===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0902
          SOL82679059: BIG-IP APM SSO vulnerability CVE-2016-3686
                               11 April 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP APM
                   F5 BIG-IP Edge Gateway
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3686  

Original Bulletin: 
   https://support.f5.com/kb/en-us/solutions/public/k/82/sol82679059.html

--------------------------BEGIN INCLUDED TEXT--------------------

SOL82679059: BIG-IP APM SSO vulnerability CVE-2016-3686

Security Advisory

Original Publication Date: 04/09/2016 (9 April 2016)

Vulnerability Description

Cleartext SessionID is visible in URL query parameters under some conditions 
(CVE-2016-3686 - reserved)

Impact

There is a theoretical risk of unauthorized access allowing a security breach.
Because the session identifier travels in the URL query string, it can be
retained in browser history, captured in proxy and web server access logs, and
disclosed to other sites through the Referer header; a party who obtains it from
any of those places could use it to access the SSO session.

Security Issue Status

F5 Product Development has assigned ID 522878 (BIG-IP and Enterprise Manager)
to this vulnerability, and has evaluated the currently supported releases for
potential vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product              Versions known to    Versions known to     Severity  Vulnerable
                     be vulnerable        be not vulnerable               component
                                                                          or feature

BIG-IP APM           11.0.0 - 11.6.0      12.0.0                Low       SSO
                                          11.6.0 HF6
                                          10.1.0 - 10.2.4

BIG-IP Edge Gateway  11.0.0 - 11.3.0      10.1.0 - 10.2.4       Low       SSO


Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable 
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a 
non-vulnerable version, then no upgrade candidate currently exists. This is the
case for BIG-IP Edge Gateway, for which only the 10.1.0 - 10.2.4 releases are
listed as not vulnerable; affected Edge Gateway systems must rely on the iRule
workaround below.

F5 responds to vulnerabilities in accordance with the Severity values 
published in the previous table. The Severity values and other security 
vulnerability parameters are defined in SOL4602: Overview of the F5 security 
vulnerability response policy.

To mitigate this vulnerability, you can create and apply an iRule to the 
affected BIG-IP APM virtual server. The iRule below rewrites the SSO redirect on
the way out, replacing the cleartext F5SSO_SID value in the Location header with
a SHA-512 hash of it and recording the hash-to-session-ID mapping in a session
subtable, then restores the real value when the browser follows the redirect
back to the F5Networks-SSO-Resp URI, so the cleartext session ID never appears
in the URL the client sees. To do so, perform the following procedure:

Impact of action: The impact of the suggested workaround depends on the 
specific environment. F5 recommends testing changes during a maintenance 
window, with consideration to the possible impact on your specific 
environment. Note also that the iRule as written logs the cleartext session ID
to the LTM log through its log local0. statements, stores each
hash-to-session-ID entry with an indefinite timeout and lifetime so the table is
never pruned, and ends with host-based routing to internal virtual servers whose
host and virtual server names are placeholders that must be adapted to your
configuration.

1. Log in to the Configuration utility.

2. Navigate to Local Traffic > iRules > Create.

3. In the Name box, type a name for the iRule.

For example:

sessionid_obfuscation

4. In the Definition box, type the following text:

when HTTP_RESPONSE_RELEASE {
    if { [HTTP::is_redirect] } {
        log local0. "Redirect detected with Location header: [HTTP::header Location]"
        set loc [HTTP::header Location]
        if { $loc contains "F5SSO_SID=" } {
            # Replace the cleartext F5SSO_SID value in the Location header with a hash.
            # Note: this takes everything after the last "F5SSO_SID=" up to the end of
            # the header, so any query parameters that follow it become part of the value.
            set F5_sid [string range $loc [expr {[string last "F5SSO_SID=" $loc] + [string length "F5SSO_SID="]}] end]
            # Debug logging: this and the later log lines write the cleartext session ID
            # to /var/log/ltm. Disable them outside of troubleshooting.
            log local0. "F5_sid: $F5_sid"
            set shasid [URI::encode [b64encode [sha512 $F5_sid]]]
            # Store hash -> session ID in the "sha" subtable so HTTP_REQUEST can reverse
            # the substitution. Timeout and lifetime are both indefinite, so entries are
            # never expired; a finite timeout sized to the SSO exchange is advisable.
            table add -subtable "sha" $shasid $F5_sid indefinite indefinite
            log local0. "adding sessionID $F5_sid to sha subtable with value $shasid"
            set newloc [string map [list $F5_sid $shasid] $loc]
            log local0. "Location after obfuscation: $newloc"
            HTTP::header replace Location $newloc
            unset loc newloc
        }
    }
}

when HTTP_REQUEST {
    log local0. "received [HTTP::method] [HTTP::host] [HTTP::uri]"
    if { [HTTP::uri] contains "F5Networks-SSO-Resp" && [HTTP::uri] contains "F5SSO_SID=" } {
        # Switch the F5SSO_SID value back from the hash to the real session ID
        log local0. "[HTTP::uri] contains F5Networks-SSO-Resp"
        set newuri2 [HTTP::uri]
        set F5_hash_b64 [string range $newuri2 [expr {[string first "F5SSO_SID=" $newuri2] + [string length "F5SSO_SID="]}] end]
        log local0. "F5SSO_SID value in base64 is: $F5_hash_b64"
        set lookup_sid [table lookup -subtable "sha" $F5_hash_b64]
        log local0. "lookup_sid is: $lookup_sid"
        if { $lookup_sid ne "" } {
            set newuri2 [string map [list $F5_hash_b64 $lookup_sid] $newuri2]
            HTTP::uri $newuri2
            log local0. "URI with SID: $newuri2"
        } else {
            # No table entry (unknown hash, or one added on another device): leave the
            # URI alone rather than forwarding a request with an empty F5SSO_SID value.
            log local0. "no session ID found for hash $F5_hash_b64"
        }
        unset newuri2 lookup_sid F5_hash_b64
    }

    # Route traffic to the internal APM virtual server by host name. The host names
    # and virtual server names below are placeholders; replace them with your own.
    if { [HTTP::host] == "www.primaryauth.com" } {
        use virtual VS_internal_primaryauth
    } elseif { [HTTP::host] == "www.site.com" } {
        use virtual VS_internal_site1
    }
}

5. Click Finished.

6. Click Virtual Servers.

7. Click the name of the virtual server that is affected by this issue.

8. Click the Resources tab.

9. In the iRules section, click Manage.

10. From the Available column, select the iRule you previously created.

11. Click the << button.

The iRule moves to the Enabled column.

12. Click Finished.
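The following Python model of the iRule's two halves is an added example written
for this bulletin, not F5 code, so the rewrite logic can be exercised off the
box before an iRule is deployed. It reproduces the token derivation (SHA-512,
then base64, then percent-encoding; the assumption is that URI::encode escapes
the '+', '/' and '=' characters base64 emits, as quote(safe="") does here) and
goes beyond the iRule in three places: the token-to-session-ID table expires
entries after a finite TTL instead of keeping them indefinitely, the parameter
value stops at the next '&' rather than running to the end of the string, and an
unknown token makes restore_uri return None so the caller can reject the request
instead of forwarding an empty F5SSO_SID. The sample redirect URL and session ID
are constructed; the real format of the APM SSO redirect is not shown in the
advisory.

```python
"""Model of the SOL82679059 iRule workaround (added example, not F5 code):
hide the cleartext F5SSO_SID in the SSO redirect behind an opaque token and
map it back when the browser follows the redirect."""
import base64
import hashlib
import time
from typing import Optional
from urllib.parse import quote

SID_PARAM = "F5SSO_SID="            # query parameter carrying the APM SSO session ID
RESP_MARKER = "F5Networks-SSO-Resp"  # URI fragment the iRule keys on for the return leg


def token_for(sid: str) -> str:
    """Derive the token the same way the iRule does:
    URI::encode(b64encode(sha512(sid))). Assumption: URI::encode escapes the
    '+', '/' and '=' that base64 emits, as quote(safe="") does here."""
    digest = hashlib.sha512(sid.encode("utf-8")).digest()
    return quote(base64.b64encode(digest).decode("ascii"), safe="")


def _param_value(s: str, start: int) -> str:
    """Query parameter value beginning at index start, ending at the next '&'.
    The iRule takes everything to the end of the string instead, which
    swallows any parameters that follow F5SSO_SID."""
    end = s.find("&", start)
    return s[start:] if end == -1 else s[start:end]


class SidTable:
    """Stand-in for the iRule's 'sha' subtable (token -> session ID).
    Entries expire after ttl seconds; the iRule stores them with an
    indefinite timeout and lifetime, so its table only ever grows."""

    def __init__(self, ttl: float = 300.0) -> None:
        self.ttl = ttl
        self._rows = {}  # token -> (session ID, expiry timestamp)

    def add(self, token: str, sid: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._rows[token] = (sid, now + self.ttl)

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        row = self._rows.get(token)
        if row is None or row[1] < now:
            self._rows.pop(token, None)  # drop expired entries on access
            return None
        return row[0]


def obfuscate_location(location: str, table: SidTable) -> str:
    """Response leg (HTTP_RESPONSE_RELEASE in the iRule): swap the cleartext
    SID in a redirect's Location header for its token and record the mapping.
    Headers without F5SSO_SID= pass through unchanged."""
    pos = location.rfind(SID_PARAM)
    if pos == -1:
        return location
    start = pos + len(SID_PARAM)
    sid = _param_value(location, start)
    if not sid:
        return location
    token = token_for(sid)
    table.add(token, sid)
    return location[:start] + token + location[start + len(sid):]


def restore_uri(uri: str, table: SidTable) -> Optional[str]:
    """Request leg (HTTP_REQUEST in the iRule): put the real SID back before
    the request reaches the internal APM virtual server. Returns None when
    the token is unknown (expired, never issued, or issued by another device)
    so the caller can reject the request; the iRule as written would forward
    a request whose F5SSO_SID value is empty in that case."""
    if RESP_MARKER not in uri:
        return uri
    pos = uri.find(SID_PARAM)
    if pos == -1:
        return uri
    start = pos + len(SID_PARAM)
    token = _param_value(uri, start)
    sid = table.lookup(token)
    if sid is None:
        return None
    return uri[:start] + sid + uri[start + len(token):]


if __name__ == "__main__":
    # Constructed sample: the real APM SSO redirect format is not shown in the advisory.
    table = SidTable()
    redirect = "https://www.site.com/F5Networks-SSO-Resp?F5SSO_SID=a1b2c3d4&next=%2Fhome"
    hidden = obfuscate_location(redirect, table)
    print("client sees:", hidden)
    print("APM sees:   ", restore_uri(hidden[len("https://www.site.com"):], table))
    print("unknown token ->", restore_uri("/F5Networks-SSO-Resp?F5SSO_SID=bogus", table))
```

Because the token is a percent-encoded string, the request-side lookup keys on
the URI exactly as the browser sends it, which is why the table key is stored in
its encoded form on the response side rather than as raw base64.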

Supplemental Information

SOL9970: Subscribing to email notifications regarding F5 products

SOL9957: Creating a custom RSS feed to view new and updated documents

SOL4602: Overview of the F5 security vulnerability response policy

SOL4918: Overview of the F5 critical issue hotfix policy

SOL167: Downloading software and firmware from F5

SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)

SOL10025: Managing BIG-IP product hotfixes (10.x)

SOL9502: BIG-IP hotfix matrix

SOL15106: Managing BIG-IQ product hotfixes

SOL15113: BIG-IQ hotfix matrix

SOL10322: FirePass hotfix matrix

SOL12766: ARX hotfix matrix

SOL3430: Installing FirePass hotfixes

SOL6664: Obtaining and installing OPSWAT hotfixes

SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================