Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.1423
Two cURL and libcurl vulnerabilities affect F5 products
1 June 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: F5 products
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Unauthorised Access -- Remote/Unauthenticated
Resolution: Mitigation
CVE Names: CVE-2015-3148 CVE-2015-3143
Reference: ASB-2015.0009
ESB-2015.1114
ESB-2014.2309.2
ESB-2014.1429
ESB-2014.1057
ESB-2014.0889
ESB-2014.0835
ESB-2014.0129
Original Bulletin:
https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16704.html
https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16707.html
Comment: This bulletin contains two (2) F5 Networks security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
sol16704: cURL and libcurl vulnerability CVE-2015-3143
Security Advisory
Original Publication Date: 05/29/2015
Updated Date: 05/29/2015
Description
cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM
connections, which allows remote attackers to connect as other users via an
unauthenticated request, a similar issue to CVE-2014-0015. (CVE-2015-3143)
Impact
Remote attackers may be able to reuse NTLM connections as other users via an
unauthenticated request.
Status
F5 Product Development has assigned ID 521026 (BIG-IP), 525347 (BIG-IQ),
525348 (Enterprise Manager), and ID 476510 (ARX) to this vulnerability, and
has evaluated the currently supported releases for potential vulnerability.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:
Product Versions known to be vulnerable Versions known to be not vulnerable Severity Vulnerable component or feature
BIG-IP LTM 11.0.0 - 11.6.0
10.0.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP AAM 11.4.0 - 11.6.0 None Low cURL and libcurl*
BIG-IP AFM 11.3.0 - 11.6.0 None Low cURL and libcurl*
BIG-IP
Analytics 11.0.0 - 11.6.0 None Low cURL and libcurl*
BIG-IP APM 11.0.0 - 11.6.0
10.1.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP ASM 11.0.0 - 11.6.0
10.0.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP Edge
Gateway 11.0.0 - 11.3.0
10.1.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP GTM 11.0.0 - 11.6.0
10.0.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP Link
Controller 11.0.0 - 11.6.0
10.0.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP PEM 11.3.0 - 11.6.0 None Low cURL and libcurl*
BIG-IP PSM 11.0.0 - 11.4.1
10.0.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP
WebAccelerator 11.0.0 - 11.3.0
10.0.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP WOM 11.0.0 - 11.3.0
10.0.0 - 10.2.4 None Low cURL and libcurl*
ARX 6.0.0 - 6.4.0 None Low cURL and libcurl
Enterprise
Manager 3.0.0 - 3.1.1
2.1.0 - 2.3.0 None Low cURL and libcurl
FirePass None 7.0.0
6.0.0 - 6.1.0 Not vulnerable None
BIG-IQ Cloud 4.0.0 - 4.5.0 None Low cURL and libcurl
BIG-IQ Device 4.2.0 - 4.5.0 None Low cURL and libcurl
BIG-IQ Security 4.0.0 - 4.5.0 None Low cURL and libcurl
BIG-IQ ADC 4.5.0 None Low cURL and libcurl
*The cURL libraries and use of NTLM are not exposed in BIG-IP standard
monitors. Custom EAV monitors, using cURL and NTLM, may be prone to this
vulnerability.
Note: As of February 17, 2015, AskF5 Security Advisory articles include the
Severity value. Security Advisory articles published before this date do not
list a Severity value.
Recommended Action
If the previous table lists a version in the Versions known to be not
vulnerable column, you can eliminate this vulnerability by upgrading to the
listed version. If the listed version is older than the version you are
currently running, or if the table does not list any version in the column,
then no upgrade candidate currently exists.
F5 responds to vulnerabilities in accordance with the Severity values
published in the previous table. The Severity values and other security
vulnerability parameters are defined in SOL4602: Overview of the F5 security
vulnerability response policy.
ARX
If the previous table lists a version in the Versions known to be not
vulnerable column, you can eliminate this vulnerability by upgrading to the
listed version. If the table does not list any version in the column, then no
upgrade candidate currently exists.
To mitigate this vulnerability, do not enable the API functionality.
Supplemental Information
SOL9970: Subscribing to email notifications regarding F5 products
SOL9957: Creating a custom RSS feed to view new and updated documents
SOL4918: Overview of the F5 critical issue hotfix policy
SOL167: Downloading software and firmware from F5
SOL13123: Managing BIG-IP product hotfixes (11.x)
- -------------------------------------------------------------------------------
sol16707: cURL and libcurl vulnerability CVE-2015-3148
Security Advisory
Original Publication Date: 05/29/2015
Updated Date: 05/29/2015
Description
cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use authenticated
Negotiate connections, which allows remote attackers to connect as other users
via a request. (CVE-2015-3148)
Impact
Remote attackers may be able to re-use Negotiate connections as other users by
way of an unauthenticated request.
