F5 LTM and CVE-2011-3192

Back-end servers may be vulnerable to the CVE-2011-3192 attack.
The safest way to protect these servers with the BIG-IP is to add a simple iRule to each HTTP virtual server:

when HTTP_REQUEST {
    # remove Range requests for CVE-2011-3192
    HTTP::header remove Range
}

This iRule removes the Range header only when more than 5 ranges are requested:

when HTTP_REQUEST {
    # remove Range requests for CVE-2011-3192 if more than 5 ranges are requested
    if { [HTTP::header "Range"] matches_regex {bytes=(([0-9\- ])+,){5,}} } {
        HTTP::header remove Range
    }
}
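
To check which requests the second iRule changes before deploying it, the pattern can be run against sample Range values. This is an added example in Python, not part of the original post and not F5 code; the helper names and the sample values are assumptions made for the test.

```python
import re

# Pattern copied from the second iRule. matches_regex is an unanchored match,
# so re.search is the Python equivalent for this pattern.
MANY_RANGES = re.compile(r"bytes=(([0-9\- ])+,){5,}")

def apply_irule(headers):
    """Mimic the second iRule: drop Range only when the pattern matches."""
    out = dict(headers)  # hypothetical stand-in for the request's header set
    if MANY_RANGES.search(out.get("Range", "")):
        del out["Range"]
    return out

def range_count(value):
    """Count the comma-separated range specs after the unit prefix."""
    specs = value.partition("=")[2]
    return sum(1 for s in specs.split(",") if s.strip())

# Constructed sample values, not captured traffic.
SAMPLES = [
    "bytes=0-499",                                         # single range
    "bytes=0-99,100-199,200-299,300-399,400-499",          # exactly 5 ranges
    "bytes=0-99,100-199,200-299,300-399,400-499,500-599",  # 6 ranges
    "bytes=0-9, 10-19, 20-29, 30-39, 40-49, 50-59",        # 6 ranges, spaces
    "bytes=-500",                                          # suffix range
]

def report():
    """Return (range count, header removed?) for each sample."""
    return [(range_count(v), "Range" not in apply_irule({"Range": v}))
            for v in SAMPLES]

if __name__ == "__main__":
    for value, (count, removed) in zip(SAMPLES, report()):
        print(f"{count} range(s)  {'removed' if removed else 'kept':8} {value}")
```

A request with exactly 5 ranges keeps its Range header, because the pattern needs five comma-terminated ranges and so only matches from the sixth range on.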
