-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3283
   A specifically crafted HTTP request may lead the BIG-IP system to pass
  malformed HTTP requests to a target pool member webserver (HTTP Desync
                                   Attack)
                              29 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin:
   https://support.f5.com/csp/article/K50375550

Comment: This is an HTTP request smuggling weakness with no current fix, only
         mitigation steps.

- --------------------------BEGIN INCLUDED TEXT--------------------

K50375550: A specifically crafted HTTP request may lead the BIG-IP system to
pass malformed HTTP requests to a target pool member webserver (HTTP Desync
Attack)

Security Advisory

Original Publication Date: 29 Aug, 2019

Security Advisory Description

A specifically crafted HTTP request that contains Content-Length and
Transfer-Encoding headers may lead the BIG-IP system to pass malformed HTTP
requests to a target pool member webserver. This issue occurs when the
following condition is met:

  o The malformed HTTP requests are processed by a virtual server configured
    with an HTTP profile.

The specific scenario described by this Advisory occurs when, and only when:

  o The client sends a series of specifically crafted, malformed HTTP
    requests that do not conform to HTTP RFCs (for example, RFC7230, RFC2616
    etc).
  o The target pool member webserver also accepts and processes these
    requests, despite their non-conformance to RFCs.
In this scenario, the vulnerable pool member webserver may interpret the
stream of requests differently to the BIG-IP system and may take unintended
actions based on the stream of requests.

Impact

The malformed HTTP requests may be passed to the pool member webserver and,
depending on the behavior of the pool member webserver, may allow an HTTP
Request Smuggling attack to take place against the pool member webserver.

Additionally, when the affected virtual server is configured with the
OneConnect profile, an attacker may be able to send specifically crafted
requests in a client-side TCP stream and impact the responses sent to a
legitimate client in another client-side TCP stream.

Symptoms

As a result of this issue, you may encounter one or more of the following
symptoms:

  o Depending on the client requests and HTTP RFC compliance of the target
    pool member webserver, the pool member webserver may interpret the client
    requests differently and perform unintended actions.
  o With OneConnect configured for the affected HTTP virtual server, a
    legitimate client may experience effects of an HTTP Request Smuggling
    attack.

Security Advisory Status

F5 Product Development has assigned ID 761185 to this issue.

F5 has confirmed that this issue exists in the products listed in the Applies
to (see versions) box, located in the upper-right corner of this article. For
information about releases, point releases, or hotfixes that resolve this
issue, refer to the following table.
+--------------------+-------------------+----------------+
|Type of fix         |Fixes introduced in|Related articles|
+--------------------+-------------------+----------------+
|Release             |None               |None            |
+--------------------+-------------------+----------------+
|Point release/hotfix|None               |None            |
+--------------------+-------------------+----------------+

Security Advisory Recommended Actions

Workaround

Depending on your BIG-IP configuration and features available, you may
consider using one of the following mitigation methods:

  o Modifying or disabling the OneConnect profile
  o Blocking malformed HTTP requests using BIG-IP ASM / Advanced WAF

Modifying or disabling the OneConnect profile

If the affected virtual server is configured with the OneConnect profile, you
should consider adjusting the Source Prefix Length or Source Mask (11.x)
setting of the OneConnect profile to prevent aggregation of HTTP requests from
separate client-side TCP streams into the same server-side connection.
Alternatively, you may consider disabling OneConnect for specific connections
using an iRule or removing it entirely on the affected virtual server if your
application environment permits. For information about using an iRule to
disable OneConnect, refer to the ONECONNECT iRule command on DevCentral.

Impact of workaround: Depending on your application environment, adjusting the
value of the Source Prefix Length or Source Mask setting of the OneConnect
profile may impact optimal connection re-use, while disabling OneConnect may
impact performance. For additional information, refer to K7208: Overview of
the OneConnect profile.

Performing these actions on the OneConnect profile prevents the HTTP requests
aggregation, thus mitigating the risk of an attacker interacting with a
legitimate client; however, it does not prevent the target pool member
webserver from being subjected to potential HTTP Request Smuggling attacks.
As a result, this may not be a complete mitigation and you may need to apply
HTTP RFC compliance checks using BIG-IP ASM / Advanced WAF (AWAF) in addition
to this step.

Blocking malformed HTTP requests using BIG-IP ASM / Advanced WAF

If the affected BIG-IP system is licensed and provisioned with BIG-IP ASM /
AWAF, you should consider configuring an appropriate BIG-IP ASM / AWAF
security policy to block malformed HTTP requests. To do so, ensure that you
have configured the following for your BIG-IP ASM / AWAF security policy:

Impact of workaround: Performing the following procedure should not have a
negative impact on your system.

 1. Ensure the HTTP protocol compliance failed violation is set to Block with
    the following subviolations enabled:

      o Several Content-Length headers
      o Chunked request with Content-Length header
      o Unparsable request content

    For more information about viewing and enabling these subviolations,
    refer to K10280: Overview of BIG-IP ASM HTTP protocol compliance.

 2. Ensure the following BIG-IP ASM / AWAF signatures are enabled:

      o HTTP Response Splitting (1)(Parameter), ID 200023001
      o HTTP Response Splitting (2)(Parameter), ID 200023002
      o HTTP Response Splitting (3)(Parameter), ID 200023003
      o HTTP Response Splitting (4)(Parameter), ID 200023004
      o Non-standard Transfer-Encoding header value, ID 200200002
        (BIG-IP ASM 11.x only)

    For information about working with attack signatures, refer to K12885:
    Working with BIG-IP ASM attack signatures.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.
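The ASM / AWAF protocol compliance subviolations listed in the included F5 text (several Content-Length headers, chunked request with Content-Length header, unparsable request content) and the non-standard Transfer-Encoding signature all target the same underlying condition: a request head whose body boundary can be computed differently by the front-end proxy and by the pool member. The following checker, added here as an illustration and not F5, AusCERT or BIG-IP code, parses a raw HTTP/1.1 request head and reports those conditions so an operator can see what the compliance checks are actually enforcing. The sample requests at the bottom are constructed for the example; the hostname and paths are placeholders. The check for Transfer-Encoding alongside Content-Length is slightly broader than ASM's subviolation name, since it fires for any Transfer-Encoding value, not only "chunked".

```python
"""Request framing ambiguity checker (added example, not vendor code).

Mirrors the HTTP protocol compliance subviolations named in K50375550 and
reports, per raw request, which framing rules it breaks.
"""
from typing import Dict, List, Tuple

# Transfer codings a compliant HTTP/1.1 parser recognises (RFC 7230 section 4).
STANDARD_TRANSFER_CODINGS = {"chunked", "compress", "deflate", "gzip", "identity"}


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request into its request line and (name, value) header pairs.

    Raises ValueError when the head cannot be parsed at all, which is the
    "Unparsable request content" case.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers (CRLFCRLF) found")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    if len(request_line.split(" ")) != 3:
        raise ValueError(f"malformed request line: {request_line!r}")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if b":" not in line:
            raise ValueError(f"header line without colon: {line!r}")
        name, value = line.split(b":", 1)
        headers.append((name.decode("latin-1").strip().lower(),
                        value.decode("latin-1").strip()))
    return request_line, headers


def check_framing(raw: bytes) -> List[str]:
    """Return the framing violations found in a raw request head.

    An empty list means the body length is unambiguously framed.
    """
    try:
        _request_line, headers = parse_head(raw)
    except ValueError as exc:
        return [f"Unparsable request content: {exc}"]

    violations: List[str] = []
    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]

    # Several Content-Length headers: repeated headers or one comma-separated
    # header both leave two candidate body lengths.
    cl_tokens = [t.strip() for v in cl_values for t in v.split(",")]
    if len(cl_tokens) > 1:
        violations.append("Several Content-Length headers")
    for tok in cl_tokens:
        if not tok.isdigit():
            violations.append(
                f"Unparsable request content: non-numeric Content-Length {tok!r}")

    # Chunked request with Content-Length header: RFC 7230 says Transfer-
    # Encoding wins, but a lenient backend may honour Content-Length instead.
    # Fires for any Transfer-Encoding value next to Content-Length.
    te_tokens = [t.strip().lower() for v in te_values for t in v.split(",")]
    if te_tokens and cl_tokens:
        violations.append("Chunked request with Content-Length header")

    # Non-standard Transfer-Encoding header value: an unrecognised coding may
    # be ignored by one hop and treated as chunked by another.
    for tok in te_tokens:
        if tok not in STANDARD_TRANSFER_CODINGS:
            violations.append(
                f"Non-standard Transfer-Encoding header value: {tok!r}")
    return violations


# Constructed sample requests (placeholder host and path, not real traffic).
SAMPLE_REQUESTS: Dict[str, bytes] = {
    "clean": (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
              b"Content-Length: 5\r\n\r\nq=abc"),
    "double_cl": (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nq=abc"),
    "cl_te": (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
              b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "odd_te": (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
               b"Transfer-Encoding: xchunked\r\n\r\n0\r\n\r\n"),
    "garbage": b"POST /search HTTP/1.1\r\nHost app.example\r\n\r\n",
}


def scan(requests: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run check_framing over a batch and return name -> violations."""
    return {name: check_framing(raw) for name, raw in requests.items()}


if __name__ == "__main__":
    for name, found in scan(SAMPLE_REQUESTS).items():
        print(f"{name:10s} -> {found or 'OK'}")
```

Only the "clean" sample passes; each of the others trips exactly the subviolation or signature the advisory tells you to enable, which is a quick way to confirm what a Block setting on "HTTP protocol compliance failed" will stop before it reaches a pool member.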
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXWdZp2aOgq3Tt24GAQi43g/+KDJlnmXthgdCTfXtL4tf7KfggM07P6Re
sE8YGcWXolo2KqeJ5LY43/yqfLHhKbPPiO8Hh8wFLrWaT5pdG7lci04GZBI7RNHm
p5i+Oo/NlfsFK5L65FX62PUR7ec+wfg41QL6EIubIJp3anPlGqBJi2AdT0jX1EsZ
HYvBeGyknRUfgeTje/nKooE2TdtSxuQQzanjLFCuAkIkip2gAMz+NVpVo+12+EgN
TIbJKljHvZuBybN0T18RoRBVF5xiacgLgzeC1HN2THOqcmJkjB1TYbL4l2P6vpZp
l0btV6TTfkG0oJziwEkeaHeMso2uQW4UD+vkQ/eUuscUlcWYnUgfIHjYlxqOdRqp
PU030Go87tETlfVXXea9bJNXEXLLHUDDdCJEoS6HZ7h5FDlglUr7Qtugt+lK4XxS
SMhIkDxAOy8WkcAtsayPylb6x2aEfD47ekiOpvlshJ5QtsY9QQ07thp5nNHUREhz
6sjj4fLwdnCYefsR6A+5ceSZFIDDzSdhx7WjUsI8WwelADa63inLzgJfbm3mwAl+
rWxEf5bsC6D9ePO6ThuBb7FIptIlO8UiGb/d8bMtqoje/E9tiqDjTVvyYeAducbF
hMK8t0G5/yKM36CTnavqFPTMv9kGpY4JQ+eYLk9YqOIU03lZxLyzgbzbzvvNwOJz
iRQ2EQ45x8o=
=ywlp
-----END PGP SIGNATURE-----