-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2019.4496.4
                   Security fixes for F5 BIG-IP products
                             13 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-6673 CVE-2019-6672 CVE-2019-6671
                   CVE-2019-6669 CVE-2019-6667 CVE-2019-6666
                   CVE-2019-6665

Original Bulletin:
   https://support.f5.com/csp/article/K82781208
   https://support.f5.com/csp/article/K79240502
   https://support.f5.com/csp/article/K92411323
   https://support.f5.com/csp/article/K26462555
   https://support.f5.com/csp/article/K39794285
   https://support.f5.com/csp/article/K14703097
   https://support.f5.com/csp/article/K11447758
   https://support.f5.com/csp/article/K39225055
   https://support.f5.com/csp/article/K24241590
   https://support.f5.com/csp/article/K81557381

Revision History:  February 13 2020: Vendor updated advisory K11447758 with
                                     updated fix details
                   December 20 2019: Added updated K92411323
                   December 16 2019: Added updated K82781208
                   November 27 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K82781208: BIG-IP FIX profile vulnerability CVE-2019-6667

Security Advisory

Original Publication Date: 27 Nov, 2019
Latest Publication Date:   14 Dec, 2019

Security Advisory Description

On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.1.0-13.1.1.5,
12.1.0-12.1.4.1, and 11.5.1-11.6.5, under certain conditions, TMM may consume
excessive resources when processing traffic for a Virtual Server with the FIX
(Financial Information eXchange) profile applied.
(CVE-2019-6667)

Impact

This vulnerability may result in a denial-of-service (DoS) attack on the
affected BIG-IP system due to resource exhaustion. The affected BIG-IP system
temporarily will fail to process traffic as it recovers from a Traffic
Management Microkernel (TMM) restart, and devices configured in a device group
may fail over.

Security Advisory Status

F5 Product Development has assigned ID 758065 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.1.0    |          |      |          |
|                   |      |15.0.1    |15.0.1.1  |          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IP (LTM, AAM,  |14.x  |14.1.0    |14.1.0.6  |          |      |          |
|AFM, Analytics,    |      |14.0.0    |14.0.0.5  |          |      |          |
|APM, ASM, DNS, Edge+------+----------+----------+          |      |          |
|Gateway, FPS, GTM, |13.x  |13.1.0 -  |13.1.3    |High      |7.5   |FIX       |
|Link Controller,   |      |13.1.1    |          |          |      |profile   |
|PEM,               +------+----------+----------+          |      |          |
|WebAccelerator)    |12.x  |12.1.0 -  |12.1.5    |          |      |          |
|                   |      |12.1.4    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.5.1^2 -|11.6.5.1  |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |6.x   |None      |Not       |          |      |          |
|BIG-IQ Centralized |      |          |applicable|Not       |      |          |
|Management         +------+----------+----------+vulnerable|None  |None      |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow       |2.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|Not       |      |          |
|Traffix SDC        +------+----------+----------+vulnerable|None  |None      |
|                   |4.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

^2F5 will not be developing a fix for the 11.5.x software branches, and this
table will not be updated with subsequent vulnerable releases in these
branches. For more information, refer to K4602: Overview of the F5 security
vulnerability response policy.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

- --------------------------------------------------------------------------------

K79240502: BIG-IP ASM Bot Detection DNS cache does not expire security exposure

Original Publication Date: 27 Nov, 2019

Security Advisory Description

When BIG-IP ASM Bot Detection is configured, the BIG-IP ASM system performs a
reverse DNS lookup to determine if bot traffic classified as legitimate is, in
fact, from those services (for example, Google). These DNS responses are cached
indefinitely (until the Traffic Management Microkernel [TMM] or unit is
restarted) and do not expire. Therefore, if a malicious entity is able to
inject an invalid DNS response back to the BIG-IP system before the legitimate
DNS server responds, or the legitimate DNS response is corrupted in flight, the
invalid record will be cached indefinitely.

This issue occurs when all of the following conditions are met:

  o BIG-IP ASM Bot Detection is configured.
  o The BIG-IP ASM is configured to use an untrusted DNS resolver.
  o The BIG-IP ASM security policy is processing traffic.

Impact

If a malicious actor is able to inject invalid DNS responses, bots that would
normally be classified as legitimate may be classified as malicious, causing
Bot Detection to take action per the policy configuration against traffic that
would otherwise be allowed.

Symptoms

As a result of this issue, you may encounter one or more of the following
symptoms:

  o Invalid DNS responses are indefinitely cached by the BIG-IP ASM system.
  o Bots normally classified as legitimate may be classified as malicious.

Security Advisory Status

F5 Product Development has assigned ID 761231 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |13.1.3           |K2200: Most recent versions of F5       |
|                  |12.1.5           |software                                |
+------------------+-----------------+----------------------------------------+
|Point release/    |15.0.1.1         |K9502: BIG-IP hotfix and point release  |
|hotfix            |14.1.0.6         |matrix                                  |
|                  |14.0.0.5         |                                        |
+------------------+-----------------+----------------------------------------+

Security Advisory Recommended Actions

Mitigation

On fixed versions, cached DNS responses now expire and a malicious actor would
need to continually inject invalid responses to maintain disruption. The
default expiry time across all versions is 300 seconds. The expire time is
fixed and cannot be modified.

F5 recommends, as a best practice, that you use a trusted DNS server for
lookups (for example, one hosted within your own secure infrastructure) and
that you make queries only across a trusted, controlled network. Following this
practice will effectively mitigate the risk of a bad actor being able to inject
malicious DNS responses between the BIG-IP ASM system and the configured DNS
server.

- --------------------------------------------------------------------------------

K92411323: BIG-IP AAM vulnerability CVE-2019-6666

Security Advisory

Original Publication Date: 27 Nov, 2019
Latest Publication Date:   20 Dec, 2019

Security Advisory Description

The TMM process may produce a core file when an upstream server or cache sends
the BIG-IP system an invalid age header value. (CVE-2019-6666)

Impact

The BIG-IP system temporarily fails to process traffic as it recovers from a
Traffic Management Microkernel (TMM) restart, and devices configured in a
device group may fail over.

Security Advisory Status

F5 Product Development has assigned ID 753975 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.1.0    |          |      |          |
|                   |      |15.0.1    |15.0.1.1  |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |      |14.1.0    |14.1.2    |          |      |          |
|BIG-IP (LTM, AAM,  |14.x  |14.0.0    |14.1.0.6  |          |      |          |
|AFM, Analytics,    |      |          |14.0.0.5  |          |      |          |
|APM, ASM, DNS, Edge+------+----------+----------+          |      |AAM Ram   |
|Gateway, FPS, GTM, |13.x  |13.0.0 -  |13.1.1.5  |High      |7.5   |Cache     |
|Link Controller,   |      |13.1.1    |          |          |      |          |
|PEM,               +------+----------+----------+          |      |          |
|WebAccelerator)    |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |6.x   |None      |Not       |          |      |          |
|BIG-IQ Centralized |      |          |applicable|Not       |      |          |
|Management         +------+----------+----------+vulnerable|None  |None      |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow       |2.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|Not       |      |          |
|Traffix SDC        +------+----------+----------+vulnerable|None  |None      |
|                   |4.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------------------------------------------------------------

K26462555: BIG-IP ASM and BIG-IQ/Enterprise Manager/F5 iWorkflow device
authentication and trust vulnerability CVE-2019-6665

Original Publication Date: 27 Nov, 2019

Security Advisory Description

An attacker with access to the device communication between the BIG-IP ASM
Central Policy Builder and the BIG-IQ/Enterprise Manager/F5 iWorkflow will be
able to set up the proxy the same way and intercept the traffic.
(CVE-2019-6665)

Impact

BIG-IP ASM / BIG-IQ / Enterprise Manager / F5 iWorkflow

With access to the authentication token, the attacker will be able to
impersonate the BIG-IP ASM Central Policy Builder and send corrupted or
incorrect suggestion data to the BIG-IQ/Enterprise Manager/F5 iWorkflow. This
may lead to incorrect policy building suggestions or a partial
denial-of-service (DoS).

BIG-IP (LTM, AAM, AFM, Analytics, APM, DNS, Edge Gateway, GTM, Link Controller,
PEM, WebAccelerator, WebSafe) / Traffix SDC

There is no impact; these F5 products are not affected by this vulnerability.

Security Advisory Status

F5 Product Development has assigned ID 636400 (BIG-IP), ID 569250 (BIG-IQ), ID
693466 (Enterprise Manager), and ID 693474 (F5 iWorkflow) to this
vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table.

+---------------+------+----------+----------+----------+------+--------------+
|               |      |Versions  |Fixes     |          |CVSSv3|Vulnerable    |
|Product        |Branch|known to  |introduced|Severity  |score |component or  |
|               |      |be        |in        |          |      |feature       |
|               |      |vulnerable|          |          |      |              |
+---------------+------+----------+----------+----------+------+--------------+
|               |15.x  |15.0.0 -  |15.0.1.1  |          |      |              |
|               |      |15.0.1    |          |          |      |              |
|               +------+----------+----------+          |      |              |
|               |      |14.1.0 -  |          |          |      |              |
|               |14.x  |14.1.2    |14.1.2.1  |          |      |              |
|               |      |14.0.0 -  |14.0.1.1  |          |      |              |
|               |      |14.0.1    |          |          |      |Device        |
|BIG-IP ASM     +------+----------+----------+High      |7.7   |authentication|
|               |13.x  |13.1.0 -  |13.1.3.2  |          |      |/trust        |
|               |      |13.1.3.1  |          |          |      |              |
|               +------+----------+----------+          |      |              |
|               |12.x  |None      |Not       |          |      |              |
|               |      |          |applicable|          |      |              |
|               +------+----------+----------+          |      |              |
|               |11.x  |None      |Not       |          |      |              |
|               |      |          |applicable|          |      |              |
+---------------+------+----------+----------+----------+------+--------------+
|               |15.x  |None      |Not       |          |      |              |
|               |      |          |applicable|          |      |              |
|BIG-IP (LTM,   +------+----------+----------+          |      |              |
|AAM, AFM,      |14.x  |None      |Not       |          |      |              |
|Analytics, APM,|      |          |applicable|          |      |              |
|DNS, Edge      +------+----------+----------+          |      |              |
|Gateway,       |13.x  |None      |Not       |Not       |None  |None          |
|GTM, Link      |      |          |applicable|vulnerable|      |              |
|Controller,    +------+----------+----------+          |      |              |
|PEM,           |12.x  |None      |Not       |          |      |              |
|WebAccelerator,|      |          |applicable|          |      |              |
|WebSafe)       +------+----------+----------+          |      |              |
|               |11.x  |None      |Not       |          |      |              |
|               |      |          |applicable|          |      |              |
+---------------+------+----------+----------+----------+------+--------------+
|Enterprise     |      |          |          |          |      |Device        |
|Manager        |3.x   |3.1.1     |None      |High      |7.7   |authentication|
|               |      |          |          |          |      |/trust        |
+---------------+------+----------+----------+----------+------+--------------+
|               |7.x   |None      |Not       |          |      |              |
|               |      |          |applicable|          |      |              |
|BIG-IQ         +------+----------+----------+          |      |Device        |
|Centralized    |6.x   |6.0.0     |6.1.0     |High      |7.7   |authentication|
|Management     +------+----------+----------+          |      |/trust        |
|               |5.x   |5.2.0 -   |None      |          |      |              |
|               |      |5.4.0     |          |          |      |              |
+---------------+------+----------+----------+----------+------+--------------+
|               |      |          |          |          |      |Device        |
|F5 iWorkflow   |2.x   |2.3.0     |None      |High      |7.7   |authentication|
|               |      |          |          |          |      |/trust        |
+---------------+------+----------+----------+----------+------+--------------+
|Traffix SDC    |5.x   |None      |Not       |Not       |None  |None          |
|               |      |          |applicable|vulnerable|      |              |
+---------------+------+----------+----------+----------+------+--------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Note: For details about how Security Advisory articles are versioned, and what
versions are listed in the table, refer to K51812227: Understanding Security
Advisory versioning.

To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow
systems.

Mitigation

To mitigate this vulnerability, you should permit device communication between
the affected devices only over a trusted and secure network.

- --------------------------------------------------------------------------------

K39794285: The BIG-IP system may fail to properly parse HTTP headers that are
prepended by whitespace (non RFC2616 compliant)

Security Advisory

Original Publication Date: 27 Nov, 2019

Security Advisory Description

The BIG-IP system may fail to properly parse HTTP headers that are prepended by
whitespace. This issue occurs when all of the following conditions are met:

  o A virtual server is associated with an HTTP profile.
  o The BIG-IP system receives a specially crafted HTTP request or response
    containing one or more headers with prepended whitespace that does not
    conform to RFC2616.

When a browser communicates with a server over HTTP, it can split a long header
into several lines by prepending continuation lines with leading white space
(per RFC2616). This rule does not apply to the first line of the request (for
example, the line containing request method, URI, etc. cannot be continued on a
second line) and, therefore, having leading white space as the first characters
of the first subsequent header lines is invalid. When a virtual server is
configured with an associated HTTP profile, in affected versions, the BIG-IP
system parses such a line as a header with an empty value.

Impact

The BIG-IP system can hide important HTTP headers, either passing those to the
pool member, failing to properly handle the request (or response), or failing
to correctly load balance a connection (or request in the case of having an
associated OneConnect profile). The header preceded by whitespace may not be
accessible within an iRule, a Local Traffic Policy, or a similar mechanism.

Symptoms

As a result of this issue, you may encounter one or more of the following
symptoms:

  o The BIG-IP system erroneously rejects an HTTP request that is interpreted
    to be missing one or more required headers (for example, the Host header).
  o The BIG-IP system performs invalid load balancing on an HTTP request that
    is interpreted to be missing hash cookie persistence.

Security Advisory Status

F5 Product Development has assigned ID 788325 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |None             |None                                    |
+------------------+-----------------+----------------------------------------+
|                  |15.0.1.1         |                                        |
|Point release/    |14.1.2.1         |K9502: BIG-IP hotfix and point release  |
|hotfix            |14.0.1.1         |matrix                                  |
|                  |13.1.3.2         |                                        |
|                  |11.6.5.1         |                                        |
+------------------+-----------------+----------------------------------------+

Security Advisory Recommended Actions

Workaround

There is no workaround for this issue.

Acknowledgements

F5 would like to acknowledge the F5 DevCentral MVP Kai Wilke of itacs GmbH for
bringing this issue to our attention, and for following the highest standards
of responsible disclosure.

- --------------------------------------------------------------------------------

K14703097: BIG-IP AFM vulnerability CVE-2019-6672

Original Publication Date: 27 Nov, 2019

Security Advisory Description

When bad-actor detection is configured on a wildcard virtual server on
platforms with hardware-based sPVA, the performance of the BIG-IP AFM system is
degraded. (CVE-2019-6672)

Impact

The affected BIG-IP AFM system's CPU usage increases and may cause the
legitimate network packets to be dropped or delayed. This reduces the threshold
for a denial-of-service (DoS) attack. This does not affect BIG-IP VE
deployments, as only the sPVA hardware implementation is affected.

Security Advisory Status

F5 Product Development has assigned ID 781449 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table.
For more information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score |component |
|                   |      |be        |in        |          |      |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.0.1.1  |          |      |          |
|                   |      |15.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.1.0 -  |14.1.2.1  |          |      |          |
|                   |      |14.1.2    |          |          |      |          |
|BIG-IP AFM         +------+----------+----------+          |      |          |
|                   |13.x  |13.1.0 -  |13.1.3.2  |Medium    |5.9   |AFM       |
|                   |      |13.1.3    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IP (LTM, AAM,  |14.x  |None      |Not       |          |      |          |
|Analytics, APM,    |      |          |applicable|          |      |          |
|ASM, DNS, Edge     +------+----------+----------+          |      |          |
|Gateway, FPS, GTM, |13.x  |None      |Not       |Not       |None  |None      |
|Link Controller,   |      |          |applicable|vulnerable|      |          |
|PEM,               +------+----------+----------+          |      |          |
|WebAccelerator)    |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow       |2.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To avoid this vulnerability, you can configure the bad-actor filtering at the
global context instead of at the wildcard virtual server context.

- --------------------------------------------------------------------------------

K11447758: TMM vulnerability CVE-2019-6669

Security Advisory

Original Publication Date: 27 Nov, 2019
Latest Publication Date:   11 Feb, 2020

Security Advisory Description

Undisclosed traffic flow may cause the Traffic Management Microkernel (TMM) to
restart under some circumstances. (CVE-2019-6669)

Impact

A remote attacker may be able to cause the Traffic Management Microkernel (TMM)
to restart. This issue occurs on multi-blade chassis, including multi-blade
vCMP guests. This issue does not occur on single-bladed systems, on BIG-IP
Virtual Edition (VE), or on single-bladed vCMP guests.

Security Advisory Status

F5 Product Development has assigned ID 761014 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases, point releases, or hotfixes that address the vulnerability, refer to
the following table. For more information about security advisory versioning,
refer to K51812227: Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.1.0    |          |      |          |
|                   |      |15.0.1    |15.0.1.1  |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |      |14.1.0 -  |          |          |      |          |
|BIG-IP (LTM, AAM,  |14.x  |14.1.2    |14.1.2.1  |          |      |          |
|AFM, Analytics,    |      |14.0.0 -  |14.0.1.1  |          |      |          |
|APM, ASM, DNS, Edge|      |14.0.1    |          |          |      |          |
|Gateway, FPS, GTM, +------+----------+----------+Medium    |6.5   |TMM       |
|Link Controller,   |13.x  |13.0.0 -  |13.1.3.2  |          |      |          |
|PEM,               |      |13.1.3    |          |          |      |          |
|WebAccelerator)    +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |12.1.5.1  |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.5.2 -  |None      |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |6.x   |None      |Not       |          |      |          |
|BIG-IQ Centralized |      |          |applicable|Not       |      |          |
|Management         +------+----------+----------+vulnerable|None  |None      |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow       |2.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|Not       |      |          |
|Traffix SDC        +------+----------+----------+vulnerable|None  |None      |
|                   |4.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------------------------------------------------------------

K39225055: BIG-IP TMM vulnerability CVE-2019-6671

Original Publication Date: 27 Nov, 2019

Security Advisory Description

Under certain conditions, the Traffic Management Microkernel (TMM) may leak
memory when processing packet fragments, leading to resource starvation.
(CVE-2019-6671)

Impact

Resource starvation due to a memory leak may cause the Traffic Management
Microkernel (TMM) to restart, leading to failover in a high availability (HA)
environment.

Security Advisory Status

F5 Product Development has assigned ID 777737 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score |component |
|                   |      |be        |in        |          |      |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.0.1.1  |          |      |          |
|                   |      |15.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |      |14.1.0 -  |          |          |      |          |
|                   |14.x  |14.1.2    |14.1.2.1  |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.0.0 -  |14.0.1.1  |          |      |          |
|AFM, Analytics,    |      |14.0.1    |          |          |      |          |
|APM, ASM, DNS, Edge+------+----------+----------+          |      |          |
|Gateway, FPS, GTM, |      |13.1.0 -  |          |Medium    |5.9   |TMM       |
|Link Controller,   |13.x  |13.1.3    |13.1.3.2  |          |      |          |
|PEM,               |      |          |          |          |      |          |
|WebAccelerator)    +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |6.x   |None      |Not       |          |      |          |
|BIG-IQ Centralized |      |          |applicable|Not       |      |          |
|Management         +------+----------+----------+vulnerable|None  |None      |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow       |2.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

- --------------------------------------------------------------------------------

K24241590: BIG-IP APM ignores the Restrict to Single Client IP option for
Native RDP resources

Original Publication Date: 27 Nov, 2019

Security Advisory Description

This issue occurs when all of the following conditions are met:

  o You enable the Restrict to Single Client IP option in the Access profile.
  o Users access a native Remote Desktop Protocol (RDP) resource on the BIG-IP
    APM webtop.

When launching a native RDP resource from the BIG-IP APM Webtop, the BIG-IP APM
system provides an RDP file to the client browser and the client browser
invokes the native RDP client to launch the resource with the parameters
specified in the RDP file. When the Access profile Restrict to Single Client IP
option is enabled, a user should only be allowed to launch the resource from
the client that initiated the request.

Impact

An unauthorized client machine can launch an RDP session to a back-end resource
server in an APM session.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o With access to the RDP file that the BIG-IP APM provided (in another APM
    session), you can use the RDP file to launch an RDP session to a back-end
    resource server.
Security Advisory Status

F5 Product Development has assigned ID 769853 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |None             |None                                    |
+------------------+-----------------+----------------------------------------+
|Point release/    |15.0.1.1         |K9502: BIG-IP hotfix and point release  |
|hotfix            |14.1.2.1         |matrix                                  |
|                  |14.0.1.1         |                                        |
+------------------+-----------------+----------------------------------------+

Security Advisory Recommended Actions

Workaround

None

- --------------------------------------------------------------------------------

K81557381: BIG-IP HTTP/2 vulnerability CVE-2019-6673

Original Publication Date: 27 Nov, 2019

Security Advisory Description

When the BIG-IP system is configured in HTTP/2 full proxy mode, specifically
crafted requests may cause a disruption of service provided by the Traffic
Management Microkernel (TMM). (CVE-2019-6673)

Impact

An attacker may be able to use a specifically crafted request to cause a
disruption of service. The data plane is impacted and exposed only when a
virtual server is configured with an associated HTTP profile, HTTP/2 client and
server profile, and the HTTP MRF Router option is enabled (HTTP/2 full proxy
mode).

Security Advisory Status

F5 Product Development has assigned ID 798249 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases, point releases, or hotfixes that address the vulnerability, refer to
the following table. For more information about security advisory versioning,
refer to K51812227: Understanding Security Advisory versioning.

+-----------------+------+----------+----------+-----------+------+-----------+
|                 |      |Versions  |Fixes     |           |CVSSv3|Vulnerable |
|Product          |Branch|known to  |introduced|Severity   |score |component  |
|                 |      |be        |in        |           |      |or feature |
|                 |      |vulnerable|          |           |      |           |
+-----------------+------+----------+----------+-----------+------+-----------+
|                 |15.x  |15.0.0 -  |15.0.1.1  |           |      |           |
|                 |      |15.0.1    |          |           |      |           |
|                 +------+----------+----------+           |      |           |
|                 |14.x  |14.1.0 -  |14.1.2.1  |           |      |           |
|                 |      |14.1.2    |          |           |      |virtual    |
|BIG-IP (LTM, AAM,+------+----------+----------+           |      |servers    |
|AFM, APM, ASM,   |13.x  |None      |Not       |Low        |3.7   |(HTTP MRF  |
|FPS, Link        |      |          |applicable|           |      |Router     |
|Controller, PEM) +------+----------+----------+           |      |option)    |
|                 |12.x  |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
|                 +------+----------+----------+           |      |           |
|                 |11.x  |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
+-----------------+------+----------+----------+-----------+------+-----------+
|                 |15.x  |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
|                 +------+----------+----------+           |      |           |
|                 |14.x  |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
|BIG-IP           +------+----------+----------+Not        |      |           |
|(Analytics, DNS, |13.x  |None      |Not       |vulnerable |None  |None       |
|GTM)             |      |          |applicable|^2         |      |           |
|                 +------+----------+----------+           |      |           |
|                 |12.x  |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
|                 +------+----------+----------+           |      |           |
|                 |11.x  |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
+-----------------+------+----------+----------+-----------+------+-----------+
|Enterprise       |3.x   |None      |Not       |Not        |None  |None       |
|Manager          |      |          |applicable|vulnerable |      |           |
+-----------------+------+----------+----------+-----------+------+-----------+
|                 |7.x   |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
|BIG-IQ           +------+----------+----------+           |      |           |
|Centralized      |6.x   |None      |Not       |Not        |None  |None       |
|Management       |      |          |applicable|vulnerable |      |           |
|                 +------+----------+----------+           |      |           |
|                 |5.x   |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
+-----------------+------+----------+----------+-----------+------+-----------+
|F5 iWorkflow     |2.x   |None      |Not       |Not        |None  |None       |
|                 |      |          |applicable|vulnerable |      |           |
+-----------------+------+----------+----------+-----------+------+-----------+
|Traffix SDC      |5.x   |None      |Not       |Not        |None  |None       |
|                 |      |          |applicable|vulnerable |      |           |
+-----------------+------+----------+----------+-----------+------+-----------+

^2The specified products contain the affected code. However, F5 identifies the
vulnerability status as Not vulnerable because the attacker cannot exploit the
code in default, standard, or recommended configurations.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable
version, then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you can disable the HTTP MRF Router option for
the affected virtual server. To do so, perform the following procedure:

Impact of action: The HTTP/2 full proxy mode is disabled for the virtual
server.

Disabling the HTTP MRF Router option

 1. Log in to the Configuration utility.
 2. Go to Local Traffic > Virtual Servers > Virtual Server List.
 3. Click the name of the affected virtual server.
 4. Under Acceleration, clear the HTTP MRF Router check box.
 5. Select Update.
 6. Repeat the above steps for each virtual server for which the HTTP MRF
    Router option is enabled.
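
The Recommended Actions rule and the HTTP MRF Router exposure condition, applied to an inventory as an added example that is not part of the F5 or AusCERT text. The version ranges are transcribed from the CVE-2019-6671 and CVE-2019-6673 tables above; the function names, status strings and sample inventory are constructed, and treating a build between the last listed version and the fix as vulnerable is an assumption.

```python
# Added example, not F5 or AusCERT code. Rows are transcribed from the two
# tables in this bulletin: (first vulnerable, last vulnerable, fix introduced in).
ADVISORIES = {
    "CVE-2019-6671": [("15.0.0", "15.0.1", "15.0.1.1"),
                      ("14.1.0", "14.1.2", "14.1.2.1"),
                      ("14.0.0", "14.0.1", "14.0.1.1"),
                      ("13.1.0", "13.1.3", "13.1.3.2")],
    "CVE-2019-6673": [("15.0.0", "15.0.1", "15.0.1.1"),
                      ("14.1.0", "14.1.2", "14.1.2.1")],
}


def parse(version, width=5):
    """'14.1.2' -> (14, 1, 2, 0, 0), so 14.1.2 == 14.1.2.0 < 14.1.2.1."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (width - len(parts)))


def triage(version, http_mrf_router=False):
    """Return {cve: (status, fix)} for one BIG-IP software version."""
    v, result = parse(version), {}
    for cve, rows in ADVISORIES.items():
        status, fix = "not listed as vulnerable", None
        for first, last, fixed in rows:
            if parse(first) <= v <= parse(last):
                status, fix = "vulnerable", fixed
            elif parse(last) < v < parse(fixed):
                # Assumption: a build above the listed range but below the fix
                # (for example 13.1.3.1) has not received the fix.
                status, fix = "vulnerable (unlisted build below fix)", fixed
        # The bulletin exposes CVE-2019-6673 only in HTTP/2 full proxy mode,
        # that is, with the HTTP MRF Router option enabled on a virtual server.
        if cve == "CVE-2019-6673" and fix and not http_mrf_router:
            status = "vulnerable version, not exposed"
        result[cve] = (status, fix)
    return result


if __name__ == "__main__":
    # Constructed inventory: (hostname, version, HTTP MRF Router enabled anywhere)
    inventory = [("lb-a", "15.0.1", True), ("lb-b", "14.1.2", False),
                 ("lb-c", "13.1.3.1", False), ("lb-d", "14.1.2.1", True)]
    for host, version, mrf in inventory:
        for cve, (status, fix) in triage(version, mrf).items():
            print(f"{host:5} {version:9} {cve}: {status}; fix: {fix or '-'}")
```

A device reported as "vulnerable version, not exposed" still runs the affected code and becomes exposed as soon as HTTP MRF Router is enabled on any virtual server, so it stays on the upgrade list.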
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================