Last week, a Bash Shellshock Vulnerability (CVE-2014-6271 and CVE-2014-7169) was discovered. It is possible, under some circumstances, to inject code into a Bash shell script. It could be very dangerous if Bash is used to process requests sent remotely. For now, you’re safe if services call no Bash scripts with remote accesses.

Some reading about Bash Shellshock vulnerability:

Today’s article will explain how to use HAProxy to protect your application from Bash shellshock vulnerability if you’re in a case where you have to be protected.

Diagram

The diagram is pretty simple. Our purpose will detect any purposely built requests and prevent them from reaching the server:

+-------------------------------------------------+
|                                                 |
| +----------+     +---------+     +------------+ |
| |          |     |         |     |            | |
| | Attacker | +-> | HAProxy | +-> | Vulnerable | |
| |          |     |         |     | server     | |
| +----------+     +---------+     |            | |
|                                  +------------+ |
|                                                 |
+-------------------------------------------------+

Configuration

Place the configuration snippet into your HAProxy frontend configuration:

  reqdeny  ^[^:]+:s*(s*)s+{
  reqdeny  ^[^:]+:s+.*?(<<[^<;]+){5,}

Of course, your frontend must be in http mode and HAProxy must have been compiled with the USE_PCRE option.

HAProxy will return a 403 if a request matches the shellshock attack.

Note

Greeting to Thomas for providing the tip on HAProxy’s mailing list.

Links

Subscribe to our blog. Get the latest release updates, tutorials, and deep-dives from HAProxy experts.