-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2012.0151
       A vulnerability has been identified in F5 FirePass SSL VPN
                              5 November 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              F5 FirePass SSL VPN
Operating System:     Network Appliance
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2009-4017
Member content until: Wednesday, December 5 2012
Reference:            ESB-2010.0548
                      ESB-2010.0282
                      ESB-2010.0189
                      ESB-2010.0031
                      ASB-2009.1173
                      ASB-2009.1136.2
                      ESB-2010.0842.2

OVERVIEW

        A vulnerability has been identified in F5 FirePass SSL VPN prior to
        versions 6.1.0 HF-610-9 and 7.0.0 F-70-7. [1]

IMPACT

        The vendor has provided the following details regarding this
        vulnerability which has been assigned CVE-2009-4017:

        "F5 FirePass SSL VPN contains a flaw that allows a remote cross-site
        redirection attack. This flaw exists because the application does
        not validate the refreshURL parameter upon submission to the
        my.activation.cns.php3 script. As a result, a user could create a
        URL that, when clicked, would redirect a victim from the intended
        legitimate website to an arbitrary website of the attacker's
        choosing." [1]

MITIGATION

        The vendor recommends updating to the latest version of F5 FirePass
        SSL VPN to correct this issue.

REFERENCES

        [1] sol13993: Cross-site URL redirection attack CVE-2009-4017
            http://support.f5.com/kb/en-us/solutions/public/13000/900/sol13993.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUJdAne4yVqjM2NGpAQKBhBAAs74ZvJ67wPVhOmZ3P2MFZTIWmTvIeRKN
S++bTKxgc+FCl1UyiKOmPOOkgQFa6kNYhJwoDfLx5mmM+EuCQbLn6nbVbPu2Yfpl
dzsPBWmhJRGK+opZauwrWmsqtggR4WPTjr5Wan8H9wYmtiTdhbl0JZFZb6e4T2BN
8Qpt4MltCQSRs8fWiW+3we3mAjM2Sf3sfpYIqD1zfoU/c+wyfQHYAbhSMfpyEHS3
ekIGZTr2ssv0ScDpbu/U6LV3bR26uPAg7hfcY8QeNT30BBZVoeyzTnFHVd6gz59Y
AWWXI2H4R0FV0dyoag0DUvGawPlDLmqmN9i0tEHOpvT/j1bsxhnwac8Vbz/mam4B
y9gQdbsZtE/q8+XK9OqWVRGyfodEy7FtdTL8VyqebVp2eJZ895gxHGFB7kvITez1
2vVj/90aF23NLtMDOEu7d/1OZlU44qWslqp1gIGbdGzjrfxb6j4ttsO15dfu7V1a
C6DSLvrSS38BO4pHIMFYsCBJc+IQqO+VlhLKxXPlgLDJ31zAj8fXTKbVRFLjiaKd
SyXkPWO0Be6h+COUTSQO65Ri21YUIJ3cGRrrZd+0jKNlp+/7MKSoS7a1EkoNacL6
o6puRDWEN5FkGpdTW7udTSWIeWx2zGVeWqDpIDZ20vDW8G6FDuwy3ibpD2qq6Vzr
ZY7WRnywztY=
=CE5J
-----END PGP SIGNATURE-----
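The flaw the vendor describes in the IMPACT section is a redirect parameter that is passed straight into the response without being checked against the site it belongs to. The following is an added example, not part of the AusCERT bulletin and not F5's code: it shows the allow-list check a defender would place in front of any redirect built from a request parameter, and it goes beyond the single case in the bulletin by also rejecting the protocol-relative, userinfo and backslash forms of a redirect target that a simple "does it start with my hostname" test would let through. The parameter name `refreshURL` is taken from the bulletin; the allowed host `vpn.example.org` and the fall-back landing page `/` are constructed assumptions.

```python
"""Allow-list validation of a redirect target taken from a request parameter.

Added example (not F5 FirePass code). The bulletin describes an
unvalidated ``refreshURL`` parameter; this is the check that would have to
sit between that parameter and the ``Location:`` header built from it.
``ALLOWED_HOSTS`` and ``DEFAULT_TARGET`` are constructed placeholder values.
"""
from urllib.parse import urlsplit, urlunsplit

# Hosts a redirect may legitimately land on (constructed example value).
ALLOWED_HOSTS = frozenset({"vpn.example.org"})
# Where to send the user when the parameter is rejected (constructed value).
DEFAULT_TARGET = "/"


def safe_redirect_target(refresh_url, allowed_hosts=ALLOWED_HOSTS):
    """Return refresh_url if it is a safe redirect target, else DEFAULT_TARGET.

    Accepted:
      * a site-relative path that starts with exactly one "/" (so not "//host"),
      * an absolute http(s) URL whose host is on the allow-list.
    Rejected (mapped to DEFAULT_TARGET): empty or oversized values, control
    characters, backslashes, non-http(s) schemes, protocol-relative URLs,
    hosts not on the allow-list, and "allowed-host@other-host" userinfo forms.
    """
    if not refresh_url or len(refresh_url) > 2048:
        return DEFAULT_TARGET

    # Browsers normalise "\" to "/", so "/\host" would behave like "//host"
    # and slip past the single-slash test below; control characters have no
    # legitimate place in a redirect target either.
    if any(ord(c) < 0x20 or c == "\\" for c in refresh_url):
        return DEFAULT_TARGET

    parts = urlsplit(refresh_url)

    # Case 1: site-relative path. urlsplit parses "//host/..." as a netloc,
    # so a protocol-relative URL never satisfies netloc == "".
    if parts.scheme == "" and parts.netloc == "":
        if refresh_url.startswith("/") and not refresh_url.startswith("//"):
            return refresh_url
        return DEFAULT_TARGET

    # Case 2: absolute URL. Only http(s) to an allow-listed host is accepted.
    if parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return DEFAULT_TARGET
    host = (parts.hostname or "").lower()  # hostname drops userinfo and port
    if host not in allowed_hosts:
        return DEFAULT_TARGET

    # Re-serialise from the parsed pieces so any userinfo is discarded and the
    # scheme/host are in canonical lower case.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit(
        (parts.scheme.lower(), netloc, parts.path or "/", parts.query, parts.fragment)
    )


if __name__ == "__main__":
    # Constructed sample inputs: the first and third are accepted, the rest
    # fall back to DEFAULT_TARGET.
    for sample in (
        "/my.activation.cns.php3?lang=en",
        "//other.example/",
        "https://vpn.example.org/portal",
        "https://vpn.example.org@other.example/",
        "ftp://vpn.example.org/",
    ):
        print(f"{sample!r:50} -> {safe_redirect_target(sample)!r}")
```

The important design choice is to decide from the parsed components (`hostname`, `scheme`) and then re-serialise, rather than to string-match the raw parameter: a prefix test on the raw string is exactly what the userinfo and protocol-relative forms are built to defeat. Rejecting to a fixed landing page, rather than echoing the bad value back in an error, also keeps the rejected input out of the response entirely.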