Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2260.7 F5 Products: Multiple vulnerabilities 23 July 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: BIG-IP BIG-IQ Centralized Management Traffix SDC Publisher: F5 Networks Operating System: Network Appliance Impact/Access: Root Compromise -- Remote/Unauthenticated Access Privileged Data -- Existing Account Overwrite Arbitrary Files -- Existing Account Cross-site Scripting -- Remote with User Interaction Provide Misleading Information -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-5908 CVE-2020-5907 CVE-2020-5906 CVE-2020-5905 CVE-2020-5904 CVE-2020-5903 CVE-2020-5902 Original Bulletin: https://support.f5.com/csp/article/K22493037 https://support.f5.com/csp/article/K33023560 https://support.f5.com/csp/article/K82518062 https://support.f5.com/csp/article/K43638305 https://support.f5.com/csp/article/K33440533 https://support.f5.com/csp/article/K07051153 https://support.f5.com/csp/article/K52145254 https://support.f5.com/csp/article/K31301245 https://support.f5.com/csp/article/K00091341 Revision History: July 23 2020: K52145254: Vendor updated product table, mitigation and indicators of compromise sections July 20 2020: K52145254: Vendor updated mitigation verification instructions, indications of compromise, and noted that the Viprion B2250 Blade may have problems with the patch July 10 2020: A new mitigation has been developed and published in K52145254 July 9 2020: Updated product tables for K31301245 and K52145254 July 8 2020: K52145254 has been updated - BIG-IP branch 16.x is unaffected by CVE-2020-5902 July 3 2020: Alert on a CVSS10 July 1 2020: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- K22493037:The BIG-IP ASM system sends a received XML request with sensitive payload to the ICAP server Security Advisory Original Publication Date: 01 Jul, 2020 Security Advisory Description The BIG-IP ASM system sends a received XML request with sensitive payload to the Internet Content Adaptation Protocol (ICAP) server for inspection, regardless of any other settings. This issue occurs when all of the following conditions are met: o The affected security policy contains an XML profile with at least one element configured to be masked in logs using the Value Masking (BIG-IP 14.0.0 and later) or Sensitive Data Configuration (prior to BIG-IP 14.0.0) feature. o The BIG-IP ASM system is configured to perform ICAP traffic inspection (Anti-Virus Protection). o The XML profile is disabled in the Anti-Virus Protection feature. Note: By default, the default XML profile is disabled. o The BIG-IP ASM system receives an XML payload containing the configured element. Impact The ICAP server receives sensitive XML data. Symptoms As a result of this issue, you may encounter the following symptom: o The ICAP server receives an XML request with the sensitive data unmasked. Security Advisory Status F5 Product Development has assigned ID 858229 to this issue. F5 has confirmed that this issue exists in the products listed in the Applies to (see versions) box, located in the upper-right corner of this article. For information about releases, point releases, or hotfixes that resolve this issue, refer to the following table. +------------------+-----------------+----------------------------------------+ |Type of fix |Fixes introduced |Related articles | | |in | | +------------------+-----------------+----------------------------------------+ |Release |None |None | +------------------+-----------------+----------------------------------------+ | |15.1.0.2* | | |Point release/ |14.1.2.5* |K9502: BIG-IP hotfix and point release | |hotfix |13.1.3.4* |matrix | | |12.1.5.2* | | | |11.6.5.2* | | +------------------+-----------------+----------------------------------------+ *The fixed versions introduce a new internal parameter, send_xml_sensitive_entities_to_icap, to control this behavior; the default value is set to 1 to preserve existing behavior. If you want the BIG-IP ASM system to stop sending XML requests with sensitive data to the ICAP server for inspection, you must change the value of this internal parameter to 0 after upgrading to the fixed versions. For information about configuring this internal parameter, refer to K80391959: Preventing the BIG-IP ASM system from sending XML requests with sensitive data to an ICAP server. Security Advisory Recommended Actions Workaround None Supplemental Information o K51812227: Understanding Security Advisory versioning o K41942608: Overview of AskF5 Security Advisory articles o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K9502: BIG-IP hotfix and point release matrix o K13123: Managing BIG-IP product hotfixes (11.x - 15.x) o K167: Downloading software and firmware from F5 o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents - - ------------------------------------------------------------------------------ K33440533:The BIG-IP ASM Bot Defense may erroneously subject clients and web servers to Open Redirection attacks Security Advisory Original Publication Date: 01 Jul, 2020 Security Advisory Description The BIG-IP ASM Bot Defense may erroneously subject clients and web servers to Open Redirection attacks. This issue occurs when all of the following conditions are met: o Depending on your BIG-IP ASM version, a virtual server is associated with either: a Bot Defense profile (BIG-IP ASM 14.1.0 and later) or a DoS profile enabled with Proactive Bot Defense (prior to BIG-IP ASM 14.1.0) o The affected