Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1482
sol26738102: BIG-IP APM SSO vulnerability CVE-2016-3687
14 June 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: F5 BIG-IP APM
F5 BIG-IP Edge Gateway
Publisher: F5 Networks
Operating System: Virtualisation
Network Appliance
Impact/Access: Provide Misleading Information -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2016-3687
Original Bulletin:
https://support.f5.com/kb/en-us/solutions/public/k/26/sol26738102.html
- --------------------------BEGIN INCLUDED TEXT--------------------
sol26738102: BIG-IP APM SSO vulnerability CVE-2016-3687
Security Advisory
Original Publication Date: 06/13/2016
Vulnerability Description
** RESERVED ** This candidate has been reserved by an organization or
individual that will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided. (CVE-2016-3687)
Insufficient validation of the SSO_ORIG_URI parameter occurs when using
multi-domain single sign-on (SSO).
Impact
An attacker may be able to tamper with the URL used to redirect the user in a
multi-domain SSO environment by using BIG-IP APM. Systems that do not have the
BIG-IP APM module provisioned are not vulnerable.
Security Issue Status
F5 Product Development has assigned ID 526514 (BIG-IP) to this vulnerability.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:
Product Versions known to be vulnerable Versions known to be not vulnerable Severity Vulnerable component or feature
BIG-IP LTM None 12.0.0 - 12.1.0 Not vulnerable None
11.4.0 - 11.6.1
11.2.1
10.2.1 - 10.2.4
BIG-IP AAM None 12.0.0 - 12.1.0 Not vulnerable None
11.4.0 - 11.6.1
BIG-IP AFM None 12.0.0 - 12.1.0 Not vulnerable None
11.4.0 - 11.6.1
BIG-IP Analytics None 12.0.0 - 12.1.0 Not vulnerable None
11.4.0 - 11.6.1
11.2.1
BIG-IP APM 11.4.0 - 11.6.0 12.0.0 - 12.1.0 Medium Multi-domain SSO
11.2.1 11.6.1
11.6.0 HF6
10.2.1 - 10.2.4
BIG-IP ASM None 12.0.0 - 12.1.0 Not vulnerable None
11.4.0 - 11.6.1
11.2.1
10.2.1 - 10.2.4
BIG-IP DNS None 12.0.0 - 12.1.0 Not vulnerable None
BIG-IP Edge Gateway 11.2.1 10.2.1 - 10.2.4 Medium Multi-domain SSO
BIG-IP GTM None 11.4.0 - 11.6.1 Not vulnerable None
11.2.1
10.2.1 - 10.2.4
BIG-IP Link Controller None 12.0.0 - 12.1.0 Not vulnerable None
11.4.0 - 11.6.1
11.2.1
10.2.1 - 10.2.4
BIG-IP PEM None 12.0.0 - 12.1.0 Not vulnerable None
11.4.0 - 11.6.1
BIG-IP PSM None 11.4.0 - 11.4.1 Not vulnerable None
10.2.1 - 10.2.4
BIG-IP WebAccelerator None 11.2.1 Not vulnerable None
10.2.1 - 10.2.4
BIG-IP WOM None 11.2.1 Not vulnerable None
10.2.1 - 10.2.4
ARX None 6.2.0 - 6.4.0 Not vulnerable None
Enterprise Manager None 3.1.1 Not vulnerable None
FirePass None 7.0.0 Not vulnerable None
BIG-IQ Cloud None 4.0.0 - 4.5.0 Not vulnerable None
BIG-IQ Device None 4.2.0 - 4.5.0 Not vulnerable None
BIG-IQ Security None 4.0.0 - 4.5.0 Not vulnerable None
BIG-IQ ADC None 4.5.0 Not vulnerable None
BIG-IQ Centralized Management None 4.6.0 Not vulnerable None
BIG-IQ Cloud and Orchestration None 1.0.0 Not vulnerable None
LineRate None 2.5.0 - 2.6.1 Not vulnerable None
F5 MobileSafe None 1.0.0 Not vulnerable None
F5 WebSafe None 1.0.0 Not vulnerable None
Traffix SDC None 5.0.0 Not vulnerable None
4.0.0 - 4.4.0
Vulnerability Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.
F5 responds to vulnerabilities in accordance with the Severity values
published in the previous table. The Severity values and other security
vulnerability parameters are defined in SOL4602: Overview of the F5 security
vulnerability response policy.
