Blocking PROPFIND HTTP method with F5 load balancers

CVE-2017-7269 (https://nvd.nist.gov/vuln/detail/CVE-2017-7269) was published on March 26, 2017, describing a remote code execution vulnerability in the PROPFIND HTTP method handling code of IIS/6.0. Exploit code is publicly available (https://github.com/edwardz246003/IIS_exploit), and the vulnerability has likely been exploited in the wild since July/August 2016.

I’ve been working on options to block the PROPFIND method on the F5 load balancers as a short-term fix, and wanted to share the iRule in case anybody else is looking for a similar solution:

when HTTP_REQUEST {
    switch [HTTP::method] {
        "PROPFIND" {
            if { !([IP::addr [IP::client_addr] equals 10.0.0.0/8]) } {
                # deny PROPFIND HTTP/WebDAV method from untrusted networks
                HTTP::respond 405 content "Method not allowed"
                return
            }
        }
    }
}

  • switch [HTTP::method] matches on the request method; the "PROPFIND" branch runs only for PROPFIND requests.
  • The if { ... } block checks whether the client address is inside the 10.0.0.0/8 CIDR block, and responds with HTTP status 405 if it is not.

Note: blocking PROPFIND breaks WebDAV drive mapping in Windows, and likely other WebDAV clients as well.
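
To see which clients the rule would cut off before enabling it, the same decision (PROPFIND from outside 10.0.0.0/8) can be replayed over IIS W3C extended logs. This is an added example, not part of the original post; the log lines are constructed and the field set in the #Fields header is an assumption about what the server logs.

```python
import ipaddress
from collections import Counter

TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")  # same range the iRule allows

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2017-03-28 09:14:02 PROPFIND /docs/ 10.20.30.40 Microsoft-WebDAV-MiniRedir/6.1.7601 207
2017-03-28 09:14:05 GET /default.htm 198.51.100.7 Mozilla/5.0 200
2017-03-28 09:15:11 PROPFIND / 203.0.113.9 - 207
2017-03-28 09:15:12 PROPFIND / 203.0.113.9 - 207
2017-03-28 09:16:40 PROPFIND /share/ 198.51.100.23 Microsoft-WebDAV-MiniRedir/6.1.7601 207
"""


def would_block(method, client_ip, trusted=TRUSTED_NET):
    """Mirror the iRule: PROPFIND from outside the trusted network gets a 405."""
    if method != "PROPFIND":
        return False
    return ipaddress.ip_address(client_ip) not in trusted


def blocked_clients(log_text):
    """Return Counter {(client_ip, user_agent): hits} for requests the rule would deny."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                            # malformed or truncated row
        row = dict(zip(fields, values))
        try:
            if would_block(row["cs-method"], row["c-ip"]):
                hits[(row["c-ip"], row.get("cs(User-Agent)", "-"))] += 1
        except (KeyError, ValueError):
            continue                            # missing column or unparsable address
    return hits


if __name__ == "__main__":
    for (ip, agent), count in blocked_clients(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {ip:15s}  {agent}")
```

Entries with a WebDAV client user agent are the users whose drive mappings will break; the rest are candidates for closer review.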