virtual server receives a client request with URI similar to the following template: /TSPD/blablatype=1&orig_proto=http&orig_host=<site>&req_cookies=1 For example: /TSPD/blablatype=1&orig_proto=http&orig_host=MY_SITE.com&req_cookies=1 Impact When the Bot Defense-enabled virtual server processes such a request, the Bot Defense feature incorrectly generates a HTTP 307 redirection. As a result, the client experiences an unexpected HTTP redirection which can potentially be used for phishing scam or stealing user credentials. In addition, the site in the client request URI unexpectedly receives the redirected request. Symptoms As a result of this issue, you may encounter one or more of the following symptoms: o The client is redirected to another site unexpectedly. o A site receives redirected request from unexpected sources. Security Advisory Status F5 Product Development has assigned ID 858025 to this issue. F5 has confirmed that this issue exists in the products listed in the Applies to (see versions) box, located in the upper-right corner of this article. For information about releases, point releases, or hotfixes that resolve this issue, refer to the following table. +------------------+-----------------+----------------------------------------+ |Type of fix |Fixes introduced |Related articles | | |in | | +------------------+-----------------+----------------------------------------+ |Release |None |None | +------------------+-----------------+----------------------------------------+ | |15.1.0.2 | | |Point release/ |14.1.2.5 |K9502: BIG-IP hotfix and point release | |hotfix |13.1.3.4 |matrix | | |12.1.5.2 | | | |11.6.5.2 | | +------------------+-----------------+----------------------------------------+ Security Advisory Recommended Actions Workaround To work around this issue, you can block such request using an iRule. In addition, you should ensure that the associated Bot Defense Profile or DoS profile has the Cross Domain Requests setting configured to the value of either Allow all requests or Allow configured domains; validate in bulk. To do so, perform the following procedure: Impact of workaround: The following iRule may not apply to all environments. F5 recommends authoring an iRule that works best for your application environment. Additionally, adding an iRule increases the resources used by the associated virtual server. Depending on the type and volume of the connections, the iRule may introduce noticeable latency. F5 recommends testing any such changes in an appropriate environment. 1. Log in to the BIG-IP ASM Configuration utility. 2. Go to Local Traffic > iRules > iRule List. 3. Select Create. 4. In the Name setting, enter a name for the iRule. For example, K33440533workaround. 5. In the Definition setting, enter an iRule similar to the following example: when HTTP_REQUEST { log local0. "uri is [HTTP::uri]" if { ([HTTP::uri] starts_with "/TSPD/") && ( ([HTTP::uri] contains "orig_host=") || ([HTTP::uri] contains "orig_url_path=") ) } { HTTP::respond 200 content "blocked\n" } } 6. To save the iRule, select Finished. 7. Go to Local Traffic > Virtual Servers > Virtual Server List. 8. Select the affected virtual server. 9. Select the Resources tab. 10. In the iRules section, select Manage. 11. From the Available box, select the iRule you created in Steps 3 through 6. 12. To move the iRule to the Enabled box, select <<. 13. To save the changes, select Finished. 14. Ensure that the associated Bot Defense Profile or DoS profile has the Cross Domain Requests setting configured to the value of either Allow all requests or Allow configured domains; validate in bulk. Depending on your BIG-IP ASM version, perform either of the following sub-procedure: BIG-IP ASM 14.1.0 and later BIG-IP ASM versions prior to 14.1.0 BIG-IP ASM 14.1.0 and later 1. Go to Security > Bot Defense > Bot Defense Profiles. 2. Select the associated Bot Defense profile. 3. Go to Browser Verification tab of the Bot Profile Configuration section. 4. Ensure that the Cross Domain Requests setting is set to either Allow all requests or Allow configured domains; validate in bulk. If you have selected Allow configured domains; validate in bulk, make sure you add the relevant domains to Related Site Domains setting and the Related External Domains setting remains empty. 5. Select Save if you have made any change to the profile. BIG-IP ASM versions prior to 14.1.0 1. Go to Security > DoS Protection > DoS Profiles. 2. Select the associated DoS profile. 3. Select the Application Security tab. 4. Select the Proactive Bot Defense tab. 5. Ensure that the Cross Domain Requests setting is set to either Allow all requests or Allow configured domains; validate in bulk. If you have selected Allow configured domains; validate in bulk, make sure you add the relevant domains to Related Site Domains setting and the Related External Domains setting remains empty. 