===========================================================================
             AUSCERT Security Bulletin ASB-2010.0082
       f5 FirePass and BIG-IP SAM: Multiple Vulnerabilities
                              18 March 2010
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              f5 FirePass
                      f5 BIG-IP SAM
Operating System:     Network Appliance
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Unauthorised Access              -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2008-5077
Member content until: Saturday, April 17 2010
Reference:            ESB-2009.0009

OVERVIEW

        Security vulnerabilities have been identified in f5 FirePass and
        BIG-IP SAM.

IMPACT

        The vendor has provided the following information regarding these
        vulnerabilities:

        1. "Vulnerabilities in Microsoft Active Template Library (ATL) could
           allow remote code execution and may result in memory corruption,
           information disclosure, and instantiation of objects without
           regard to security policy." [1]

           This vulnerability affects the following products [1]:

           * BIG-IP SAM version 8.0
           * FirePass versions 5.5 - 5.5.2
           * FirePass versions 6.0 - 6.0.3

        2. "OpenSSL 0.9.8i and earlier does not properly check the return
           value from the EVP_VerifyFinal function." [2] This vulnerability
           enables remote attackers to bypass validation of the certificate
           chain. [3]

           This vulnerability affects the following products [2]:

           * FirePass versions 5.5 - 5.5.2
           * FirePass versions 6.0 - 6.0.3
           * FirePass version 6.1

MITIGATION

        The Microsoft Active Template Library vulnerability has been fixed
        for FirePass appliances in version 6.1.0 and is scheduled to be
        fixed in future versions for BIG-IP SAM. The second vulnerability,
        in OpenSSL, did not have a patch at the time of this publication.
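        The following toy is an added illustration of the second issue and is
        not code from the bulletin, f5 or OpenSSL: a DSA verifier over
        constructed tiny parameters (p=1019, q=509, g=4, private key 5, all
        far too small for real use) that returns 1, 0 or -1 the way
        EVP_VerifyFinal does, beside two hypothetical callers. A caller that
        treats only 0 as failure accepts an undecodable signature blob, which
        is the class of mistake CVE-2008-5077 describes; the corrected caller
        accepts exactly 1.

```python
# Toy DSA over constructed tiny parameters (p=1019, q=509, g=4, x=5); the
# verifier mirrors EVP_VerifyFinal's contract: 1 = good, 0 = bad, -1 = error.
P, Q, G, X = 1019, 509, 4, 5
Y = pow(G, X, P)  # public key
def der_int(n: int) -> bytes:
    """DER INTEGER for n >= 0 (a leading 0x00 keeps the top bit clear)."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return bytes([0x02, len(body)]) + body

def parse_der_int(buf: bytes, pos: int):
    """Return (value, next_pos), or None when the INTEGER is malformed."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        return None
    ln = buf[pos + 1]
    if ln == 0 or ln > 127 or pos + 2 + ln > len(buf):
        return None
    return int.from_bytes(buf[pos + 2:pos + 2 + ln], "big"), pos + 2 + ln

def decode_sig(sig: bytes):
    """Parse DSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] > 127 or sig[1] != len(sig) - 2:
        return None
    r = parse_der_int(sig, 2)
    s = parse_der_int(sig, r[1]) if r else None
    if s is None or s[1] != len(sig):
        return None
    return r[0], s[0]

def toy_sign(h: int, k: int) -> bytes:
    """Sign hash value h with nonce k; returns the DER-encoded (r, s)."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h + X * r) % Q
    body = der_int(r) + der_int(s)
    return bytes([0x30, len(body)]) + body

def verify_final(h: int, sig: bytes) -> int:
    """1 = valid, 0 = well-formed but wrong, -1 = undecodable blob (error)."""
    rs = decode_sig(sig)
    if rs is None:
        return -1  # an error, not a verdict; callers must not read it as success
    r, s = rs
    if not (0 < r < Q and 0 < s < Q):
        return 0
    w = pow(s, -1, Q)
    v = pow(G, h * w % Q, P) * pow(Y, r * w % Q, P) % P % Q
    return 1 if v == r else 0
def vulnerable_accepts(h: int, sig: bytes) -> bool:
    return verify_final(h, sig) != 0  # pre-fix pattern: -1 passes as "verified"
def fixed_accepts(h: int, sig: bytes) -> bool:
    return verify_final(h, sig) == 1  # corrected: success is exactly 1
```

        Signing hash value 100 with nonce 3 yields (r, s) = (64, 140), which
        verifies; an empty SEQUENCE (bytes 30 00) decodes to nothing and is
        accepted by the first caller only.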
        The vendor has stated "FirePass versions listed as subject to this
        vulnerability allow DSA certificates and keys to be installed,
        however, by default they do not use DSA certificates and keys and
        are not vulnerable to this issue."

        Until such a time as a patch is made available, administrators may
        wish to consider not using DSA certificates and keys.

REFERENCES

        [1] SOL10441: Microsoft Active Template Library (ATL) vulnerabilities
            VU#456745
            https://support.f5.com/kb/en-us/solutions/public/10000/400/sol10441.html

        [2] SOL9762: OpenSSL vulnerability - CVE-2008-5077
            https://support.f5.com/kb/en-us/solutions/public/9000/700/sol9762.html

        [3] CVE-2008-5077
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================