To mitigate this vulnerability, you can use an iRule to verify the target URL
provided in the request. In the following procedure, the example iRule
verifies the value of the SSO_ORIG_URI parameter based on a target host that
you specify. After you determine an acceptable target host that is based on
your configuration, you must define the target host in the WHITELIST section
of the iRule. If the host in the request does not match the defined target
host, the request is discarded and the connection is closed. To configure the
iRule and associate it with a virtual server, perform the following procedure:
Note: The following example is configured to allow requests when the host
portion matches example.com. You must replace example.com in the WHITELIST
section with an acceptable target host, based on your configuration.
Impact of action: The following iRule generates logging which is purely
informational. The logging level can be reduced without affecting
functionality.
1. Log in to the Configuration utility.
2. Navigate to Local Traffic > iRules > Create.
3. In the Name box, type a name for the iRule.
For example:
multi_domain_sso_redirect
4. In the Definition box, enter the following text replacing example.com with
your target host:
when HTTP_REQUEST {
# Exit this event if the request isn't a GET
if {[HTTP::method] ne "GET"}{return}
# Exit this event if the request does not contain the SSO_ORIG_URI query parameter
set QUERY_URI [URI::query [HTTP::uri] SSO_ORIG_URI]
if {$QUERY_URI eq ""}{return}
# Track failures
set FAIL 0
# Decode the parameter
if {$FAIL == 0 and [catch {b64decode $QUERY_URI} DECODED_URI] != 0 or $DECODED_URI eq ""} {
log local0. [concat "Could not decode SSO_ORIG_URI: " $QUERY_URI]
set FAIL 1
}
# Parse and case-fold the host portion
if {$FAIL == 0 and [scan $DECODED_URI {%[^:/]://%[^/]} PROTO HOST] != 2} {
log local0. [concat "Could parse decoded URI: " $DECODED_URI]
set FAIL 1
}
set HOST [string tolower $HOST]
# WHITELIST Compare HOST to user defined target host(s).
if {$FAIL == 0 and $HOST ne "example.com"} {
log local0. [concat "Host did not match whitelist: " $HOST]
set FAIL 1
}
# Discard requests that set FAIL
if {$FAIL != 0} {
TCP::close
return
}
# Log success
log local0. [concat "SSO_ORIG_URI validated for host: " $HOST]
}
5. Click Finished.
6. Click Virtual Servers.
7. In the Name box, click the name of the affected virtual server.
8. Click the Resources tab.
9. In the iRules section, click Manage.
10. To move the iRule to the Enabled column, from the Available column, select
the iRule you previously created and then click the << button.
11. Click Finished.
Supplemental Information
SOL9970: Subscribing to email notifications regarding F5 products
SOL9957: Creating a custom RSS feed to view new and updated documents
SOL4918: Overview of the F5 critical issue hotfix policy
SOL167: Downloading software and firmware from F5
SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
SOL9502: BIG-IP hotfix matrix
SOL6664: Obtaining and installing OPSWAT hotfixes
SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV19skox+lLeg9Ub1AQhYrA/9G4jT5PlNr9Sqjb/6yonmqlVzSUOG2PJQ
dKYB9Mn9uBHdP8xZEiBL6hfazfsBA3hw/euOtBir5VrJoag0zjx61eoshxjW5FfF
+dZ+HP0HRF2pUcKl3lajaDraXQp3hnIdNpyYFdmMRV5INUjyX5PPsbLFdTaEc30u
XnxHpdcHTnexHA7PYSpP3g8wNb2vuKUF6/G8QnefOEPI7OLE5bVAIX1cdi8Bi9+A
tlHIaUDxnzJIsprZTAvstqIIxeRM/RupyLkb0QOfsgt8PxOndg+9zHiZSdFzrneR
AF+RX1NUONTcBfwZj0GC06HazM22hukWayHMsr/RbYfEnL79Sb2i5O6vHTNkVuaB
VNn2K9Xhz2N3NwF9hqKywMyoo8wrX4n1yE3BIER4FNqZGmQ3jFxd6TxKHe5LVEVP
r9YEP0CIF6V87kk0riry18V8q67yebN4ilvWxAzfuRjkzto4G5ys9/+NjuO5CkXV
9q/tKkZzICZ90IMCx68jFcrsS3zvbNfz+Bo+h2myrm6Jodv0iR3Rj5r9gi5uKU9C
pCNZXJjxNaRTDJCJ0BzSwicAL02kKyZMKMbrkprRJxZHKEggk8TdFs3jdiVQJw5D
obC6arhNBvuYCP1UQdhhXXhsET+4CdTyGrE3lp5KzslSag5gDEc+IEu2vDvng+4T
hD8e58fuWYE=
=AojU
-----END PGP SIGNATURE-----