6. Select Update if you have made any change to the profile. Acknowledgements F5 would like to acknowledge Adam Prasil for bringing this issue to our attention, and for following the highest standards of responsible disclosure. Supplemental Information o K51812227: Understanding Security Advisory versioning o K41942608: Overview of AskF5 Security Advisory articles o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K9502: BIG-IP hotfix and point release matrix o K13123: Managing BIG-IP product hotfixes (11.x - 15.x) o K167: Downloading software and firmware from F5 o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents o K42323285: Overview of the unified Bot Defense profile o K00736342: Configuring bot protection - - ------------------------------------------------------------------------------ K43638305:BIG-IP TMUI XSS vulnerability CVE-2020-5903 Security Advisory Original Publication Date: 01 Jul, 2020 Security Advisory Description A Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. (CVE-2020-5903) Impact An attacker can exploit this vulnerability to run JavaScript in the context of the currently logged-in user. In the case of an administrative user with access to the Advanced Shell (bash), successful exploitation of this vulnerability can be leveraged to completely compromise the BIG-IP system through Remote Code Execution. Security Advisory Status F5 Product Development has assigned ID 895881 (BIG-IP) to this vulnerability. To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding Security Advisory versioning. +----------------+------+----------+----------+----------+------+-------------+ | | |Versions |Fixes | |CVSSv3|Vulnerable | |Product |Branch|known to |introduced|Severity |score^|component or | | | |be |in | |1 |feature | | | |vulnerable| | | | | +----------------+------+----------+----------+----------+------+-------------+ | |15.x |15.0.0 - |15.1.0.4 | | | | | | |15.1.0 | | | | | | +------+----------+----------+ | | | | |14.x |14.1.0 - |14.1.2.6 | | | | |BIG-IP (LTM, | |14.1.2 | | | | | |AAM, AFM, +------+----------+----------+ | |TMUI/ | |Analytics, APM, |13.x |13.1.0 - |13.1.3.4 |High |7.5 |Configuration| |ASM, DNS, FPS, | |13.1.3 | | | |utility | |GTM, Link +------+----------+----------+ | | | |Controller, PEM)|12.x |12.1.0 - |12.1.5.2 | | | | | | |12.1.5 | | | | | | +------+----------+----------+ | | | | |11.x |None |Not | | | | | | | |applicable| | | | +----------------+------+----------+----------+----------+------+-------------+ | |7.x |None |Not | | | | | | | |applicable| | | | |BIG-IQ +------+----------+----------+ | | | |Centralized |6.x |None |Not |Not |None |None | |Management | | |applicable|vulnerable| | | | +------+----------+----------+ | | | | |5.x |None |Not | | | | | | | |applicable| | | | +----------------+------+----------+----------+----------+------+-------------+ |Traffix SDC |5.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +----------------+------+----------+----------+----------+------+-------------+ ^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. Security Advisory Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists. Mitigation To mitigate this vulnerability, you should permit management access to F5 products only over a secure network, and limit shell access to only trusted users. For more information about securing access to BIG-IP and Enterprise Manager systems, refer to K13309: Restricting access to the Configuration utility by source IP address (11.x - 15.x) and K13092: Overview of securing access to the BIG-IP system. Acknowledgements F5 would like to acknowledge Mikhail Klyuchnikov of Positive Technologies for bringing this issue to our attention and for following the highest standards of coordinated disclosure. Supplemental Information o K41942608: Overview of Security Advisory articles o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K9502: BIG-IP hotfix and point release matrix o K13123: Managing BIG-IP product hotfixes (11.x - 15.x) o K167: Downloading software and firmware from F5 o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents - - ------------------------------------------------------------------------------ K82518062: BIG-IP SCP vulnerability CVE-2020-5906 Security Advisory Original Publication Date: 01 Jul, 2020 Security Advisory Description The BIG-IP system does not properly enforce the access controls for the scp.blacklist files. This allows Admin and Resource Admin users with Secure Copy (SCP) protocol access to read and overwrite blacklisted files via SCP. ( CVE-2020-5906) Impact Authenticated users with access to the SCP utility, which is an OpenSSH tool, but without full file system or Advanced Shell (bash) access, can read and overwrite certain configuration files that are otherwise restricted through SCP. Security Advisory Status F5 Product Development has assigned ID 860477 (BIG-IP) to this vulnerability. To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding Security Advisory versioning. +-------------------+------+----------+----------+----------+------+----------+ | | |Versions |Fixes | |CVSSv3|Vulnerable| |Product |Branch|known to |introduced|Severity |score^|component | | | |be |in | |1 |or feature| | | |vulnerable| | | | | +-------------------+------+----------+----------+----------+------+----------+ | |15.x |None |Not | | | | | | | |applicable| | | | | +------+----------+----------+ | | | | |14.x |None |14.0.0 | | | | |BIG-IP (LTM, AAM, +------+----------+----------+ | |SCP (a | |AFM, Analytics, |13.x |13.1.0 - |13.1.3.4 | | |component | |APM, ASM, DNS, FPS,| |13.1.3 | |Medium |5.4 |of | |GTM, Link +------+----------+----------+ | |OpenSSH) | |Controller, PEM) |12.x |12.1.0 - |12.1.5.2 | | | | | | |12.1.5 | | | | | | +------+----------+----------+ | | | | |11.x |11.6.1 - |None | | | | | | |11.6.5 | | | | | +-------------------+------+----------+----------+----------+------+----------+ | |7.x |None |Not | | | | | | | |applicable| | | | | +------+----------+----------+ | | | |BIG-IQ Centralized |6.x |None |Not |Not |None |None | |Management | | |applicable|vulnerable| | | | +------+----------+----------+ | | | | |5.x |None |Not | | | | | | | |applicable| | | | +-------------------+------+----------+----------+----------+------+----------+ |Traffix SDC |5.