Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2016.1482 sol26738102: BIG-IP APM SSO vulnerability CVE-2016-3687 14 June 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: F5 BIG-IP APM F5 BIG-IP Edge Gateway Publisher: F5 Networks Operating System: Virtualisation Network Appliance Impact/Access: Provide Misleading Information -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2016-3687 Original Bulletin: https://support.f5.com/kb/en-us/solutions/public/k/26/sol26738102.html - --------------------------BEGIN INCLUDED TEXT-------------------- sol26738102: BIG-IP APM SSO vulnerability CVE-2016-3687 Security Advisory Original Publication Date: 06/13/2016 Vulnerability Description ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. (CVE-2016-3687) Insufficient validation of the SSO_ORIG_URI parameter occurs when using multi-domain single sign-on (SSO). Impact An attacker may be able to tamper with the URL used to redirect the user in a multi-domain SSO environment by using BIG-IP APM. Systems that do not have the BIG-IP APM module provisioned are not vulnerable. Security Issue Status F5 Product Development has assigned ID 526514 (BIG-IP) to this vulnerability. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table: Product Versions known to be vulnerable Versions known to be not vulnerable Severity Vulnerable component or feature BIG-IP LTM None 12.0.0 - 12.1.0 Not vulnerable None 11.4.0 - 11.6.1 11.2.1 10.2.1 - 10.2.4 BIG-IP AAM None 12.0.0 - 12.1.0 Not vulnerable None 11.4.0 - 11.6.1 BIG-IP AFM None 12.0.0 - 12.1.0 Not vulnerable None 11.4.0 - 11.6.1 BIG-IP Analytics None 12.0.0 - 12.1.0 Not vulnerable None 11.4.0 - 11.6.1 11.2.1 BIG-IP APM 11.4.0 - 11.6.0 12.0.0 - 12.1.0 Medium Multi-domain SSO 11.2.1 11.6.1 11.6.0 HF6 10.2.1 - 10.2.4 BIG-IP ASM None 12.0.0 - 12.1.0 Not vulnerable None 11.4.0 - 11.6.1 11.2.1 10.2.1 - 10.2.4 BIG-IP DNS None 12.0.0 - 12.1.0 Not vulnerable None BIG-IP Edge Gateway 11.2.1 10.2.1 - 10.2.4 Medium Multi-domain SSO BIG-IP GTM None 11.4.0 - 11.6.1 Not vulnerable None 11.2.1 10.2.1 - 10.2.4 BIG-IP Link Controller None 12.0.0 - 12.1.0 Not vulnerable None 11.4.0 - 11.6.1 11.2.1 10.2.1 - 10.2.4 BIG-IP PEM None 12.0.0 - 12.1.0 Not vulnerable None 11.4.0 - 11.6.1 BIG-IP PSM None 11.4.0 - 11.4.1 Not vulnerable None 10.2.1 - 10.2.4 BIG-IP WebAccelerator None 11.2.1 Not vulnerable None 10.2.1 - 10.2.4 BIG-IP WOM None 11.2.1 Not vulnerable None 10.2.1 - 10.2.4 ARX None 6.2.0 - 6.4.0 Not vulnerable None Enterprise Manager None 3.1.1 Not vulnerable None FirePass None 7.0.0 Not vulnerable None BIG-IQ Cloud None 4.0.0 - 4.5.0 Not vulnerable None BIG-IQ Device None 4.2.0 - 4.5.0 Not vulnerable None BIG-IQ Security None 4.0.0 - 4.5.0 Not vulnerable None BIG-IQ ADC None 4.5.0 Not vulnerable None BIG-IQ Centralized Management None 4.6.0 Not vulnerable None BIG-IQ Cloud and Orchestration None 1.0.0 Not vulnerable None LineRate None 2.5.0 - 2.6.1 Not vulnerable None F5 MobileSafe None 1.0.0 Not vulnerable None F5 WebSafe None 1.0.0 Not vulnerable None Traffix SDC None 5.0.0 Not vulnerable None 4.0.0 - 4.4.0 Vulnerability Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists. F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy. To mitigate this vulnerability, you can use an iRule to verify the target URL provided in the request. In the following procedure, the example iRule verifies the value of the SSO_ORIG_URI parameter based on a target host that you specify. After you determine