-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0902
          SOL82679059: BIG-IP APM SSO vulnerability CVE-2016-3686
                               11 April 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP APM
                   F5 BIG-IP Edge Gateway
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3686

Original Bulletin:
   https://support.f5.com/kb/en-us/solutions/public/k/82/sol82679059.html

- --------------------------BEGIN INCLUDED TEXT--------------------

SOL82679059: BIG-IP APM SSO vulnerability CVE-2016-3686

Security Advisory

Original Publication Date: 04/09/2016

Vulnerability Description

Under some conditions the cleartext SessionID is visible in a URL query
parameter (CVE-2016-3686 - reserved). The APM SSO redirect carries the
session ID as the F5SSO_SID query parameter of its Location header, so the
value can end up anywhere a URL is recorded: browser history, Referer headers,
and proxy or web server access logs.

Impact

There is a theoretical risk of unauthorized access allowing a security breach:
anyone who obtains the URL while the session is valid holds the session ID.

Security Issue Status

F5 Product Development has assigned ID 522878 (BIG-IP and Enterprise Manager)
to this vulnerability, and has evaluated the currently supported releases for
potential vulnerability.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

Product              Versions known      Versions known      Severity  Vulnerable
                     to be vulnerable    to be not           component
                                         vulnerable                    or feature

BIG-IP APM           11.0.0 - 11.6.0     12.0.0              Low       SSO
                                         11.6.0 HF6
                                         10.1.0 - 10.2.4

BIG-IP Edge Gateway  11.0.0 - 11.3.0     10.1.0 - 10.2.4     Low       SSO

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

F5 responds to vulnerabilities in accordance with the Severity values
published in the previous table. The Severity values and other security
vulnerability parameters are defined in SOL4602: Overview of the F5 security
vulnerability response policy.

To mitigate this vulnerability, you can create and apply an iRule to the
affected BIG-IP APM virtual server. The iRule intercepts the SSO redirect,
replaces the cleartext F5SSO_SID value in the Location header with a
URL-encoded base64 SHA-512 hash of it, records the hash-to-session-ID pair in
the "sha" subtable of the session table, and, when the client follows the
redirect to the F5Networks-SSO-Resp URI, looks the hash up and restores the
real session ID before the request is forwarded to the internal APM virtual
server. Only the hash is visible in the URL. To do so, perform the following
procedure:

Impact of action: The impact of the suggested workaround depends on the
specific environment. F5 recommends testing changes during a maintenance
window, with consideration to the possible impact on your specific
environment. Three points to check before deploying the iRule as written:

  - Every log local0. statement below writes the cleartext session ID to the
    LTM log (/var/log/ltm), so the workaround moves the session ID from the
    URL into the log. Remove or comment out those statements once the iRule
    has been validated.
  - The table entries are added with an indefinite timeout and lifetime. They
    never expire, so the subtable grows with the number of SSO redirects for
    the life of the system; consider a finite timeout once you have confirmed
    how quickly the SSO response leg follows the redirect.
  - The HTTP_REQUEST event does not check that the lookup succeeded. A request
    on the F5Networks-SSO-Resp URI whose hash is not in the table is forwarded
    with an empty F5SSO_SID value, so SSO fails closed for that request rather
    than silently succeeding.

The host names www.primaryauth.com and www.site.com and the virtual servers
VS_internal_primaryauth and VS_internal_site1 in the HTTP_REQUEST event are
placeholders; replace them with the external host names and internal APM
virtual servers of your own deployment.

 1. Log in to the Configuration utility.
 2. Navigate to Local Traffic > iRules > Create.
 3. In the Name box, type a name for the iRule. For example:

    sessionid_obfuscation

 4. In the Definition box, type the following text:

    when HTTP_RESPONSE_RELEASE {
        if { [HTTP::is_redirect] } {
            log local0. "Redirect detected with Location header: [HTTP::header Location]"
            set loc [HTTP::header Location]
            if { $loc contains "F5SSO_SID" } {
                # Using F5SSO_SID hashed value inside Location header
                # (offset 10 skips the 9 characters of "F5SSO_SID" and the "=")
                set F5_sid [string range $loc [expr {[string last "F5SSO_SID" $loc] + 10}] [string length $loc]]
                log local0. "F5_sid: $F5_sid"
                set shasid [URI::encode [b64encode [sha512 $F5_sid]]]
                # we create one subtable to access the hash from the sessionid
                table add -subtable "sha" $shasid $F5_sid indefinite indefinite
                log local0. "adding sessionID $F5_sid to sha subtable with value $shasid"
                set newloc [string map [list $F5_sid $shasid] $loc]
                log local0. "Location after obfuscation: $newloc"
                HTTP::header replace Location $newloc
                unset loc
                unset newloc
            }
        }
    }

    when HTTP_REQUEST {
        log local0. "received [HTTP::method] [HTTP::host] [HTTP::uri]"
        if { [HTTP::uri] contains "F5Networks-SSO-Resp" } {
            # Switch F5SSO_SID value back from hash to real value
            log local0. "[HTTP::uri] contains F5Networks-SSO-Resp"
            set newuri2 [HTTP::uri]
            set F5_hash_b64 [string range $newuri2 [expr {[string first "F5SSO_SID=" $newuri2] + [string length "F5SSO_SID="]}] [string length $newuri2]]
            log local0. "F5SSO_SID value in base64 is: $F5_hash_b64"
            set lookup_sid [table lookup -subtable "sha" $F5_hash_b64]
            log local0. "lookup_sid is: $lookup_sid"
            set newuri2 [string map [list $F5_hash_b64 $lookup_sid] [HTTP::uri]]
            HTTP::uri $newuri2
            log local0. "URI with SID: $newuri2"
            unset newuri2
            unset lookup_sid
            unset F5_hash_b64
        }
        # route traffic to internal APM VS accordingly
        if { [HTTP::host] == "www.primaryauth.com" } {
            use virtual VS_internal_primaryauth
        } elseif { [HTTP::host] == "www.site.com" } {
            use virtual VS_internal_site1
        }
    }

 5. Click Finished.
 6. Click Virtual Servers.
 7. Click the name of the virtual server that is affected by this issue.
 8. Click the Resources tab.
 9. In the iRules section, click Manage.
10. From the Available column, select the iRule you previously created.
11. Click the << button.
    The iRule moves to the Enabled column.

12. Click Finished.

Supplemental Information

SOL9970: Subscribing to email notifications regarding F5 products
SOL9957: Creating a custom RSS feed to view new and updated documents
SOL4602: Overview of the F5 security vulnerability response policy
SOL4918: Overview of the F5 critical issue hotfix policy
SOL167: Downloading software and firmware from F5
SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
SOL10025: Managing BIG-IP product hotfixes (10.x)
SOL9502: BIG-IP hotfix matrix
SOL15106: Managing BIG-IQ product hotfixes
SOL15113: BIG-IQ hotfix matrix
SOL10322: FirePass hotfix matrix
SOL12766: ARX hotfix matrix
SOL3430: Installing FirePass hotfixes
SOL6664: Obtaining and installing OPSWAT hotfixes
SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVwr60H6ZAP0PgtI9AQKFGQ/9G/4I669lEI8Uz1nak8IPmExM3lnL5mfR
xgeDVg3gFPcBXspp64464K36N4onOofzU8wXztSsgTec0Bo4KPDrXrYZw8iy7Gmp
UqFwsD+5enrx8aBzXgxow2AxX2IXOF7Ul0rj1PhYIArQcwE0whpAhsWzpQq0RF3j
dZUOZNudnLklgp06PIccfHnkHnqdb/VlA4F8zO/yq6VD782y3yHWrvBHx6/hE0Rf
6dQtSgHxi41EbUqFmOlsIx7s/TUjoV9XrYV5msjc8WS0+HV3f3s+4sPlgqnIlrPE
koHqP0BagIAQuyGTwj2e02FyUVss+7wAFq8h6ekfURNxYFPFdgWTNFn/TTq8aJEY
qJJl8z+aPDwyuY4jN6Sxx0RxhkdT5eDgoueRcUfOFUjXabkwDczQShMMRQAlqYDx
AQWz+E+J1e74hG5QaZM1Aj1Leh5H/2qJgrmTawABrlj0W71IEO5Sj0tgNDb87YMr
xP8gw1c0j3boLP0WEkgymnqjwsQMgMoUQrYFrC14CDKZQV8Y7hkkDsrXS83owKlk
CnjBZUeasvWT2m9PzWdtGa8jxpB3Stw1Sdwl4nAUwRg4xMLhHstSAMRi9LhAe1lb
33s6OacJw4oZfKYT0RyxSQpUSV58HbAuoXmETAIgqW3xD8JddRHEP4NjYZAmsxHa
7mPwWd2ZEo4=
=hjGp
-----END PGP SIGNATURE-----
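Editor's note, outside the signed bulletin: the following is an offline model of the mitigation iRule in the advisory above, added as an example for checking the hash round trip without a BIG-IP. It is not F5's or AusCERT's code. The session ID, host name and URL shapes are constructed, and it assumes that F5's URI::encode percent-encodes every non-alphanumeric character (so the "+", "/" and "=" of the base64 digest become %2B, %2F and %3D). It goes one step beyond the iRule on the request leg: an F5Networks-SSO-Resp request whose hash is not in the table, or that carries no F5SSO_SID parameter, is left untouched and reported, where the iRule's string map would substitute the empty lookup result.

```python
"""Offline model of the SOL82679059 mitigation iRule (editor's example).

HTTP_RESPONSE_RELEASE half: swap the cleartext F5SSO_SID value in a
redirect's Location header for a URL-encoded base64 SHA-512 hash and
remember the (hash -> session ID) pair.  HTTP_REQUEST half: on the
F5Networks-SSO-Resp leg, look the hash up and restore the real session ID.
"""
from __future__ import annotations

import base64
import hashlib
from urllib.parse import quote, urlsplit

SID_PARAM = "F5SSO_SID="                 # parameter the iRule keys on
SSO_RESP_MARKER = "F5Networks-SSO-Resp"  # URI of the SSO response leg


def hash_sid(sid: str) -> str:
    """[URI::encode [b64encode [sha512 $F5_sid]]] as the iRule computes it.

    Assumption: F5's URI::encode percent-encodes every non-alphanumeric
    character, so the '+', '/' and '=' of base64 become %2B, %2F and %3D.
    """
    digest = hashlib.sha512(sid.encode("utf-8")).digest()
    return quote(base64.b64encode(digest).decode("ascii"), safe="")


class SidTable:
    """Stand-in for the iRule's "sha" subtable (table add / table lookup)."""

    def __init__(self) -> None:
        self._entries: dict[str, str] = {}

    def add(self, key: str, value: str) -> None:
        # The iRule adds with an indefinite timeout, so entries never expire.
        self._entries[key] = value

    def lookup(self, key: str) -> str:
        # Tcl "table lookup" returns the empty string for a missing key.
        return self._entries.get(key, "")

    def __len__(self) -> int:
        return len(self._entries)


def obfuscate_location(location: str, table: SidTable) -> str:
    """HTTP_RESPONSE_RELEASE half: hide the session ID in a redirect."""
    idx = location.rfind(SID_PARAM)      # iRule: [string last "F5SSO_SID"] + 10
    if idx < 0:
        return location
    sid = location[idx + len(SID_PARAM):]
    hashed = hash_sid(sid)
    table.add(hashed, sid)
    return location.replace(sid, hashed)


def restore_uri(uri: str, table: SidTable) -> tuple[str, bool]:
    """HTTP_REQUEST half: put the real session ID back on the SSO response leg.

    Returns (rewritten_uri, ok).  Deliberate departure from the iRule: a
    missing F5SSO_SID= parameter or an unknown hash leaves the URI alone and
    reports ok=False, where the iRule's "string map" would substitute the
    empty lookup result (an empty session ID, or a truncated URI when the
    parameter is absent altogether).
    """
    if SSO_RESP_MARKER not in uri:
        return uri, True                 # not the SSO leg; nothing to do
    idx = uri.find(SID_PARAM)
    if idx < 0:
        return uri, False
    hashed = uri[idx + len(SID_PARAM):]
    sid = table.lookup(hashed)
    if not sid:
        return uri, False                # hash never issued, or entry gone
    return uri.replace(hashed, sid), True


def round_trip(sid: str, host: str = "www.site.com") -> dict:
    """Drive both halves with a constructed redirect and its follow-up request."""
    table = SidTable()
    # Constructed sample with the shape of an APM SSO redirect; hypothetical host.
    location = f"https://{host}/{SSO_RESP_MARKER}?{SID_PARAM}{sid}"
    hidden = obfuscate_location(location, table)
    parts = urlsplit(hidden)
    request_uri = f"{parts.path}?{parts.query}"  # what the browser sends back
    restored, ok = restore_uri(request_uri, table)
    return {
        "hidden_location": hidden,
        "sid_exposed": sid in hidden,
        "request_uri": request_uri,
        "restored_uri": restored,
        "restored_ok": ok,
        "table_entries": len(table),
    }


if __name__ == "__main__":
    for key, value in round_trip("0123456789abcdef0123456789abcdef").items():
        print(f"{key}: {value}")
```

Run it as a script to see the rewritten Location, the request the browser would send and the restored URI. The model keeps the table in process memory only; on a real BIG-IP the "sha" subtable holds the cleartext session IDs for as long as the indefinite entries live, so the hash in the URL protects against URL exposure, not against anyone who can read the session table or the LTM log.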