Bug ID 737739: Bash shell still accessible for admin even if disabled

Last Modified: Apr 26, 2024

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions: 13.1.5, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.0.0, 15.0.1, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.1.9, 15.1.10, 16.1.0, 16.1.1, 16.1.2, 16.1.3, 16.1.4, 17.1.0, 17.1.1

Opened: Jul 20, 2018

Severity: 3-Major


With the administrator role, you have an option in TMUI to disable or restrict terminal access. If you disable or restrict access, the corresponding REST endpoint is neither disabled nor restricted.


Users with the Administrator role can obtain shell access via REST.

With terminal access disabled:
-- If you attempt to log in using SSH, you will not be able to do so.
-- If you make a POST request to the /mgmt/tm/util/bash endpoint with a body that includes a command to run, that command will be run.

With access to TMSH restricted:
-- If you make a POST request to the /mgmt/tm/util/bash endpoint with a body that includes a command to run, that command will be run.


Use TMUI as the admin, or as a user with the administrator role, and either of the following:
-- Disable terminal access.
-- Restrict access to TMSH.
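To find the accounts that meet these conditions, the sketch below (an added example, not F5 code) parses saved user configuration and lists administrators whose terminal access is disabled or limited to TMSH, since for those accounts the setting does not cover the REST endpoint. It assumes input shaped like `tmsh list auth user` output; the sample users and the function names are constructed for illustration.

```python
import re

# Constructed sample, shaped like `tmsh list auth user` output (assumed format).
SAMPLE_CONFIG = """\
auth user admin {
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell none
}
auth user netops {
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell tmsh
}
auth user viewer {
    partition-access {
        all-partitions {
            role guest
        }
    }
    shell none
}
"""

def parse_users(text):
    """Map username -> {"roles": set, "shell": str} from tmsh-style stanzas."""
    users, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:  # top level: a user stanza starts here, or something else does
            m = re.match(r"auth user (\S+) \{$", line)
            # Assumption: a stanza with no shell line is treated as "none".
            current = users.setdefault(m.group(1), {"roles": set(), "shell": "none"}) if m else None
        elif current is not None and line.startswith("role "):
            current["roles"].add(line.split()[1])
        elif current is not None and depth == 1 and line.startswith("shell "):
            current["shell"] = line.split()[1]
        depth += line.count("{") - line.count("}")
    return users

def rest_bash_exposed(users):
    """Administrators whose terminal setting is disabled or tmsh-only."""
    return sorted(name for name, u in users.items()
                  if "admin" in u["roles"] and u["shell"] in ("none", "tmsh"))
```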



Fix Information


Behavior Change