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-------------------+------+----------+----------+----------+------+----------+ ^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. Security Advisory Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists. Mitigation None Supplemental Information o K41942608: Overview of Security Advisory articles o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K9502: BIG-IP hotfix and point release matrix o K13123: Managing BIG-IP product hotfixes (11.x - 15.x) o K167: Downloading software and firmware from F5 o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents - - ------------------------------------------------------------------------------ K33023560:BIG-IP APM Linux Edge Client logging vulnerability CVE-2020-5908 Security Advisory Original Publication Date: 01 Jul, 2020 Security Advisory Description BIG-IP APM Edge Client for Linux exposes the full session ID in the local log files. (CVE-2020-5908) Impact This vulnerability may allow unauthorized disclosure of the BIG-IP APM session ID and expose sensitive information to the user of the client device. Security Advisory Status F5 Product Development has assigned ID 857669 (BIG-IP) to this vulnerability. To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding Security Advisory versioning. +-------------------+------+----------+----------+----------+------+----------+ | | |Versions |Fixes | |CVSSv3|Vulnerable| |Product |Branch|known to |introduced|Severity |score^|component | | | |be |in | |1 |or feature| | | |vulnerable| | | | | +-------------------+------+----------+----------+----------+------+----------+ | |15.x |None |Not | | | | | | | |applicable| | | | | +------+----------+----------+ | | | | |14.x |None |Not | | | | | | | |applicable| | | | | +------+----------+----------+ | |BIG-IP | |BIG-IP (APM) |13.x |None |Not |Low |3.8 |Linux Edge| | | | |applicable| | |Client | | +------+----------+----------+ | |logging | | |12.x |12.1.0 - |12.1.5.1^2| | | | | | |12.1.5 | | | | | | +------+----------+----------+ | | | | |11.x |11.6.1 - |None | | | | | | |11.6.5 | | | | | +-------------------+------+----------+----------+----------+------+----------+ |BIG-IP APM Clients |7.1.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-------------------+------+----------+----------+----------+------+----------+ | |15.x |None |Not | | | | | | | |applicable| | | | | +------+----------+----------+ | | | | |14.x |None |Not | | | | |BIG-IP (LTM, AAM, | | |applicable| | | | |AFM, Analytics, +------+----------+----------+ | | | |ASM, DNS, FPS, GTM,|13.x |None |Not |Not |None |None | |Link Controller, | | |applicable|vulnerable| | | |PEM) +------+----------+----------+ | | | | |12.x |None |Not | | | | | | | |applicable| | | | | +------+----------+----------+ | | | | |11.x |None |Not | | | | | | | |applicable| | | | +-------------------+------+----------+----------+----------+------+----------+ | |7.x |None |Not | | | | | | | |applicable| | | | | +------+----------+----------+ | | | |BIG-IQ Centralized |6.x |None |Not |Not |None |None | |Management | | |applicable|vulnerable| | | | +------+----------+----------+ | | | | |5.x |None |Not | | | | | | | |applicable| | | | +-------------------+------+----------+----------+----------+------+----------+ |Traffix SDC |5.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-------------------+------+----------+----------+----------+------+----------+ ^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. ^2To find out if the BIG-IP Edge Client version on your client system is affected by this vulnerability, refer to the BIG-IP APM and Edge Client major version table in K13757: BIG-IP Edge Client version matrix. Security Advisory Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists. Mitigation None Supplemental Information o K41942608: Overview of Security Advisory articles o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K9502: BIG-IP hotfix and point release matrix o K13123: Managing BIG-IP product hotfixes (11.x - 15.x) o K167: Downloading software and firmware from F5 o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents - - ------------------------------------------------------------------------------- K07051153:TMUI vulnerability CVE-2020-5905 Security Advisory Original Publication Date: 01 Jul, 2020 Security Advisory Description In the BIG-IP Configuration utility Network > WCCP page, the system does not sanitize all user-provided data before displaying the page. (CVE-2020-5905) Impact Authenticated administrative users with access to this page in the Configuration utility may inject code onto the WCCP pages, resulting in a an XSS-style attack against other administrative users who access the pages. Security Advisory Status F5 Product Development has assigned ID 481055 (BIG-IP) to this vulnerability. To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding Security Advisory versioning. +----------------+------+----------+----------+----------+------+-------------+ | | |Versions |Fixes | |CVSSv3|Vulnerable | |Product |Branch|known to |introduced|Severity |score^|component or | | | |be |in | |1 |feature | | | |vulnerable| | | | | +----------------+------+----------+----------+----------+------+-------------+ | |15.x |None |Not | | | | | | | |applicable| | | | | +------+----------+----------+ | | | |BIG-IP (LTM, |14.x |None |Not | | | | |AAM, AFM, | | |applicable| | | | |Analytics, APM, +------+----------+----------+ | |Configuration| |ASM, DNS, FPS, |13.x |None |Not |Medium |5.5 |utility | |GTM, Link | | |applicable| | | | |Controller, PEM)+------+----------+----------+ | | | | |12.x |None |12.0.0 | | | | | +------+----------+----------+ | | | | |11.x |11.6.1 - |None | | | | | | |11.6.5 | | | | | +----------------+------+----------+----------+----------+------+-------------+ | |7.x |None |Not | | | | | | | |applicable| | | | |BIG-IQ +------+----------+----------+ | | | |Centralized |6.x |None |Not |Not |None |None | |Management | | |applicable|vulnerable| | | | +------+----------+----------+ | | | | |5.x |None |Not | | | | | | | |applicable| | | | +----------------+------+----------+----------+----------+------+-------------+ |Traffix SDC |5.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +----------------+------+----------+----------+----------+------+-------------+ ^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. Security Advisory Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists. Mitigation None Supplemental Information o K41942608: Overview of Security Advisory articles o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K9502: BIG-IP hotfix and point release matrix o K13123: Managing BIG-IP product hotfixes (11.x - 15.x) o K167: Downloading software and firmware from F5 o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents - - ------------------------------------------------------------------------------ K52145254:TMUI RCE vulnerability CVE-2020-5902 Security Advisory Original Publication Date: 01 Jul, 2020 Latest Publication Date: 23 Jul, 2020 Security Advisory Description The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. (CVE-2020-5902) Impact This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration utility, through the BIG-IP management port and/or self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected. Note: All information present on an infiltrated system should be considered compromised. This includes, but is not limited to, logs, configurations, credentials, and digital certificates. Important: If your BIG-IP system has TMUI exposed to the Internet and it does not have a fixed version of software installed, there is a high probability that it has been compromised and you should follow your internal incident response procedures. Refer to the Indicators of compromise section. Security Advisory Status F5 Product Development has assigned IDs 895525, 900757, 895981, and 895993 (BIG-IP) to this vulnerability. To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding Security Advisory versioning. +----------------+------+----------+----------+----------+------+-------------+ | | |Versions |Fixes | |CVSSv3|Vulnerable | |Product |Branch|known to |introduced|Severity |score^|component or | | | |be |in | |1 |feature | | | |vulnerable| | | | | +----------------+------+----------+----------+----------+------+-------------+ | |16.x |None |16.0.0 | | | | | +------+----------+----------+ | | | | | |15.1.0 |15.1.0.4^ | | | | | |15.x |15.0.0 - |15.0.1.4 | | | | |BIG-IP (LTM, | |15.0.1 | | | | | |AAM, Advanced +------+----------+----------+ | | | |WAF, AFM, |14.x |14.1.0 - |14.1.2.6 | | | | |Analytics, APM, | |14.1.2 | | | |TMUI/ | |ASM, DDHD, DNS, +------+----------+----------+Critical |10.0 |Configuration| |FPS, GTM, Link |13.x |13.1.0 - |13.1.3.4^+| | |utility | |Controller, PEM,| |13.1.3 | | | | | |SSLO, CGNAT) +------+----------+----------+ | | | | |12.x |12.1.0 - |12.1.5.2 | | | | | | |12.1.5 | | | | | | +------+----------+----------+ | | | | |11.x |11.6.1 - |11.6.5.2 | | | | | | |11.6.5 | | | | | +----------------+------+----------+----------+----------+------+-------------+ | |7.x |None |Not | | | | | | | |applicable| | | | |BIG-IQ +------+----------+----------+ | | | |Centralized |6.x |None |Not |Not |None |None | |Management | | |applicable|vulnerable| | | | +------+----------+----------+ | | | | |5.x |None |Not | | | | | | | |applicable| | | | +----------------+------+----------+----------+----------+------+-------------+ |Traffix SDC |5.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +----------------+------+----------+----------+----------+------+-------------+ ^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. ^+An issue has been identified with the VIPRION B2250 blade and 13.1.3.4. Before installing this version on the B2250 blade, review: K02251382: B2250 VIPRION Fails to boot After Upgrade to v13.1.3.4 installed. ^An issue has been identified with some FIPS platforms (5250v-F, 7200v-F, 10200v-F, 10350v-F, i5820-DF, and i7820-DF) and 15.1.0.4. Before installing this version on these platforms, review: K14635126: FIPS platforms fail to load configuration after upgrade to 15.1.0.4. Note: Versions that have reached End of Technical support (EoTS) have not been evaluated but should be assumed vulnerable. For more information, refer to K5903: BIG-IP software support policy. Security Advisory Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by installing a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no update candidate currently exists. If you are using public cloud marketplaces (AWS, Azure, GCP, and Alibaba) to deploy BIG-IP Virtual Edition (VE), F5 recommends that you install the latest releases of BIG-IP versions listed