an acceptable target host that is based on your configuration, you must define the target host in the WHITELIST section of the iRule. If the host in the request does not match the defined target host, the request is discarded and the connection is closed. To configure the iRule and associate it with a virtual server, perform the following procedure: Note: The following example is configured to allow requests when the host portion matches example.com. You must replace example.com in the WHITELIST section with an acceptable target host, based on your configuration. Impact of action: The following iRule generates logging which is purely informational. The logging level can be reduced without affecting functionality. 1. Log in to the Configuration utility. 2. Navigate to Local Traffic > iRules > Create. 3. In the Name box, type a name for the iRule. For example: multi_domain_sso_redirect 4. In the Definition box, enter the following text replacing example.com with your target host: when HTTP_REQUEST { # Exit this event if the request isn't a GET if {[HTTP::method] ne "GET"}{return} # Exit this event if the request does not contain the SSO_ORIG_URI query parameter set QUERY_URI [URI::query [HTTP::uri] SSO_ORIG_URI] if {$QUERY_URI eq ""}{return} # Track failures set FAIL 0 # Decode the parameter if {$FAIL == 0 and [catch {b64decode $QUERY_URI} DECODED_URI] != 0 or $DECODED_URI eq ""} { log local0. [concat "Could not decode SSO_ORIG_URI: " $QUERY_URI] set FAIL 1 } # Parse and case-fold the host portion if {$FAIL == 0 and [scan $DECODED_URI {%[^:/]://%[^/]} PROTO HOST] != 2} { log local0. [concat "Could parse decoded URI: " $DECODED_URI] set FAIL 1 } set HOST [string tolower $HOST] # WHITELIST Compare HOST to user defined target host(s). if {$FAIL == 0 and $HOST ne "example.com"} { log local0. [concat "Host did not match whitelist: " $HOST] set FAIL 1 } # Discard requests that set FAIL if {$FAIL != 0} { TCP::close return } # Log success log local0. [concat "SSO_ORIG_URI validated for host: " $HOST] } 5. Click Finished. 6. Click Virtual Servers. 7. In the Name box, click the name of the affected virtual server. 8. Click the Resources tab. 9. In the iRules section, click Manage. 10. To move the iRule to the Enabled column, from the Available column, select the iRule you previously created and then click the << button. 11. Click Finished. Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4918: Overview of the F5 critical issue hotfix policy SOL167: Downloading software and firmware from F5 SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x) SOL9502: BIG-IP hotfix matrix SOL6664: Obtaining and installing OPSWAT hotfixes SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBV19skox+lLeg9Ub1AQhYrA/9G4jT5PlNr9Sqjb/6yonmqlVzSUOG2PJQ dKYB9Mn9uBHdP8xZEiBL6hfazfsBA3hw/euOtBir5VrJoag0zjx61eoshxjW5FfF +dZ+HP0HRF2pUcKl3lajaDraXQp3hnIdNpyYFdmMRV5INUjyX5PPsbLFdTaEc30u XnxHpdcHTnexHA7PYSpP3g8wNb2vuKUF6/G8QnefOEPI7OLE5bVAIX1cdi8Bi9+A tlHIaUDxnzJIsprZTAvstqIIxeRM/RupyLkb0QOfsgt8PxOndg+9zHiZSdFzrneR AF+RX1NUONTcBfwZj0GC06HazM22hukWayHMsr/RbYfEnL79Sb2i5O6vHTNkVuaB VNn2K9Xhz2N3NwF9hqKywMyoo8wrX4n1yE3BIER4FNqZGmQ3jFxd6TxKHe5LVEVP r9YEP0CIF6V87kk0riry18V8q67yebN4ilvWxAzfuRjkzto4G5ys9/+NjuO5CkXV 9q/tKkZzICZ90IMCx68jFcrsS3zvbNfz+Bo+h2myrm6Jodv0iR3Rj5r9gi5uKU9C pCNZXJjxNaRTDJCJ0BzSwicAL02kKyZMKMbrkprRJxZHKEggk8TdFs3jdiVQJw5D obC6arhNBvuYCP1UQdhhXXhsET+4CdTyGrE3lp5KzslSag5gDEc+IEu2vDvng+4T hD8e58fuWYE= =AojU -----END PGP SIGNATURE-----