Description

F5's BIG-IP is a collection of hardware and software solutions designed for application security, reliability, and performance.

iRule is a feature of BIG-IP products that allows clients to directly manipulate and manage any IP application traffic. iRules are written in Tool Command Language (Tcl).

Certain coding practices may allow an attacker to inject arbitrary Tool Command Language (Tcl) commands, which can be executed in the security context of the target Tcl script by the running Tcl interpreter.

This issue affects any user-supplied Tcl code executed on the BIG-IP system including, but not limited to, iRules, Local Traffic Policies, iCall scripts, and Tcl scripts running under the standalone tclsh interpreter.

Remediation

Expressions in Tcl should always be braced. Typically, you can enclose the expression in curly braces '{ }'.
For example, instead of the following unbraced expression:

    if $myVar eq "String"

Use braces so that the interpreter substitutes $myVar only once, as a value rather than as code:

    if {$myVar eq "String"}
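The double substitution the advisory describes, shown as an added Tcl example that is not taken from the advisory or from F5's own code; the proc names and the probe value are constructed for illustration and the bracketed command only sets a global variable so the effect can be checked:

```tcl
# Added demonstration: why an unbraced expression in Tcl is evaluated
# twice, and why the braced form from the remediation prevents it.
# Run with: tclsh double_substitution.tcl

# Unsafe: the expression is a double-quoted string, so Tcl substitutes
# $value before `if` hands the text to the expression parser. Any
# [brackets] inside the value are then executed as Tcl commands.
proc unsafe_compare {value} {
    if "$value eq {expected}" {
        return matched
    }
    return not-matched
}

# Safe (the advisory's remediation): the braced expression reaches the
# expression parser verbatim, and $value is substituted exactly once,
# as data. Brackets inside the value are never executed.
proc safe_compare {value} {
    if {$value eq "expected"} {
        return matched
    }
    return not-matched
}

# Constructed input standing in for attacker-controlled data such as an
# HTTP header or URI that an iRule reads. The bracketed text is harmless:
# it only sets a global variable that we test for afterwards.
set probe {[set ::reached_interpreter yes]}

# Unsafe form: the comparison fails, but the bracketed command has run.
unset -nocomplain ::reached_interpreter
set result [unsafe_compare $probe]
if {$result ne "not-matched" || ![info exists ::reached_interpreter]} {
    error "unexpected: unsafe form did not execute the embedded command"
}
puts "unsafe_compare: result=$result, embedded command executed"

# Safe form, same input: compared as a literal string, nothing executed.
unset -nocomplain ::reached_interpreter
set result [safe_compare $probe]
if {$result ne "not-matched" || [info exists ::reached_interpreter]} {
    error "unexpected: safe form executed the embedded command"
}
puts "safe_compare: result=$result, embedded command NOT executed"

# A benign value behaves the same under the braced form.
if {[safe_compare expected] ne "matched"} {
    error "unexpected: braced comparison failed on a benign value"
}
puts "safe_compare: benign value matched"
```

The same probe technique, with a harmless bracketed value, is a quick way to audit your own iRules for unbraced `if`, `expr` or `while` expressions before an attacker-controlled value reaches them.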