in the Fixes introduced in column, subject to their availability on those marketplaces. See K84554955: Overview of BIG-IP systems software upgrades. Mitigation Important: F5 recommends that you install a fixed software version to fix this vulnerability. If it is not possible to update quickly, you can use the following sections as temporary configuration mitigations until updating is complete: o Restrict Access: Self IPs: addresses unauthenticated and authenticated attackers on self IPs, by blocking all access Management interface: addresses unauthenticated attackers on management interface, by restricting access o TMUI httpd: addresses unauthenticated attackers on all interfaces Command line iControl REST Important: F5 strongly recommends installing fixed versions of the software to address the underlying vulnerability. The risk may be mitigated by restricting access to all TMUI interfaces using the following mitigation steps provided for self IPs and the management interface. Restrict Access Self IPs You can block all access to the Configuration utility of your BIG-IP system using self IPs. To do so, you can change the Port Lockdown setting to Allow None for each self IP in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to the Configuration utility. By default, the Configuration utility listens on TCP port 443; however, beginning in BIG-IP 13.0.0, Single-NIC BIG-IP VE deployments use TCP port 8443. Alternatively, you can configure a custom port. Note: Performing this action prevents all access to the Configuration utility using the self IP. These changes may also impact other services, including breaking HA configurations. Before you make changes to the configuration of your self IPs, F5 strongly recommends that you refer to the following articles: o K17333: Overview of port lockdown behavior (12.x - 16.x) o K13092: Overview of securing access to the BIG-IP system o K31003634: The Configuration utility of the Single-NIC BIG-IP Virtual Edition now defaults to TCP port 8443 o K51358480: The single-NIC BIG-IP VE may erroneously revert to the default management httpd port after a configuration reload Management interface To mitigate this vulnerability for affected F5 products, you should permit management access to F5 products only over a secure network. For more information about securing access to BIG-IP systems, refer to K13309: Restricting access to the Configuration utility by source IP address (11.x - 16.x) and K13092: Overview of securing access to the BIG-IP system. Note: Until a fixed release is installed, authenticated users accessing the Configuration utility will always be able to exploit this vulnerability. TMUI httpd Important: This section was last updated on July 8, 2020 at 17:00 Pacific time. The mitigation provided below is based on the information available to F5 at this time. It may not be a complete mitigation. However, F5 feels this information is useful to our customers as it mitigates the unauthenticated exploits currently known to us. As F5 becomes aware of any future variants, we will continue to update this article. To prevent unauthenticated attackers from exploiting this vulnerability, add a LocationMatch configuration element to httpd. To do so, perform the following procedure: Note: Authenticated users will still be able to exploit the vulnerability, independent of their privilege level. Impact of workaround: The following mitigation adds an include statement to the httpd properties. If your httpd properties contain an existing include statement (the include statement is something other than the default of none), you need to prepend/append your existing included configuration to the changes, or it will be overwritten. For example, if your existing include statement is: include "FileETag MTime Size" Then you can append the LocationMatch statement in the mitigation to the existing configuration as follows: include 'FileETag MTime Size <LocationMatch ";"> Redirect 404 / </LocationMatch> <LocationMatch "hsqldb"> Redirect 404 / </LocationMatch> ' You can perform the mitigation locally using the command line or remotely using the iControl REST interface. Command line 1. Log in to the TMOS Shell (tmsh) by entering the following command: tmsh 2. Edit the httpd properties by entering the following command: edit /sys httpd all-properties Note: Running this command puts you into the vi editor. 3. Locate the line that starts with include none and replace it with the following: include ' <LocationMatch ";"> Redirect 404 / </LocationMatch> <LocationMatch "hsqldb"> Redirect 404 / </LocationMatch> ' 4. Write and save the changes to the configuration file by entering the following vi commands: Esc :wq! 5. When further prompted to Save Changes (y/n/e), enter y. 6. Save the configuration by entering the following tmsh command: save /sys config 7. To activate the mitigation, restart the httpd service by entering the following command: restart sys service httpd 8. To exit tmsh, enter the following command: quit 9. Ensure that the workaround is inserted in the configuration by comparing the output of the following command to the configured LocationMatch fragment that you inserted in step 3. To do so, enter the following command: grep -C1 'Redirect 404' /etc/httpd/conf/httpd.conf The output should match the following: <LocationMatch ";"> Redirect 404 / </LocationMatch> <LocationMatch "hsqldb"> Redirect 404 / </LocationMatch> Note: You may disregard any leading white spaces. 