
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3283
  A specifically crafted HTTP request may lead the BIG-IP system to pass
         malformed HTTP requests to a target pool member webserver
                           (HTTP Desync Attack)
                              29 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin: 
   https://support.f5.com/csp/article/K50375550

Comment: This is an HTTP request smuggling weakness with no current fix,
         only mitigation steps.

- --------------------------BEGIN INCLUDED TEXT--------------------

K50375550: A specifically crafted HTTP request may lead the BIG-IP system to
pass malformed HTTP requests to a target pool member webserver (HTTP Desync Attack)

Security Advisory

Original Publication Date: 29 Aug, 2019

Security Advisory Description

A specifically crafted HTTP request that contains Content-Length and
Transfer-Encoding headers may lead the BIG-IP system to pass malformed HTTP
requests to a target pool member webserver.

This issue occurs when the following condition is met:

  o The malformed HTTP requests are processed by a virtual server configured
    with an HTTP profile.

The specific scenario described by this Advisory occurs when, and only when:

  o The client sends a series of specifically crafted, malformed HTTP requests
    that do not conform to the HTTP RFCs (for example, RFC 7230 and RFC 2616).
  o The target pool member webserver also accepts and processes these requests,
    despite their non-conformance to the RFCs.

In this scenario, the vulnerable pool member webserver may interpret the stream
of requests differently from the BIG-IP system and may take unintended actions
based on the stream of requests.

Impact

The malformed HTTP requests may be passed to the pool member
webserver and, depending on the behavior of the pool member webserver, may
allow an HTTP Request Smuggling attack to take place against the pool member
webserver. Additionally, when the affected virtual server is configured with
the OneConnect profile, an attacker may be able to send specifically crafted
requests in a client-side TCP stream and impact the responses sent to a
legitimate client in another client-side TCP stream.

Symptoms

As a result of this issue, you may encounter one or more of the following
symptoms:

  o Depending on the client requests and HTTP RFC compliance of the target pool
    member webserver, the pool member webserver may interpret the client
    requests differently and perform unintended actions.
  o With OneConnect configured for the affected HTTP virtual server, a
    legitimate client may experience effects of an HTTP Request Smuggling
    attack.

Security Advisory Status

F5 Product Development has assigned ID 761185 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+--------------------+-------------------+----------------+
|Type of fix         |Fixes introduced in|Related articles|
+--------------------+-------------------+----------------+
|Release             |None               |None            |
+--------------------+-------------------+----------------+
|Point release/hotfix|None               |None            |
+--------------------+-------------------+----------------+

Security Advisory Recommended Actions

Workaround

Depending on your BIG-IP configuration and features available, you may consider
using one of the following mitigation methods:

  o Modifying or disabling the OneConnect profile
  o Blocking malformed HTTP requests using BIG-IP ASM / Advanced WAF

Modifying or disabling the OneConnect profile

If the affected virtual server is configured with the OneConnect profile, you
should consider adjusting the Source Prefix Length or Source Mask (11.x)
setting of the OneConnect profile to prevent aggregation of HTTP requests from
separate client-side TCP streams into the same server-side connection.
Alternatively, you may consider disabling OneConnect for specific connections
using an iRule or removing it entirely on the affected virtual server if your
application environment permits. For information about using an iRule to
disable OneConnect, refer to the ONECONNECT iRule command on DevCentral.

Impact of workaround:  Depending on your application environment, adjusting the
value of the Source Prefix Length or Source Mask setting of the OneConnect
profile may impact optimal connection re-use, while disabling OneConnect may
impact performance. For additional information, refer to K7208: Overview of the
OneConnect profile.

Performing these actions on the OneConnect profile prevents the aggregation of
HTTP requests from separate client-side connections, thus mitigating the risk
of an attacker interacting with a legitimate client; however, it does not
prevent the target pool member webserver from being subjected to potential HTTP
Request Smuggling attacks. As a result, this may not be a complete mitigation,
and you may need to apply HTTP RFC compliance checks using BIG-IP ASM /
Advanced WAF (AWAF) in addition to this step.

Blocking malformed HTTP requests using BIG-IP ASM / Advanced WAF

If the affected BIG-IP system is licensed and provisioned with BIG-IP ASM /
AWAF, you should consider configuring an appropriate BIG-IP ASM / AWAF security
policy to block malformed HTTP requests. To do so, ensure that you have
configured the following for your BIG-IP ASM / AWAF security policy: 

Impact of workaround: Performing the following procedure should not have a
negative impact on your system.

 1. Ensure the HTTP protocol compliance failed violation is set to Block with
    the following subviolations enabled:
       Several Content-Length headers
       Chunked request with Content-Length header
       Unparsable request content

    For more information about viewing and enabling these subviolations, refer
    to K10280: Overview of BIG-IP ASM HTTP protocol compliance.

 2. Ensure the following BIG-IP ASM / AWAF signatures are enabled:
       HTTP Response Splitting (1)(Parameter), ID 200023001
       HTTP Response Splitting (2)(Parameter), ID 200023002
       HTTP Response Splitting (3)(Parameter), ID 200023003
       HTTP Response Splitting (4)(Parameter), ID 200023004
       Non-standard Transfer-Encoding header value, ID 200200002 (BIG-IP ASM
        11.x only)

    For information about working with attack signatures, refer to K12885:
    Working with BIG-IP ASM attack signatures.
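The framing checks behind the ASM subviolations and signature listed above, written out as an added Python example (not F5 code): it parses a request head and reports the RFC 7230 message-framing violations the advisory says to block. The sample request heads and the label strings are constructed for illustration.

```python
import re
from typing import List, Tuple

# Registered HTTP transfer codings (RFC 7230 section 4 / IANA registry).
STANDARD_CODINGS = {"chunked", "compress", "deflate", "gzip", "identity"}

def parse_head(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw request head into (lower-cased name, value) pairs.
    Only the head, up to the first blank line, is examined."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        # No colon, or obsolete line folding: treat as unparsable.
        if not line or ":" not in line or line[0] in " \t":
            raise ValueError(f"unparsable header line: {line!r}")
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers

def compliance_violations(raw: bytes) -> List[str]:
    """Return the message-framing violations in a request head, labelled
    like the BIG-IP ASM subviolations/signature named in the advisory."""
    try:
        headers = parse_head(raw)
    except ValueError:
        return ["Unparsable request content"]
    found = []
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    # RFC 7230 3.3.2: a message must not carry more than one Content-Length.
    if len(cl) > 1:
        found.append("Several Content-Length headers")
    # RFC 7230 3.3.2: Content-Length must be a non-negative decimal integer.
    if any(not re.fullmatch(r"[0-9]+", v) for v in cl):
        found.append("Unparsable request content")
    # RFC 7230 3.3.3: Transfer-Encoding and Content-Length must not both be
    # sent; a proxy and an origin server may frame the body differently if so.
    if te and cl:
        found.append("Chunked request with Content-Length header")
    # Every listed coding must be a registered one; an unknown coding is a sign
    # that an intermediary may ignore the header while the origin honours it.
    codings = [c.strip().lower() for v in te for c in v.split(",")]
    if any(c not in STANDARD_CODINGS for c in codings):
        found.append("Non-standard Transfer-Encoding header value")
    return found

# Constructed sample request heads (not taken from the advisory).
CLEAN = b"POST /search HTTP/1.1\r\nHost: app.example\r\nContent-Length: 9\r\n\r\n"
DESYNC = (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")
ODD_TE = b"POST /search HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: zip\r\n\r\n"
```

Running `compliance_violations` over each sample reports nothing for CLEAN and one violation each for DESYNC and ODD_TE; a request that trips none of these checks can still be smuggled only if the pool member itself parses non-compliant framing, which is why the advisory pairs this with the OneConnect changes.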

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================