ASM Signature Update 02/08/2019 Contains Incorrect Command Execution Signatures

Question

The 2/8/19 signature update available on F5 Downloads (shows a create date of 1/22/19 in the F5 UI) has some questionable updates for Command Execution signatures on parameters that cause a large amount of false positives. &nbsp;
Instead of properly checking to see if a parameter contains a real command execution attempt, it is just firing on anything containing a the string that matches the command name. It's so bad that the sig for g++ will go off every time there is a " g " in a parameter being posted. &nbsp;
This has been confirmed on 12.1.X&nbsp;
I would suggest skipping this update until they address. If installed, my suggestion would be to disable all signatures with the string "execution attempt" in the title that relates to parameters (likely leave URL and Header sigs active, not getting false positives on those but ymmv) and contain a command that resembles a human word or is 3 characters or less. If not too labor intensive it would likely be better to disable on a parameter basis. Even if you have these signatures in staging, you may not get all possible values in your staging traffic so the next time you get a user with the name of "Pico", they could be blocked. &nbsp;
Because we are on 12.x we had been setup to not put update signatures into staging because we didn't want to loose coverage, after years of that working perfectly for us, this update came and basically locked out our applications. &nbsp;
Working with support on this, will update.&nbsp;

paul_zajicek_73 · Answer

Just updated to ASM-SignatureFile_20190219_153131 and what a nightmare! the g++ one you mention is absolutely awful. Any common Linux words in cookies/referrers and alerts trip. Currently staging these, but I don't know how to go forward as the new attack signatures are so bad. Never had any problems in the past.

peterhession · Answer

Just wanted to note that you can backout your signatures by installing the previous update from before 2/8/19. You can get the signature file manually from . It will remove the signatures that had bad updates. You will also need to turn off auto-updates to make sure it doesn't get overwritten until F5 puts out a sig release to address.

andrew_husking · Answer

We've had the same issue this morning, with the XPATH 1=1 signature.&nbsp;

paul_zajicek_73 · Answer

I have backed out to ASM-SignatureFile_20190114_163855. We are a retail site and basically any url, referrer or cookie etc with "head,ps,ls,cut,date,touch,cat etc." in anywhere (and there are a lot) is potentially blocked! Presumably I won't be updating the pattern file for a long time (if ever).

peterhession · Answer

Thank you all for your comments about this happening, this is really helping escalate this within f5. Please open support cases if you can. I'm unable to provide f5 with as many examples of blocked requests as they need since our blocked requests involve sensitive customer data.

Forum Discussion

ASM Signature Update 02/08/2019 Contains Incorrect Command Execution Signatures

8 Replies

Recent Discussions

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Advise on setting up IRULE

Related Content

Support of WAF Signature Staging in F5 Distributed Cloud (XC)

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

BoT Defense Profile, Signature Enforcement

Wildcard Parameter signature attack

Live Update- ASM attack signatures