10. If you have a high availability (HA) configuration, you may now perform a ConfigSync operation as documented in K14856: Performing a ConfigSync using tmsh. No restart of httpd on the peer system should be required after syncing. Confirm the mitigation is working using the following instructions. iControl REST # Patch the httpd configuration curl -ku admin:[password] https://[IP Address]/mgmt/tm/sys/httpd -H content-type:application/json -X PATCH -d '{"include":"\n <LocationMatch \\\";\ \\">\n Redirect 404 /\n </LocationMatch>\n <LocationMatch \\\"hsqldb\\\">\n Redirect 404 /\n </LocationMatch>\n "}' | jq . # Save the system config curl -ku admin:[password] https://[IP Address]/mgmt/tm/sys/config -H "Content-Type: application/json" -X POST -d '{"command":"save"}' | jq . # Verify the configuration curl -ku admin:[password] https://[IP Address]/mgmt/tm/sys/httpd -H "Content-Type: application/json" -X GET | jq . If you have an HA configuration, you may also synchronize these changes with the peers: curl -ku admin:[password] https://[IP Address]/mgmt/tm/cm -H "Content-Type: application/json" -X POST -d '{"command":"run","utilCmdArgs":"config-sync to-group [Device Group Name]"}' | jq . No restart of httpd on the peer should be required after syncing. Confirm the mitigation is working using the following instructions. Note: Running REST commands in rapid succession may cause issues. F5 advises that you allow time for completion between commands. Note: This mitigation previously included a step to restart httpd. It has been determined that the restart is not required when using REST. Furthermore, the restart command may cause issues with httpd. See K13292945: httpd failing to start after restarting the service using the iControl REST API. Note: F5 is aware of customers attempting to mitigate using tmsh modify sys httpd allow instead of the recommended mitigation above. This has not been an effective mitigation and devices using this have been compromised. Verifying the mitigation You can verify that the mitigation is working by using the following URL syntax: o https://[IP ADDRESS]/tmui/login.jsp/..;/login.jsp o https://[IP ADDRESS]/hsqldb%0a Before applying the mitigation, the pages load. After the mitigation, you receive 404 responses. Indicators of compromise Important: This section was last updated on July 20, 2020 at 20:00 Pacific time. This information is based on the evidence F5 has seen on compromised devices, which we feel are reliable indicators. It is important to note that not all exploited systems may show the same indicators, and, indeed, a skilled attacker may be able to remove traces of their work. It is not possible to prove a device has not been compromised; when there is any uncertainty, you should consider the device compromised. All versions F5 iHealth is updated with heuristics which flag indicators of compromise in uploaded QKView diagnostic files. Refer to K27404821: Using F5 iHealth to diagnose vulnerabilities for more information on using F5 iHealth. Through the DevCentral GitHub, F5 has also released the CVE-2020-5902 IoC Detection Tool . This is a Python script designed to run on the command line to locally identify indicators of compromise. If you are unable to use the CVE-2020-5902 IoC Detection Tool, you may also perform some of the following checks manually: o Look for the creation of aliases for the Advanced Shell (bash); the presence of an alias is a strong indicator of a potential compromise. To do so, run the following command: awk '/^cli.alias/,/^}/' /config/bigip_*.conf You may observe results similar to the following: cli alias private list { command bash user root } If you see results similar to this, it is a possible indicator of compromise. You should determine if the result is legitimate for your configuration. o Check for user 'systems' in /config/bigip_user.conf and /etc/passwd; several exploits have created this non-standard user. To do so, run the following commands: awk '/systems/' /config/bigip_user.conf grep -i 'systems' /etc/passwd o Examine /var/log/audit for common patterns seen with exploits. To do so, run the following command: zgrep -e "create cli alias" -e "run /util bash /tmp" -e "list auth user admin" -e "_alias" -e "create auth user" -e "load user credentials for user" /var/log/audit* You may see a result similar to the following: Jul 14 12:59:57 [REDACTED] notice tmsh[13316]: 01420002:5: AUDIT - pid= 13316 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data= create cli alias private list command bash If this command returns a similar result, it may be a possible indicator of compromise. You need to examine the results to determine if you can account for them due to legitimate activity. o Check for files created in /usr/local/www/ since the CVE announcement. It is common for exploit scripts to create files in this directory. If you find any files, determine if they can be accounted for from legitimate activity. If not, this is a strong indicator of compromise. To check files, run the following command: touch -t 202006290100 /tmp/kbtime; find /usr/local/www/ -type f -newer /tmp /kbtime -ls; Additionally, refer to the following articles: o K60058401: URI logging with HTTPD to audit requests sent to TMUI / GUI o K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system for an overview Versions prior to BIG-IP 14.1.0 In versions earlier than BIG-IP 14.1.0, with the default configuration, you can examine /var/log/audit and /var/log/ltm