Detection: CVE-2021-22991

This is a NON-OFFICIAL trigger to detect CVE-2021-22991, and is subject to change. This post will be taken down if/when an official version is supplied. This detection card will fire given a request similar to the one shown here:

Please note that this exploit is likely to change / evolve and this trigger is provided as-is and in good faith to the community to help get some coverage for the recent disclosures from F5.

If you’re running version 8.3, you can format the detection card like this via “Detection Formats”:

Community_ CVE-2021-22991v2.json (2.1 KB)

This seems to work for the case in the linked writeup.
However, this regular expression will catch other attempts also:
let m = /\:\/\/\[[0-9a-f]\]/

I do not have an F5 to test against.
We are looking to test and get a similar detection into alphas soon.

I’ll update now and do some tests to validate.

Done: v2 has Costlow’s improvement and I’ve tested against several different permutations: