-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.3006
               BIG-IP TMM iRules vulnerability CVE-2016-5024
                             16 December 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5024  

Original Bulletin: 
   http://support.f5.com/kb/en-us/solutions/public/k/92/sol92859602.html

- --------------------------BEGIN INCLUDED TEXT--------------------

K92859602: BIG-IP TMM iRules vulnerability CVE-2016-5024

Security Advisory

Original Publication Date: Dec 16, 2016

Updated Date: Dec 16, 2016

Applies to (see versions):

Vulnerability Description

On a BIG-IP LTM with a virtual server configured to parse RADIUS messages via
an iRule, a remote attacker may be able to cause TMM to restart using 
malicious network traffic. (CVE-2016-5024)

Impact

On a BIG-IP system that is configured for high-availability, this 
vulnerability would result in a failover event and may temporarily disrupt 
services. Where no failover device is available, traffic would be disrupted 
until the Traffic Management Microkernel (TMM) process has restarted.

Security Issue Status

F5 Product Development has assigned ID 593447 (BIG-IP) to this vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product 		Versions known to be 	Versions known to be not	Severity 	Vulnerable component or 
			vulnerable  		vulnerable 			feature

BIG-IP LTM 		12.1.0 - 12.1.1		12.1.2				Medium 		Radius::AVP iRules
			11.6.1 			12.0.0
						11.6.1 HF1
						11.4.0 - 11.6.0
						11.2.1
						10.2.1 - 10.2.4 

BIG-IP AAM 		12.1.0 - 12.1.1		12.1.2				Medium 		Radius::AVP iRules
			11.6.1 			12.0.0
						11.6.1 HF1
						11.4.0 - 11.6.0 

BIG-IP AFM 		12.1.0 - 12.1.1		12.1.2				Medium 		Radius::AVP iRules
			11.6.1 			12.0.0
			11.6.1 HF1
			11.4.0 - 11.6.0 M

BIG-IP Analytics 	12.1.0 - 12.1.1		12.1.2				Medium 		Radius::AVP iRules
			11.6.1 			12.0.0
						11.6.1 HF1
						11.4.0 - 11.6.0
						11.2.1 

BIG-IP APM 		12.1.0 - 12.1.1		12.1.2				Medium 		Radius::AVP iRules
			11.6.1 			12.0.0
						11.6.1 HF1
						11.4.0 - 11.6.0
						11.2.1
						10.2.1 - 10.2.4 

BIG-IP ASM 		12.1.0 - 12.1.1		12.1.2				Medium 		Radius::AVP iRules

			11.6.1 			12.0.0
						11.6.1 HF1
						11.4.0 - 11.6.0
						11.2.1
						10.2.1 - 10.2.4 

BIG-IP DNS 		12.1.0 - 12.1.1 	12.1.2				Medium 		Radius::AVP iRules
						12.0.0 

BIG-IP Edge Gateway 	None 			11.2.1				Not 		None
						10.2.1 - 10.2.4 		vulnerable 
			
BIG-IP GTM 		11.6.1 			11.6.1 HF1			Medium 		Radius::AVP iRules
						11.4.0 - 11.6.0
						11.2.1
						10.2.1 - 10.2.4 

BIG-IP Link Controller 	12.1.0 - 12.1.1		12.1.2				Medium 		Radius::AVP iRules
			11.6.1 			12.0.0
						11.6.1 HF1
						11.4.0 - 11.6.0
						11.2.1
						10.2.1 - 10.2.4 

BIG-IP PEM 		12.1.0 - 12.1.1		12.1.2				edium 		Radius::AVP iRules
			11.6.1 			12.0.0
						11.6.1 HF1
						11.4.0 - 11.6.0
						None M

BIG-IP PSM 		None 			11.4.0 - 11.4.1			Not vulnerable 	None
						10.2.1 - 10.2.4 

BIG-IP WebAccelerator 	None 			11.2.1				Not vulnerable 	None
						10.2.1 - 10.2.4 

BIG-IP WOM 		None 			11.2.1	 			Not vulnerable 	None
						10.2.1 - 10.2.4

ARX 			None 			6.2.0 - 6.4.0 			Not vulnerable 	None

Enterprise Manager 	None 			3.1.1 				Not vulnerable 	None

FirePass 		None 			7.0.0 				Not vulnerable 	None

BIG-IQ Cloud 		None 			4.0.0 - 4.5.0 			Not vulnerable 	None

BIG-IQ Device 		None 			4.2.0 - 4.5.0 			Not vulnerable 	None

BIG-IQ Security 	None 			4.0.0 - 4.5.0 			Not vulnerable 	None

BIG-IQ ADC 		None 			4.5.0 				Not vulnerable 	None

BIG-IQ Centralized 	None 			5.0.0 				Not vulnerable 	None
Management 

BIG-IQ Cloud and	None 			1.0.0 				Not vulnerable 	None 
Orchestration 

F5 iWorkflow 		None 			2.0.0 				Not vulnerable 	None

LineRate 		None 			2.5.0 - 2.6.1 			Not vulnerable 	None

F5 MobileSafe 		None 			1.0.0 				Not vulnerable 	None

F5 WebSafe 		None 			1.0.0 				Not vulnerable 	None

Traffix SDC 		None 			5.0.0				Not vulnerable 	None
						4.0.0 - 4.4.0 

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable 
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a 
non-vulnerable version, then no upgrade candidate currently exists.

There is no mitigation available while using the RADIUS::AVP iRule command.

Supplemental Information

K9970: Subscribing to email notifications regarding F5 products

K9957: Creating a custom RSS feed to view new and updated documents

K4602: Overview of the F5 security vulnerability response policy

K4918: Overview of the F5 critical issue hotfix policy

K167: Downloading software and firmware from F5

K13123: Managing BIG-IP product hotfixes (11.x - 12.x)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWFOf44x+lLeg9Ub1AQiHLxAAiAFZThkvfztDgpzGS0nA4Nu4jS53BSd2
Q2TcviNwj0M8WGxiU8rhreOmAZcqM76xqnrYNA3j12WWO9YbbwOK5HZaHeRyJH/C
/mJCaD1jQ5SlSsR7x09rU+R+Vs9PfGLkbsfMjZRRXj6q5qVSQxhCh7OgJGbZhaSP
V0btjIbeSqItxii2fwCrMXCQFR5Vfnr8FJ+L/mc9xmvdTkzvp1h8VXkRlKhwu4nG
m8foep4efGZspNJxm3sTv/griVakk6UdSb9I4rDi1TpcfsLXh4ixgwlnRJafLes1
pbsHUpc3mskT/Txc8tBTNNp90GuQGHZXpPcxFF2sLLFpawXe1e9fM8liXifiS9sD
g9O8YK1is0JT4Hxj3y88LASvNlbhZ7zBHlTN+tLinyA3jYrw137nnYYCte+SRot1
AQOqqFbbZWBMseJRhONiwMb07a2GBUkQcNgop5WYbXfzROSgAoaw4tjHQUgFYg8q
kdAl62tlvZ3ufkFeX3gIhYELSm2gHUnykAAH5M2sj79pEVZUwupFkHbj3pZw5w4X
09gXvqVTuVa0RYXLa1ATW4IIOmPDp6XCxI0ywPup1wk9x3u1Az8RmO3ruuUhcv+4
z9aDp/kGu3QYRr/kMHZI5/PkSwnMMfMCatQcvWiDLPGNp0cVbnLIuVS+hPMdsUEM
2hmZgC6hrEc=
=O/KY
-----END PGP SIGNATURE-----