value User-Agent]"
          HTTP::respond 403 content "What the f..." noserver
        }
      }
    }
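
An added example, not part of the original reply and not F5's own code: an iRule that walks every request header with `HTTP::header names` and `HTTP::header values` and rejects any value containing the `() {` function-definition prefix that CVE-2014-6271 depends on. The variable names, the whitespace-tolerant regex and the bare 403 response are assumptions chosen for illustration.

```tcl
when HTTP_REQUEST {
    # Assumption: "(", optional whitespace, ")", optional whitespace, "{"
    # anywhere in a header value is an acceptable block criterion here.
    # Legitimate traffic that carries this sequence would also be blocked.
    set marker {\(\s*\)\s*\{}

    # Name of the first offending header, empty if none is found
    set hit ""

    foreach name [HTTP::header names] {
        # A header can occur more than once, so check each of its values
        foreach value [HTTP::header values $name] {
            if { [regexp -- $marker $value] } {
                set hit $name
                break
            }
        }
        if { $hit ne "" } { break }
    }

    if { $hit ne "" } {
        # Log the header name and client only, not the raw attacker-supplied value
        log local0. "CVE-2014-6271 pattern in header $hit from [IP::client_addr]"
        HTTP::respond 403 noserver
    }
}
```

Matching on the function-definition prefix instead of `echo` and semicolon counts keeps the check independent of whatever command follows the prefix. It is a stopgap in front of the servers; patching Bash on them remains the fix.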