vADC Docs

TrafficScript rule to protect against "Shellshock" bash vulnerability (CVE-2014-6271)

by mikeg_2 on 09-25-2014 08:36 AM - edited on 02-17-2016 04:53 AM by PaulWallace

The following TrafficScript rule rejects requests that attempt to exploit the recently disclosed vulnerability in bash (CVE-2014-6271: bash executes trailing commands that follow a function definition in the value of an environment variable). A vulnerable bash only imports a function from a variable whose value begins with the literal "() {", so that prefix is what the rule looks for in every part of the request that may end up in the environment:

# The most likely vector is an HTTP header: CGI exports header values as
# HTTP_* environment variables, and a vulnerable bash executes whatever
# follows a value that begins with "() {".
$vehicle = "";

foreach( $header in hash.values( http.getHeaders() ) ) {
   if( string.contains( $header, "() {" ) ) {
      $vehicle = " HTTP header ";
      break;
   }
}

# Some applications export query-string or form parameters into the
# environment as well, so check those too:
$qs = http.getQueryString();
if( string.contains( $qs, "() {" ) ) {
   $vehicle .= ($vehicle ? "and query string " : " query string ");
}

if( http.getMethod() == "POST" ) {
   foreach( $value in hash.values( http.getFormParams() ) ) {
      # a repeated parameter name yields an array of values; flatten it
      if( lang.isArray( $value ) ) {
         $value = array.join( $value, ":" );
      }
      if( string.contains( $value, "() {" ) ) {
         $vehicle .= ($vehicle ? "and form param " : " form param ");
         break;
      }
   }
}

if( $vehicle ) {
   $badboy = request.getRemoteIP();
   $country = geo.getCountry( $badboy );
   log.warn( "Attempted CVE-2014-6271 attack via"
             . $vehicle . "from " . $badboy . " in " . $country );
   connection.discard();
}


The rule above protects a web application that passes request data to a vulnerable bash, typically CGI or FastCGI applications whose /bin/sh is bash; attach it as a request rule on the virtual server in front of that application. Note that it inspects header values only (not header names), it leaves the query string as received rather than percent-decoding it (which is also what a CGI server exports as QUERY_STRING), and it only looks at form parameters on POST requests.
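To exercise the rule's logic outside the load balancer, here is an added Python re-implementation of its three checks applied to a raw HTTP request. This is not the page's code and not a Riverbed tool; the sample requests are constructed for this example (the probe payload only echoes a string), the remote address is passed in as a plain string, and the rule's geo.getCountry() lookup is left out.

```python
"""
Added example: a Python re-implementation of the TrafficScript rule's three
checks, so the detection logic can be run and tested offline. Not the page's
code and not a Riverbed tool; sample requests below are constructed.
"""
from urllib.parse import parse_qs

# Bash only imported a function from an environment variable whose value
# starts with "() {", so that literal prefix is what every vector must carry.
MARKER = "() {"


def parse_request(raw: bytes):
    """Minimal HTTP/1.x parser: (method, raw query string, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, _, rest = request_line.partition(" ")
    target, _, _version = rest.rpartition(" ")   # tolerate spaces in the target
    _path, _, query = target.partition("?")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in header_lines)]
    return method, query, headers, body.decode("latin-1")


def find_shellshock_vehicles(raw: bytes):
    """Return the request parts carrying a "() {" prefix, in the rule's order."""
    method, query, headers, body = parse_request(raw)
    vehicles = []

    # 1. Header values: CGI exports them verbatim as HTTP_* variables.
    if any(MARKER in value for _, value in headers):
        vehicles.append("HTTP header")

    # 2. Query string, as received and without percent-decoding: CGI exports
    #    it verbatim as QUERY_STRING, so "()%20{" never reaches bash as "() {".
    if MARKER in query:
        vehicles.append("query string")

    # 3. POST form parameters, decoded, since an application that exports them
    #    would do so after decoding; repeated names give a list, joined the
    #    same way the rule's array.join() flattens an array value.
    content_type = next((v for n, v in headers if n == "content-type"), "")
    if method == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
        for values in parse_qs(body, keep_blank_values=True).values():
            if MARKER in ":".join(values):
                vehicles.append("form param")
                break
    return vehicles


def screen(raw: bytes, remote_ip: str):
    """Mirror the rule's decision: (reject?, log line) for one request."""
    vehicles = find_shellshock_vehicles(raw)
    if not vehicles:
        return False, None
    return True, ("Attempted CVE-2014-6271 attack via "
                  + " and ".join(vehicles) + " from " + remote_ip)


# Constructed sample requests (the probe payload only echoes a string).
REQ_HEADER = (b"GET /cgi-bin/status HTTP/1.1\r\n"
              b"Host: example.test\r\n"
              b"User-Agent: () { :;}; echo probe\r\n\r\n")
REQ_QUERY = (b"GET /cgi-bin/status?cmd=() { :;}; echo probe HTTP/1.1\r\n"
             b"Host: example.test\r\n\r\n")
REQ_ENCODED_QUERY = (b"GET /cgi-bin/status?cmd=%28%29%20%7B%20%3A%3B%7D HTTP/1.1\r\n"
                     b"Host: example.test\r\n\r\n")
REQ_FORM = (b"POST /cgi-bin/form HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"name=%28%29+%7B+%3A%3B%7D%3B+echo+probe&name=x")
REQ_BENIGN = (b"POST /login HTTP/1.1\r\n"
              b"Host: example.test\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"user=bob&pw=f(x)%20{y}")

if __name__ == "__main__":
    for name, req in [("header", REQ_HEADER), ("query", REQ_QUERY),
                      ("encoded query", REQ_ENCODED_QUERY),
                      ("form", REQ_FORM), ("benign", REQ_BENIGN)]:
        print(name, screen(req, "203.0.113.7"))
```

The percent-encoded query sample is deliberately not flagged: the rule, like a CGI server, sees the query string as sent, and "()%20{" is not the prefix bash acts on. The same request body sent as a POST form parameter is flagged after decoding, which is the case the rule's form-parameter check covers.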

Since the SteelApp Web UI is such an application itself, it is also vulnerable if the software runs in an environment where "/bin/sh" is a vulnerable version of bash (this may be the case if you have installed SteelApp on Linux, but is *NOT* the case if you are running the Riverbed-provided Virtual Appliances). The rule above can of course be used to secure SteelApp's administration server as well.

To do that, move the admin server to another port, for example 9091, and restrict its listening socket to localhost. Then create a loopback virtual server on port 9090 that runs the rule above; it must decrypt SSL, because the rule can only inspect headers of a request it can read. This loopback virtual server's default pool must re-encrypt traffic with SSL and have the single node localhost:9091.

SteelApp Web App Firewall already ships an updated baseline that detects this attack on bash, so if your web application is protected by SteelApp Web App Firewall you only need to install the baseline update.

For detailed information on how CVE-2014-6271 affects Riverbed products, subscribe to this support knowledge base article: https://supportkb.riverbed.com/support/index?page=content&id=S24997