Status
F5 Product Development has assigned ID 521025 (BIG-IP), 525349 (BIG-IQ),
525350 (Enterprise Manager), and ID 476510 (ARX), to this vulnerability, and
has evaluated the currently supported releases for potential vulnerability.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:
Product Versions known to be vulnerable Versions known to be not vulnerable Severity Vulnerable component or feature
BIG-IP LTM 11.0.0 - 11.6.0
10.0.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP AAM 11.4.0 - 11.6.0 None Low cURL and libcurl*
BIG-IP AFM 11.3.0 - 11.6.0 None Low cURL and libcurl*
BIG-IP
Analytics 11.0.0 - 11.6.0 None Low cURL and libcurl*
BIG-IP APM 11.0.0 - 11.6.0
10.1.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP ASM 11.0.0 - 11.6.0
10.0.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP Edge
Gateway 11.0.0 - 11.3.0
10.1.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP GTM 11.0.0 - 11.6.0
10.0.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP Link
Controller 11.0.0 - 11.6.0
10.0.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP PEM 11.3.0 - 11.6.0 None Low cURL and libcurl*
BIG-IP PSM 11.0.0 - 11.4.1
10.0.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP
WebAccelerator 11.0.0 - 11.3.0
10.0.0 - 10.2.4 None Low cURL and libcurl*
BIG-IP WOM 11.0.0 - 11.3.0
10.0.0 - 10.2.4 None Low cURL and libcurl*
ARX 6.0.0 - 6.4.0 None Low cURL and libcurl
Enterprise
Manager 3.0.0 - 3.1.1
2.1.0 - 2.3.0 None Low cURL and libcurl
FirePass None 7.0.0 6.0.0 - 6.1.0 Not vulnerable None
BIG-IQ Cloud 4.0.0 - 4.5.0 None Low cURL and libcurl
BIG-IQ Device 4.2.0 - 4.5.0 None Low cURL and libcurl
BIG-IQ Security 4.0.0 - 4.5.0 None Low cURL and libcurl
BIG-IQ ADC 4.5.0 None Low cURL and libcurl
*Note: The cURL libraries and use of NTLM are not exposed in BIG-IP standard
monitors. Custom EAV monitors using cURL and NTLM may be prone to this
vulnerability.
Note: As of February 17, 2015, AskF5 Security Advisory articles include the
Severity value. Security Advisory articles published before this date do not
list a Severity value.
Recommended Action
If the previous table lists a version in the Versions known to be not
vulnerable column, you can eliminate this vulnerability by upgrading to the
listed version. If the listed version is older than the version you are
currently running, or if the table does not list any version in the column,
then no upgrade candidate currently exists.
F5 responds to vulnerabilities in accordance with the Severity values
published in the previous table. The Severity values and other security
vulnerability parameters are defined in SOL4602: Overview of the F5 security
vulnerability response policy.
ARX
If the previous table lists a version in the Versions known to be not
vulnerable column, you can eliminate this vulnerability by upgrading to the
listed version. If the listed version is older than the version you are
currently running, or if the table does not list any version in the column,
then no upgrade candidate currently exists.
To mitigate this vulnerability, do not enable the API functionality.
Supplemental Information
SOL9970: Subscribing to email notifications regarding F5 products
SOL9957: Creating a custom RSS feed to view new and updated documents
SOL4918: Overview of the F5 critical issue hotfix policy
SOL167: Downloading software and firmware from F5
SOL13123: Managing BIG-IP product hotfixes (11.x)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVWugTRLndAQH1ShLAQJeHA/8DEEIhokrmYwnlWwEQyrogftHVv0n/Zmu
u4nN5u8dKXHO7kLqe1lDHPbJIAuPYPUCWm3/CI/GochdzW7zyEzVCbuMBRJODbDn
rF5ew1f4HcquiWMAE5Y7kKMf93WIcB509Mf4t1d6hI8FQq9X1Ko4UUvqxDvSplGW
5OEEZXj5T5l00Oy5RY6MTsdyg7U5N19095tCzqJkPuS6WZu38dRQrUCynxy4miZ8
g/BizAS2lJXT3cXUbD7AyyKeEvuQEFYphljLo0mi8R6Ik8U3cmXy/jZSVYnvSk+/
nhtNPd4Avh2voCzokDv9j12IXH+vOqakSl8V2AdBW87M9ivKI79VtLrCaN5yIjfe
AQPyMbkA79SFD29gKtzryySyd9T0fn4CwOCvBv6O7XeNVdFvjiX74qdHbnYA/BIQ
SH1fH+PcBNG+2/FGFFXwsRGC8bxHHR44/bXjECsd3379THmTc2Oxp/MWPRKXbGcL
PFhOJogXuf1f8ajZe4GqXZPERCvnXrxsQPv23us4sWKMUoC9s71uZIBrEsUtmE2S
WCkvcRXGte5zXKpB0JvPPDh5cSosg/Ybo5cPZ9+bC3yK6eQyIlRfHsZxy+eKNHBI
ihMHoPPyhPBDVtOMATAuCKv4bjuUayimuyOgonObtpdusCa3qzHBayqsxhbe1cs0
c8le2o9A0Yc=
=aNSD
-----END PGP SIGNATURE-----