{"id":11606,"date":"2014-10-11T19:30:00","date_gmt":"2014-10-11T19:30:00","guid":{"rendered":"http:\/\/cloudcomputing.sys-con.com\/node\/3207925"},"modified":"2014-10-11T19:30:00","modified_gmt":"2014-10-11T19:30:00","slug":"three-ways-to-use-big-ip-asm-to-mitigate-shellshock","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/three-ways-to-use-big-ip-asm-to-mitigate-shellshock\/","title":{"rendered":"Three Ways to Use BIG-IP ASM to Mitigate Shellshock"},"content":{"rendered":"<p><span class=\"marker\">UPDATE (9\/28\/2014): <\/span>Our security team indicates that we&#39;re now seeing the majority of attempted exploits of Shellshock coming in through input parameters. They&#39;ve provided ASM signatures to mitigate and recommend customers use these signatures to protect their applications. You can find these signatures and more information in this post:&nbsp;<a href=\"https:\/\/devcentral.f5.com\/articles\/bash-shellshock-mitigation-using-asm-signatures\" style=\"line-height: 1.6em;\">https:\/\/devcentral.f5.com\/articles\/bash-shellshock-mitigation-using-asm-signatures<\/a><span style=\"line-height: 1.6em;\">&nbsp;<\/span><\/p>\n<p>I had a great conversation this morning with Tom Spector, Enterprise Network Engineering Lead for Security here at F5, about the ways in which customers can use <a href=\"https:\/\/f5.com\/products\/modules\/application-security-manager\">BIG-IP Application Security Manager<\/a> (ASM) to mitigate Shellshock.<\/p>\n<p>As you&#39;re no doubt aware, the potential exploits of Shellshock continue to evolve and we&#39;re seeing both HTTP headers and input fields used as a transport mechanism for this Bash vulnerability. Web application firewalls (WAF) are a well-known tool for protecting applications on both the inbound (request) and the outbound (response) side, across headers and payloads. 
In the case of Shellshock, BIG-IP ASM provides protection regardless of whether the HTTP method is POST or GET.<\/p>\n<p>Tom offered the following suggestions when using ASM to mitigate Shellshock.<\/p>\n<h4>Character Restrictions<\/h4>\n<p>Restrict the character &lsquo;{&rsquo; in HTTP headers. Unlike parentheses, which are commonly used in headers, the character &lsquo;{&rsquo; is not as commonly used (although there may be cases when it is).<\/p>\n<p>To do this in BIG-IP ASM:<\/p>\n<ul>\n<li>Ensure that under the blocking settings (Security -&gt; Application Security -&gt; Blocking -&gt; Settings) you have checked learn\/alarm\/block for the violation &lsquo;Illegal meta character in header&rsquo; (found under the &lsquo;Input Violations&rsquo; section)<\/li>\n<li>Disallow the character &lsquo;{&rsquo; in the header character set configuration (Security -&gt; Application Security -&gt; Headers -&gt; Character Set)<\/li>\n<li>Save and apply the policy<\/li>\n<\/ul>\n<p>You can also restrict the characters &lsquo;(&rsquo;, &lsquo;)&rsquo;, and &lsquo;{&rsquo; in parameter values. These characters are not typically found in parameter values (there are exceptions, such as phone numbers that include parentheses in the values).<\/p>\n<p>To do this in BIG-IP ASM:<\/p>\n<ul>\n<li>Ensure that under the blocking settings (Security -&gt; Application Security -&gt; Blocking -&gt; Settings) you have checked learn\/alarm\/block for the violation &lsquo;Illegal meta character in value&rsquo; (found under the &lsquo;Input Violations&rsquo; section)<\/li>\n<li>By default, ASM already disallows the characters &lsquo;(&rsquo;, &lsquo;)&rsquo;, and &lsquo;{&rsquo; in parameter values. 
You can verify this by looking at the parameter value character set configuration (Security -&gt; Application Security -&gt; Parameters -&gt; Character Set -&gt; Parameter Value)<\/li>\n<li>Save and apply the policy<\/li>\n<\/ul>\n<h4>Signatures<\/h4>\n<p>Ensure all signatures relevant to your environment are enabled (and are not in staging, and neither is any parameter you wish to protect). A few signatures are aimed at identifying <strong>shell command injections<\/strong> included in headers or parameters. While this does not target the Shellshock initial attack vector (using the &ldquo;() {&rdquo; sequence), it does handle the injection portion of the attack, i.e., Bash commands included after the sequence, such as <strong>netcat<\/strong> and <strong>telnet<\/strong>.<\/p>\n<p>Additionally, consider adding these ASM signatures to your arsenal: <a href=\"https:\/\/devcentral.f5.com\/articles\/bash-shellshock-mitigation-using-asm-signatures\" style=\"line-height: 1.6em;\">https:\/\/devcentral.f5.com\/articles\/bash-shellshock-mitigation-using-asm-signatures<\/a><span style=\"line-height: 1.6em;\">&nbsp;per our security team&#39;s recommendation.<\/span><\/p>\n<h4>Cookies<\/h4>\n<p>One of the headers that may be targeted is Cookie. Using cookie encryption and\/or ASM cookie enforcement will restrict cookie tampering and catch attempts to manipulate the cookie header of an application.<\/p>\n<p><strong>Please ensure you carefully evaluate the potential impact<\/strong> these changes can have in terms of false positives. In some cases the characters &lsquo;(&rsquo;, &lsquo;)&rsquo;, and &lsquo;{&rsquo; are used in a legitimate manner within an application, and blocking them may cause valid traffic to be denied. As patches for vulnerable systems become available, make plans to roll them out as soon as possible.<\/p>\n<p>We will continue to update these mitigations and provide additional guidance on mitigating Shellshock as it becomes available. 
You can always find the latest information regarding Shellshock on <a href=\"http:\/\/f5.com\/shellshock\">f5.com\/shellshock<\/a>.<\/p>\n<p>Stay safe.<\/p>\n<p><a href=\"http:\/\/cloudcomputing.sys-con.com\/node\/3207925\" >read more<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-11606","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/11606","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=11606"}],"version-history":[{"count":0,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/11606\/revisions"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=11606"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=11606"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=11606"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}