BigIP iRule Tcl code injection - Vulnerability Database

BigIP iRule Tcl code injection

Description

F5 BIG-IP products include iRule functionality that allows administrators to write custom traffic management logic in Tool Command Language (Tcl). When iRule code or other Tcl scripts on BIG-IP systems pass unsanitized, user-controlled data through Tcl expressions, an attacker can embed Tcl commands in that data and have the Tcl interpreter execute them with the privileges of the BIG-IP system. This vulnerability affects iRules, Local Traffic Policies, iCall scripts, and any other custom Tcl code running on BIG-IP appliances.

Remediation

Always enclose Tcl expressions in curly braces { } to prevent command substitution and injection attacks. Braces defer substitution to the expression evaluator, which substitutes each variable exactly once, so command and variable substitutions contained in user-supplied data are treated as literal text rather than evaluated.

Review all iRules, Local Traffic Policies, and custom Tcl scripts for unbraced expressions, particularly in conditional statements and string comparisons.

Vulnerable code example:

if $myVar eq "String" {
    # User input in $myVar can inject commands
}

Secure code example:

if {$myVar eq "String"} {
    # Expression is evaluated safely without substitution
}
Additionally, validate and sanitize all user-supplied input before using it in Tcl expressions. Avoid using the eval and subst commands with untrusted data. Consult F5 Knowledge Article K15650046 for comprehensive guidance on secure Tcl coding practices for BIG-IP systems.
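The following stand-alone Tcl script is an added example, not code from the Invicti page or from F5; it makes the double substitution visible by placing a harmless bracketed command in a constructed value ($myVar stands in for attacker-controlled data such as a request URI) and comparing the unbraced and braced forms side by side.

```tcl
# Constructed stand-in for user-controlled data (e.g. a header or URI value).
# The bracketed text is a harmless command chosen only to show whether the
# interpreter executes data as code.
set myVar {[string repeat x 3]}

proc unbraced_compare {value} {
    # Tcl substitutes $value once when parsing this command line, producing the
    # text "[string repeat x 3] eq \"xxx\"". expr then parses that text as an
    # expression and performs substitution a second time, so the bracketed
    # command inside the data is executed.
    return [expr "$value eq \"xxx\""]
}

proc braced_compare {value} {
    # Braces hand the expression to expr unsubstituted. expr replaces $value
    # with its contents exactly once and compares those contents as a string;
    # nothing inside the data is evaluated.
    return [expr {$value eq "xxx"}]
}

puts "unbraced: [unbraced_compare $myVar]"   ;# 1 - the embedded command ran
puts "braced:   [braced_compare $myVar]"     ;# 0 - the value was treated as data

# The same rule applies to conditionals in iRules: keep the whole expression
# braced so the comparison operates on the literal value.
if {$myVar eq "xxx"} {
    puts "match"
} else {
    puts "no match: the value was compared as a literal string"
}
```

Run it with tclsh; the unbraced comparison reports 1 only because the command embedded in the data was executed, which is exactly the behaviour the braced form removes.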
