CVE-2014-6271 was made public today, potentially wreaking havoc on apache/bash. Has anyone written an iRule to filter this vulnerability from HTTP GET requests?

Hey John, Nice one. I wonder if this would affect valid traffic? Any thoughts? --Removed to avoid confusion

() { also matches a function definition in many languages so this has the potential to block some legitimate traffic.

It gives me "Some fields below contain errors. Correct them before continuing." when I try to parse it on 11.5.1, must be related to the string match syntax maybe?

Has anyone written an iRule to filter CVE-2014-6271?

19 Replies

John_Alam_45640

Historic F5 Account

Sep 25, 2014

Here is one to start with:

when HTTP_REQUEST {
  if {[HTTP::request] contains "() \{" } { 
        log local0. "Detected CVE-2014-6271 attack from [IP::client_addr]"
        TCP::close
        drop
      }

}

What_Lies_Bene1
Cirrostratus
Sep 25, 2014
Hey John,

Nice one. I wonder if this would affect valid traffic? Any thoughts?

--Removed to avoid confusion
Chris_Campbell1
Cirrus
Sep 25, 2014
() { also matches a function definition in many languages so this has the potential to block some legitimate traffic.
Moonlit
Cirrus
Sep 25, 2014
It gives me "Some fields below contain errors. Correct them before continuing." when I try to parse it on 11.5.1, must be related to the string match syntax maybe?

benoit_9199

Nimbostratus

Sep 25, 2014

Here is some corrections on your version but the initial version seem more simple and does match all headers so...

when HTTP_REQUEST { 
   foreach header_name [HTTP::header names] {
      foreach header_value [HTTP::header values $header_name] {
           replaced [string match -nocase "() \{*;\};*" $header_value], doesn't match enough
          if { $header_value contains "() \{" } { 
           log local0. "Detected CVE-2014-6271 attack from [IP::client_addr]"
           reject
         }
      }
   }
}

Edit: added a missing ending "*" for the match to work

Moonlit
Cirrus
Sep 25, 2014
Thanks. I have tested it on a lot of our production sites now, and it hasn't kicked on any traffic, malicious of legitimate, yet. I'll keep you updated.
What_Lies_Bene1
Cirrostratus
Sep 25, 2014
--Removed to avoid confusion

John_Alam_45640

Historic F5 Account

Sep 25, 2014

Here is a quick test of my version of the iRule:

curl http://192.168.1.59/?text='() \{'

Here is what the BigIP logs:

Rule /Common/bash_vul : Detected CVE-2014-6271 attack from 192.168.1.133

Here is what the Request looks like:

GET /?text=() { HTTP/1.1  
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1e zlib/1.2.3 libidn/0.6.5  
Host: 192.168.1.59  
Accept: */*

This will log the actual attack request.

when HTTP_REQUEST {
  if {[HTTP::request] contains "() \{" } { 
        log local0. "Detected CVE-2014-6271 attack from [IP::client_addr]"
        log local0. "[HTTP::request]"
        TCP::close
        drop
      }

}

What_Lies_Bene1
Cirrostratus
Sep 25, 2014
Thanks John.

My slightly more specific version if anyone needs it.

--I give up! :-)

Emad

Cirrostratus

Sep 25, 2014

not working for

: GET /wordpress/index.php HTTP/1.1  User-Agent: () { :;}; echo Content-type:text/plain;echo;  Host: johny.com  Accept: */*

```

Forum Discussion

Has anyone written an iRule to filter CVE-2014-6271?

19 Replies

Recent Discussions

Issue on license renewal

Maximum throughput of f5 ltm

iRule cookie persistence and pool redirect

redirect not working

Access azure app service using f5 LTM

Related Content

CVE-2014-6271 Shellshocked

Vulnérabilité Shellshock - CVE-2014-6271 et CVE-2014-7169

Legal Filing Written by ChatGPT, Roundup - May 22nd - 28th, 2023 - F5 SIRT - This Week in Security

External SMTP monitor (written in Go)

Notification Anyone