-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1518
                        MIT Kerberos 5 vulnerability
                              5 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP
                   ARX
                   Enterprise Manager
                   FirePass
                   BIG-IQ
Publisher:         F5
Operating System:  Network Appliance
Impact/Access:     Denial of Service                -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4344 CVE-2014-4343 CVE-2014-4342 CVE-2014-4341
Reference:         ESB-2014.1471
                   ESB-2014.1352

Original Bulletin:
   http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15552.html
   http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15547.html
   http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15553.html
   http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15561.html

Comment: This bulletin contains four (4) F5 security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- ------------------------------------------------------------------------------

SOL15552: MIT Kerberos 5 vulnerability CVE-2014-4341

Security Advisory

Original Publication Date: 09/04/2014

Description

MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a
denial of service (buffer over-read and application crash) by injecting
invalid tokens into a GSSAPI application session. (CVE-2014-4341)

Impact

A remote attacker may be able to cause a denial-of-service (DoS) by injecting
invalid tokens into a GSSAPI application session.

Status

F5 Product Development has assigned ID 476157, ID 476871, ID 476872 (BIG-IP,
BIG-IQ, and Enterprise Manager) and ID 476378 (ARX) to this vulnerability, and
has evaluated the currently supported releases for potential vulnerability.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

Product               Versions known to    Versions known to    Vulnerable component
                      be vulnerable        be not vulnerable    or feature
--------------------  -------------------  -------------------  --------------------------------
BIG-IP LTM            11.0.0 - 11.6.0      None                 Authentication profiles,
                      10.0.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP AAM            11.4.0 - 11.6.0      None                 Authentication profiles,
                                                                Configuration utility remote
                                                                authentication
BIG-IP AFM            11.3.0 - 11.6.0      None                 Authentication profiles,
                                                                Configuration utility remote
                                                                authentication
BIG-IP Analytics      11.0.0 - 11.6.0      None                 Authentication profiles,
                                                                Configuration utility remote
                                                                authentication
BIG-IP APM            11.0.0 - 11.6.0      None                 Authentication profiles,
                      10.1.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP ASM            11.0.0 - 11.6.0      None                 Authentication profiles,
                      10.0.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP Edge Gateway   11.0.0 - 11.3.0      None                 Authentication profiles,
                      10.1.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP GTM            11.0.0 - 11.6.0      None                 Authentication profiles,
                      10.0.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP Link           11.0.0 - 11.6.0      None                 Authentication profiles,
Controller            10.0.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP PEM            11.3.0 - 11.6.0      None                 Authentication profiles,
                                                                Configuration utility remote
                                                                authentication
BIG-IP PSM            11.0.0 - 11.4.1      None                 Authentication profiles,
                      10.0.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP WebAccelerator 11.0.0 - 11.3.0      None                 Authentication profiles,
                      10.0.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP WOM            11.0.0 - 11.3.0      None                 Authentication profiles,
                      10.0.0 - 10.2.4                           Configuration utility remote
                                                                authentication
ARX                   6.0.0 - 6.4.0        None                 ARX GUI and client
                                                                authentication
Enterprise Manager    3.0.0 - 3.1.1        None                 Configuration utility remote
                      2.1.0 - 2.3.0                             authentication
FirePass              None                 7.0.0                None
                                           6.0.0 - 6.1.0
BIG-IQ Cloud          4.0.0 - 4.3.0        None                 Configuration utility remote
                                                                authentication
BIG-IQ Device         4.2.0 - 4.3.0        None                 Configuration utility remote
                                                                authentication
BIG-IQ Security       4.0.0 - 4.3.0        None                 Configuration utility remote
                                                                authentication

Recommended action

If the previous table lists a version in the Versions known to be not
vulnerable column, you can eliminate this vulnerability by upgrading to the
listed version. If the table does not list any version in the column, then no
upgrade candidate currently exists.

To mitigate this vulnerability, you can restrict communication between the
affected F5 device and the authentication server to an isolated VLAN.

- ------------------------------------------------------------------------------

SOL15547: MIT Kerberos 5 vulnerability CVE-2014-4342

Security Advisory

Original Publication Date: 09/04/2014

Description

MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows remote
attackers to cause a denial of service (buffer over-read or NULL pointer
dereference, and application crash) by injecting invalid tokens into a GSSAPI
application session. (CVE-2014-4342)

Impact

A remote attacker may be able to cause a denial-of-service (DoS) (buffer
over-read or NULL pointer dereference, and application crash) by injecting
invalid tokens into a GSSAPI application session.

Status

F5 Product Development has assigned ID 476157, 476871, 476872 (BIG-IP, BIG-IQ,
and Enterprise Manager) and ID 476378 (ARX) to this vulnerability, and has
evaluated the currently supported releases for potential vulnerability.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

Product               Versions known to    Versions known to    Vulnerable component
                      be vulnerable        be not vulnerable    or feature
--------------------  -------------------  -------------------  --------------------------------
BIG-IP LTM            11.0.0 - 11.6.0      10.0.0 - 10.1.0      Authentication profiles,
                      10.0.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP AAM            11.4.0 - 11.6.0      None                 Authentication profiles,
                                                                Configuration utility remote
                                                                authentication
BIG-IP AFM            11.3.0 - 11.6.0      None                 Authentication profiles,
                                                                Configuration utility remote
                                                                authentication
BIG-IP Analytics      11.0.0 - 11.6.0      None                 Authentication profiles,
                                                                Configuration utility remote
                                                                authentication
BIG-IP APM            11.0.0 - 11.6.0      10.1.0               Authentication profiles,
                      10.1.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP ASM            11.0.0 - 11.6.0      10.0.0 - 10.1.0      Authentication profiles,
                      10.0.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP Edge Gateway   11.0.0 - 11.3.0      10.1.0               Authentication profiles,
                      10.1.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP GTM            11.0.0 - 11.6.0      10.0.0 - 10.1.0      Authentication profiles,
                      10.0.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP Link           11.0.0 - 11.6.0      10.0.0 - 10.1.0      Authentication profiles,
Controller            10.0.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP PEM            11.3.0 - 11.6.0      None                 Authentication profiles,
                                                                Configuration utility remote
                                                                authentication
BIG-IP PSM            11.0.0 - 11.4.1      10.0.0 - 10.1.0      Authentication profiles,
                      10.0.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP WebAccelerator 11.0.0 - 11.3.0      10.0.0 - 10.1.0      Authentication profiles,
                      10.0.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP WOM            11.0.0 - 11.3.0      10.0.0 - 10.1.0      Authentication profiles,
                      10.0.0 - 10.2.4                           Configuration utility remote
                                                                authentication
ARX                   6.0.0 - 6.4.0        None                 ARX GUI and client
                                                                authentication
Enterprise Manager    3.0.0 - 3.1.1        None                 Configuration utility remote
                      2.1.0 - 2.3.0                             authentication
FirePass              None                 7.0.0                None
                                           6.0.0 - 6.1.0
BIG-IQ Cloud          4.0.0 - 4.3.0        None                 Configuration utility remote
                                                                authentication
BIG-IQ Device         4.2.0 - 4.3.0        None                 Configuration utility remote
                                                                authentication
BIG-IQ Security       4.0.0 - 4.3.0        None                 Configuration utility remote
                                                                authentication

Recommended action

BIG-IP, BIG-IQ, Enterprise Manager

If the previous table lists a version in the Versions known to be not
vulnerable column, you can eliminate this vulnerability by upgrading to the
listed version. If the table does not list any version in the column, then no
upgrade candidate currently exists.

To mitigate this vulnerability, you can restrict communication between the
BIG-IP, BIG-IQ, or Enterprise Manager devices and the remote authentication
servers to an isolated VLAN.

ARX

If the previous table lists a version in the Versions known to be not
vulnerable column, you can eliminate this vulnerability by upgrading to the
listed version. If the table does not list any version in the column, then no
upgrade candidate currently exists.

- ------------------------------------------------------------------------------

SOL15553: Kerberos vulnerability CVE-2014-4343

Security Advisory

Original Publication Date: 09/04/2014

Description

Double free vulnerability in the init_ctx_reselect function in the SPNEGO
initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5)
1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial
of service (memory corruption) or possibly execute arbitrary code via network
traffic that appears to come from an intended acceptor, but specifies a
security mechanism different from the one proposed by the initiator.
(CVE-2014-4343)

Impact

An attacker may be able to cause a denial-of-service (DoS) to an application
that uses Kerberos authentication, or possibly execute arbitrary code, via
crafted network traffic.
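Both token shapes this bulletin describes, an acceptor reply that selects a mechanism other than the one the initiator proposed (the init_ctx_reselect path of CVE-2014-4343 above) and an empty continuation token (the acc_ctx_cont condition of CVE-2014-4344 in SOL15561 below), are decidable from the DER structure of an RFC 4178 negTokenResp alone. The following is an added example, not MIT krb5 or F5 code: a small DER encoder, a negTokenResp parser, and a classifier that labels those two cases (plus outright malformed tokens and a mechanism that was never offered) before any GSSAPI mechanism is handed the bytes. The sample tokens are constructed inline; the mechanism OIDs are the standard Kerberos, Microsoft Kerberos and NTLMSSP values; the function names and the label strings are this example's own.

```python
"""Classify RFC 4178 SPNEGO negTokenResp tokens before a GSSAPI mechanism sees
them. Added example, not MIT krb5 or F5 code; sample tokens are constructed."""

# Well-known GSS mechanism OIDs (real values).
KRB5_MECH = "1.2.840.113554.1.2.2"
MS_KRB5_MECH = "1.2.840.48018.1.2.2"
NTLMSSP_MECH = "1.3.6.1.4.1.311.2.2.10"
ACCEPT_INCOMPLETE = 1  # negState value meaning "send me another token"


def _der_len(n):
    if n < 0x80:                       # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf, pos):
    """Decode one TLV at pos -> (tag, body, end); raises on truncated input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def build_neg_token_resp(neg_state, supported_mech=None, response_token=None):
    """negTokenResp ::= [1] SEQUENCE { [0] negState ENUMERATED,
    [1] supportedMech OID, [2] responseToken OCTET STRING }.
    response_token=b"" produces an empty continuation token."""
    fields = _tlv(0xA0, _tlv(0x0A, bytes([neg_state])))
    if supported_mech is not None:
        fields += _tlv(0xA1, _encode_oid(supported_mech))
    if response_token is not None:
        fields += _tlv(0xA2, _tlv(0x04, response_token))
    return _tlv(0xA1, _tlv(0x30, fields))


def parse_neg_token_resp(token):
    """Decode a negTokenResp into a dict; raises ValueError/IndexError if malformed."""
    tag, body, end = _read_tlv(token, 0)
    if tag != 0xA1 or end != len(token):
        raise ValueError("not a single negTokenResp")
    tag, seq, _ = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("negTokenResp body is not a SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        tag, inner, pos = _read_tlv(seq, pos)
        itag, ibody, _ = _read_tlv(inner, 0)
        if tag == 0xA0 and itag == 0x0A:
            fields["negState"] = ibody[0]
        elif tag == 0xA1 and itag == 0x06:
            fields["supportedMech"] = _decode_oid(ibody)
        elif tag in (0xA2, 0xA3) and itag == 0x04:   # responseToken / mechListMIC
            fields["responseToken" if tag == 0xA2 else "mechListMIC"] = ibody
        else:
            raise ValueError("unexpected field tag 0x%02x" % tag)
    return fields


def classify_resp(token, offered_mechs):
    """Label a negTokenResp against the (non-empty) mechList the initiator sent;
    offered_mechs[0] is the optimistic mechanism. Labels: "malformed",
    "empty-token" (zero-length responseToken), "mech-not-offered",
    "reselect" (an offered mechanism other than the optimistic one), "continue"."""
    try:
        fields = parse_neg_token_resp(token)
    except (ValueError, IndexError):
        return "malformed"
    if "responseToken" in fields and len(fields["responseToken"]) == 0:
        return "empty-token"
    mech = fields.get("supportedMech")
    if mech is not None:
        if mech not in offered_mechs:
            return "mech-not-offered"
        if mech != offered_mechs[0]:
            return "reselect"
    return "continue"


if __name__ == "__main__":
    offered = [KRB5_MECH, NTLMSSP_MECH]          # constructed initiator mechList
    for name, tok in [
        ("normal", build_neg_token_resp(ACCEPT_INCOMPLETE, KRB5_MECH, b"\x60\x02\x01\x02")),
        ("reselect", build_neg_token_resp(ACCEPT_INCOMPLETE, NTLMSSP_MECH, b"NTLMSSP\x00")),
        ("empty", build_neg_token_resp(ACCEPT_INCOMPLETE, None, b"")),
        ("foreign", build_neg_token_resp(ACCEPT_INCOMPLETE, MS_KRB5_MECH, b"x")),
        ("truncated", b"\xa1\x05\x30\x03\xa0\x01")]:
        print("%-9s %-44s -> %s" % (name, tok.hex(), classify_resp(tok, offered)))
```

classify_resp only labels; what a caller does with "reselect" (discard the optimistic mechanism's state once, then continue with the selected one) or "empty-token" (fail the negotiation) is its own decision. The point is that both conditions are visible in the outer DER, so a check in front of the library refuses them before the vulnerable mechanism code runs on the bytes. That is also the reasoning behind the VLAN isolation F5 recommends above: if untrusted peers cannot reach the token parser, the crash path is unreachable even on an unpatched build.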
Status

F5 Product Development has assigned ID 476461 (BIG-IP) and ID 476378 (ARX) to
this vulnerability, and has evaluated the currently supported releases for
potential vulnerability.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

Product               Versions known to    Versions known to    Vulnerable component
                      be vulnerable        be not vulnerable    or feature
--------------------  -------------------  -------------------  --------------------------------
BIG-IP LTM            None                 11.0.0 - 11.6.0      None
                                           10.0.0 - 10.2.4
BIG-IP AAM            None                 11.4.0 - 11.6.0      None
BIG-IP AFM            None                 11.3.0 - 11.6.0      None
BIG-IP Analytics      None                 11.0.0 - 11.6.0      None
BIG-IP APM            11.0.0 - 11.6.0      10.1.0               Authentication profiles,
                      10.1.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP ASM            11.0.0 - 11.6.0      10.0.0 - 10.1.0      Authentication profiles,
                      10.0.0 - 10.2.4                           Configuration utility remote
                                                                authentication
BIG-IP Edge Gateway   11.2.1 - 11.3.0      11.0.0 - 11.2.0      WebSSO; Exchange Profile
                                           10.1.0 - 10.2.4
BIG-IP GTM            None                 11.0.0 - 11.6.0      None
                                           10.0.0 - 10.2.4
BIG-IP Link           None                 11.0.0 - 11.6.0      None
Controller                                 10.0.0 - 10.2.4
BIG-IP PEM            None                 11.3.0 - 11.6.0      None
BIG-IP PSM            None                 11.0.0 - 11.4.1      None
                                           10.0.0 - 10.2.4
BIG-IP WebAccelerator None                 11.0.0 - 11.3.0      None
                                           10.0.0 - 10.2.4
BIG-IP WOM            None                 11.0.0 - 11.3.0      None
                                           10.0.0 - 10.2.4
ARX                   6.0.0 - 6.4.0        None                 Client authentication using
                                                                Kerberos
Enterprise Manager    None                 3.0.0 - 3.1.1        None
                                           2.1.0 - 2.3.0
FirePass              None                 7.0.0                None
                                           6.0.0 - 6.1.0
BIG-IQ Cloud          None                 4.0.0 - 4.3.0        None
BIG-IQ Device         None                 4.2.0 - 4.3.0        None
BIG-IQ Security       None                 4.0.0 - 4.3.0        None

Recommended action

You can eliminate this vulnerability by running a version listed in the
Versions known to be not vulnerable column in the above table. If the Versions
known to be not vulnerable column does not list a version that is higher than
the version you are running, then no upgrade candidate currently exists.
BIG-IP APM

To mitigate this vulnerability on the BIG-IP APM system, you can configure the
Kerberos SSO Send Authorization configuration option to use any value except
Always (the default). For information about configuring this option, refer to
the Kerberos Single Sign-On Method chapter of the BIG-IP Access Policy Manager
Single Sign-On Configuration Guide.

- ------------------------------------------------------------------------------

SOL15561: Kerberos vulnerability CVE-2014-4344

Security Advisory

Original Publication Date: 09/04/2014

Description

The acc_ctx_cont function in the SPNEGO acceptor in
lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through
1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via an empty continuation token at
a certain point during a SPNEGO negotiation. (CVE-2014-4344)

Impact

An attacker may be able to cause a denial-of-service (DoS) to an application
that uses Kerberos authentication.

Status

F5 Product Development has assigned ID 476468 (BIG-IP) and ID 476378 (ARX) to
this vulnerability, and has evaluated the currently supported releases for
potential vulnerability.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

Product               Versions known to    Versions known to    Vulnerable component
                      be vulnerable        be not vulnerable    or feature
--------------------  -------------------  -------------------  --------------------------------
BIG-IP LTM            None                 11.0.0 - 11.6.0      None
                                           10.0.0 - 10.2.4
BIG-IP AAM            None                 11.4.0 - 11.6.0      None
BIG-IP AFM            None                 11.3.0 - 11.6.0      None
BIG-IP Analytics      None                 11.0.0 - 11.6.0      None
BIG-IP APM            11.0.0 - 11.6.0      None                 WebSSO; Exchange profile
                      10.1.0 - 10.2.4
BIG-IP ASM            None                 11.0.0 - 11.6.0      None
                                           10.0.0 - 10.2.4
BIG-IP Edge Gateway   11.0.0 - 11.3.0      None                 WebSSO; Exchange Profile
                      10.1.0 - 10.2.4
BIG-IP GTM            None                 11.0.0 - 11.6.0      None
                                           10.0.0 - 10.2.4
BIG-IP Link           None                 11.0.0 - 11.6.0      None
Controller                                 10.0.0 - 10.2.4
BIG-IP PEM            None                 11.3.0 - 11.6.0      None
BIG-IP PSM            None                 11.0.0 - 11.4.1      None
                                           10.0.0 - 10.2.4
BIG-IP WebAccelerator None                 11.0.0 - 11.3.0      None
                                           10.0.0 - 10.2.4
BIG-IP WOM            None                 11.0.0 - 11.3.0      None
                                           10.0.0 - 10.2.4
ARX                   6.0.0 - 6.4.0        None                 Client authentication using
                                                                Kerberos
Enterprise Manager    None                 3.0.0 - 3.1.1        None
                                           2.1.0 - 2.3.0
FirePass              None                 7.0.0                None
                                           6.0.0 - 6.1.0
BIG-IQ Cloud          None                 4.0.0 - 4.3.0        None
BIG-IQ Device         None                 4.2.0 - 4.3.0        None
BIG-IQ Security       None                 4.0.0 - 4.3.0        None

Recommended action

You can eliminate this vulnerability by running a version listed in the
Versions known to be not vulnerable column in the above table. If the Versions
known to be not vulnerable column does not list a version that is higher than
the version you are running, then no upgrade candidate currently exists.

BIG-IP APM

To mitigate this vulnerability on the BIG-IP APM system, you can configure the
Kerberos SSO Send Authorization configuration option to use any value except
Always (the default).
For information about configuring this option, refer to the Kerberos Single
Sign-On Method chapter of the BIG-IP Access Policy Manager Single Sign-On
Configuration Guide.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVAlBwxLndAQH1ShLAQLQfw//Th2IKpxcRBb9QtV5NwYLkZJc4e1KvCP4
fQwS+nQlXNUPVwqVUUga43Ovamkell1L1W5yADNn75AxYQQjMrrKyeA+QyKbMnUr
F2WbufWXOzYggx1H8swN5BJp71TbR5wy8XUzllbVKSDtYaitfoOUPeIqyJvi+tgD
iBsByYdC7KhSZ472byu3RjmBjA2MoJZaoSxuXfcE/ZKulvJU2jwcGa81pvWt6KF6
Rudkwx0tAK1iPoFE/dhwR6IkQQnyscfFWd4CjTBmEz7A8oLOCEFMb7PNcUioyHr5
eH2eQDBp1caD0uAp9/aX6eYnl0NMGI43XU9W459+f1E511Hmolpv0V0Oy19D4eeY
xiODNgidkUm6Ts++XvDHo1OWjFK99/y4FMA1LLL6qN/GVlVq3St5FReB6Y+PRf/i
RxgcQlYVjQL8DnTYNOyf2AarmRkJEnZ8DhEtrYN/qEU3/VnOgHkc8pbNvi7towup
sCHOgTzztlK4qrtmx0+gxQ4P0QUQ06jtf1msk7goYfW03eVPYsjURp4H49dCeEna
cmxHp+XdWuf8A9O0YhFq97YYOKrx6yBay6YUaWv5npG2B84E13H6ukH0Hk7AMvGl
Jgdp+U4TkAaR9WjKW2EStJUG7COp37hsaskMKPhgceBAshfB8m1abpk4IJkPtHPq
t2OqMhwk7V4=
=lBZs
-----END PGP SIGNATURE-----