Bash Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169)

Last week, a vulnerability in bash was disclosed. Under some circumstances, an attacker who controls the content of an environment variable can get bash to execute arbitrary commands as soon as it starts: bash imports function definitions from environment variables whose value begins with "() {", and vulnerable versions also execute whatever follows the function body.
This is very dangerous whenever bash is used to process requests sent remotely, the classic case being CGI scripts, where the web server exports HTTP headers such as User-Agent into the script's environment.
For now, you are safe if no remotely reachable service runs bash (directly, or through system(), popen() or a /bin/sh wrapper that is actually bash) with attacker-controlled data in its environment.

Some reading about the bash Shellshock vulnerability:
  * https://access.redhat.com/announcements/1210053
  * https://access.redhat.com/articles/1212303

Today's article explains how to use HAProxy to protect your application from the bash Shellshock vulnerability if you are in the situation where you have to be.

Diagram

The diagram is pretty simple. Our purpose is to detect purposely built requests and to prevent them from reaching the server:

[sourcecode language="text"]
+-----------------------------------------------+
|                                               |
|  +----------+     +---------+   +------------+|
|  |          |     |         |   |            ||
|  | Attacker | --> | HAProxy |-->| Vulnerable ||
|  |          |     |         |   |   server   ||
|  +----------+     +---------+   |            ||
|                                 +------------+|
|                                               |
+-----------------------------------------------+
[/sourcecode]

Configuration

Place the following configuration snippet into your HAProxy frontend configuration (the backslashes matter: they were lost in some copies of this article, and without them the patterns no longer match):
[sourcecode language="text"]
reqdeny ^[^:]+:\s*\(\s*\)\s+{
reqdeny ^[^:]+:\s+.*?(<<[^<;]+){5,}
[/sourcecode]

Of course, your frontend must be in HTTP mode, and HAProxy must have been compiled with the USE_PCRE option (or USE_PCRE2 on newer releases): the \s class used above is a PCRE extension that the libc regex engine does not understand. Note that reqdeny was deprecated in HAProxy 2.0 and removed in 2.1; on current releases the same patterns have to be attached to an http-request deny rule matching against the request headers.

The first rule only fires when "() {" appears at the very beginning of a header value. That is deliberate: reqdeny tests every line of the request head, and bash only imports a function from an environment variable whose value starts with "() {", so a payload buried in the middle of a Cookie or Referer value is neither exploitable through this bug nor blocked. The second rule matches a header value carrying five or more "<<" redirections.

HAProxy will return a 403 to any request in which one line matches either rule.
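To see what the two rules actually match before deploying them, here is a small Python script, added for this article and not part of HAProxy or its configuration, that emulates reqdeny's line-by-line matching over constructed requests. The host name, paths and header values are made up for the demonstration; the two regular expressions are exactly the ones from the snippet above.

```python
import re

# The two reqdeny patterns from the configuration above. They are PCRE
# expressions; Python's re module supports every construct they use.
SHELLSHOCK_RULES = (
    # Rule 0: header value that begins with "() {" (extra whitespace allowed),
    # the shape bash looks for when importing a function definition from an
    # environment variable. Classic CVE-2014-6271 payloads and the
    # "() { (a)=>\'" CVE-2014-7169 variant both start this way.
    re.compile(r"^[^:]+:\s*\(\s*\)\s+{"),
    # Rule 1: header value carrying five or more "<<" here-document
    # redirections, each followed by at least one character other than
    # "<" or ";".
    re.compile(r"^[^:]+:\s+.*?(<<[^<;]+){5,}"),
)


def matching_rule(line):
    """Return the index of the first rule matching one request line, or None."""
    for index, rule in enumerate(SHELLSHOCK_RULES):
        if rule.search(line):
            return index
    return None


def check_request(raw_request):
    """Emulate reqdeny: the request line and every header line are tested in
    turn, and the first match denies the whole request with a 403.

    Returns (status, offending_line); status is 403 or 200 (forwarded).
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n"):
        if matching_rule(line) is not None:
            return 403, line
    return 200, None


# Constructed sample requests (hypothetical host and script, not captures).
BENIGN_REQUEST = (
    "GET /cgi-bin/status.sh HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0\r\n"
    "Cookie: sid=abc123\r\n"
    "\r\n"
)

# Typical CVE-2014-6271 probe carried in User-Agent, which a CGI server
# would export as HTTP_USER_AGENT before invoking the script.
ATTACK_REQUEST = (
    "GET /cgi-bin/status.sh HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    'User-Agent: () { :;}; /bin/bash -c "cat /etc/passwd"\r\n'
    "\r\n"
)

if __name__ == "__main__":
    for name, request in (("benign", BENIGN_REQUEST), ("attack", ATTACK_REQUEST)):
        status, line = check_request(request)
        print(f"{name}: {status}" + (f"  <- {line}" if line else ""))
```

Running it forwards the benign request and denies the attack on its User-Agent line. Feeding `matching_rule` individual header lines is the quickest way to confirm the anchoring discussed above: `Cookie: sid=() { :;}; id` is not matched (and would not be imported by bash either), while `X-Foo: <<a<<b<<c<<d<<e` trips the second rule and the same line with only four `<<` does not.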

Note: thanks to Thomas for providing the tip on HAProxy's mailing list.

Links