Manual Chapter : Example Mitigating shellshock

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP PEM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP ASM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

You can create a local traffic policy to mitigate shellshock. In shellshock, an Internet service misuses bash shell functionality to process requests that execute arbitrary commands, potentially giving an attacker unauthorized access. This example policy examines requests for an uncommon pattern of "() {" in the URI, to minimize the possibility of false-positive matches.

Examples

Creating a policy to mitigate a shellshock attack: video example

A shellshock attack refers to a class of exploits that misuse the bash shell through a specifically crafted URL. You can associate a BIG-IP® local traffic policy with a virtual server to mitigate a shellshock attack, where the policy examines requests for a pattern of "() {" in the URI. Watch the following video for an example of creating a local traffic policy and associating it with a virtual server.

Watch how to create a policy to mitigate a shellshock attack

You can also visit our DevCentral™ YouTube channel to see this video. Use any of these ways:

  • Click this URL: https://youtu.be/qL98Xn1zB5U.
  • Copy and paste the above URL into your browser window.
  • Use your browser to search for this video using the title F5: Creating a local traffic policy to mitigate a shellshock attack.

Mitigating shellshock: tmsh example

This topic provides a tmsh command to list the configured settings for a Mitigating Shellshock policy. During this type of attack, a class of exploits misuse the bash shell through a specifically crafted URL. This topic also provides a tmsh command to list the configured virtual server settings.

(tmos)# list ltm policy MitigatingShellshock 
ltm policy MitigatingShellshock{
    controls { forwarding }
    description "This policy mitigates shellshock."
    last-modified 2016-03-02:11:46:00
    requires { http }
    rules {
        StopShellshock {
            actions {
                0 {
                    log
                    write
                    facility local0
                    message "tcl:Shellshock detected from [IP::client_addr], blocked"
                    priority info
                }
                1 {
                    forward
                    reset
                }
            }
            conditions {
                0 {
                    http-uri
                    query string
                    contains
                    values { "() {" }
                }
            }
        }
    }
    status published
    strategy first-match
}

(tmos)# list ltm virtual HTTP-VS4
ltm.virtual.HTTP-VS4{
    destination 10.10.0.51:http
    ip-protocol tcp
    mask 255.255.255.255
    policies {
        MitigatingShellshock { }
    }
    profiles {
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 5
}

Mitigating shellshock: iRules example

This topic provides an example of iRules® code that is equivalent to a policy to mitigate shellshock, where the policy examines requests for a pattern of "() {" in the URI.

when HTTP_REQUEST {
  set pattern "*() \{*";  
  if { [string match $pattern [HTTP::uri]] } {
    log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]' in URI '[HTTP::uri]'";
    reject;
  } else {
    foreach header_name [HTTP::header names] {
      foreach header_value [HTTP::header values $header_name] {
        if { [string match $pattern $header_value] } {
          log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]' in HTTP Header $header_
          reject;
          break;
        }
      }
    }
  }
}

when HTTP_REQUEST {
  if { [string match "*() \{*" [HTTP::request]] } {
    log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]'; URI = '[HTTP::uri]'";
    reject;
  }
}