as follows. There is no supported mechanism to expose additional log entries. To examine the logs, use the following command: zgrep '%tmui' /var/log/audit* /var/log/ltm* Log entries similar to the following are indicators of possible compromise: audit.1:Jul 6 15:33:38 [REDACTED] notice tmsh[27903]: 01420002:5: AUDIT - Cannot load user credentials for user "%tmui" Current session has been terminated. ltm.1:Jul 6 15:33:38 [REDACTED] notice tmsh[27903]: 01420003:5: Cannot load user credentials for user "%tmui" Current session has been terminated. BIG-IP 14.1.0 and later In BIG-IP 14.1.0 and later, you can examine the output of journalctl for evidence of attempts to exploit this vulnerability by entering the following command in bash: journalctl /bin/logger | grep -F ';' The command output may appear similar to the following example on a device where compromise was attempted; note that some elements are redacted (normally the complete URL is visible, along with the IP address that sent the request): Jul 06 12:59:01 hostname logger[29929]: [ssl_acc] nnn.nnn.nnn.nnn - - [06/Jul/ 2020:12:59:01 +0000] "/[REDACTED]/..;/[REDACTED]" 200 252 If any log entries are shown, this may be an indicator of an attempt to compromise the BIG-IP system. Take specific note of the second to last value in the line, in this case 200; the HTTP Response Code. A 200 indicates that the request was successful, which is a strong indicator of a successful exploit. A 404 response code means the requested item was not found. This may be a sign of an attempted compromise or a scanner being run against the device. You may also see 404 requests logged on devices using mitigation or which are running fixed software. The requests are still being made, but they are unsuccessful. Note: Journal log entries are rotating and limited to ~20 MB and therefore may contain limited historical information. Note: These log entries are only created by unauthenticated attacks. Authenticated attackers do not leave this record behind. Other indicators of compromise may include unexpected modifications to any files, configurations, or running processes. F5 has iHealth heuristics designed to detect unknown processes running (Heuristic H511618) and also heuristics designed to detect when the Configuration utility has been exposed to the Internet through the management interface (H444724) or when a self IP address has Port Lockdown set to Allow All (H458565). Note: Lack of log entries or heuristic reports do not categorically indicate that a unit has not been compromised. A skilled attacker can remove evidence of compromise, including log files, following successful exploitation. Acknowledgements F5 would like to acknowledge Mikhail Klyuchnikov of Positive Technologies for bringing this issue to our attention and for following the highest standards of coordinated disclosure. F5 would like to acknowledge Rich Mirch, Senior Adversarial Engineer, and Chase Dardaman, Senior Adversarial Engineer, from TeamARES of Critical Start, Inc. for bringing an issue with the original mitigation to our attention and for following the highest standards of coordinated disclosure. Supplemental Information o K41942608: Overview of Security Advisory articles o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K9502: BIG-IP hotfix and point release matrix o K84554955: Overview of BIG-IP systems software upgrades o K13123: Managing BIG-IP product hotfixes (11.x - 16.x) o K167: Downloading software and firmware from F5 o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents o K46122561: Restricting access to the management port using network firewall rules o K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system o DevCentral: Traffic Management User Interface Vulnerability: How to mitigate - - ------------------------------------------------------------------------------ K31301245:TMUI CSRF vulnerability CVE-2020-5904 Security Advisory Original Publication Date: 01 Jul, 2020 Latest Publication Date: 08 Jul, 2020 Security Advisory Description A cross-site request forgery (CSRF) vulnerability in the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, exists in an undisclosed page. (CVE-2020-5904) Impact An attacker may be able to use the session of an administrator user to execute TMOS Shell (tmsh) commands on the BIG-IP system. This vulnerability affects only the control plane, and an administrator user must be logged in for the exploit to be possible. Security Advisory Status F5 Product Development has assigned ID 905905 (BIG-IP) to this vulnerability. To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding Security Advisory versioning. +----------------+------+----------+----------+----------+------+-------------+ | | |Versions |Fixes | |CVSSv3|Vulnerable | |Product |Branch|known to |introduced|Severity |score^|component or | | | |be |in | |1 |feature | | | |vulnerable| | | | | +----------------+------+----------+----------+----------+------+-------------+ | |16.x |None |16.0.0 | | | | | +------+----------+----------+ | | | | |15.x |15.0.0 - |15.1.0.4 | | | | | | |15.1.0 | | | | | | +------+----------+----------+ | | | |BIG-IP (LTM, |14.x |14.1.0 - |14.1.2.6 | | | | |AAM, AFM, | |14.1.2 | | | | | |Analytics, APM, +------+----------+----------+High |8.8 |Configuration| |ASM, DNS, FPS, |13.x |13.1.0 - |13.1.3.4 | | |utility | |GTM, Link | |13.1.3 | | | | | |Controller, PEM)+------+----------+----------+ | | | | |12.x |12.1.0 - |12.1.5.2 | | | | | | |12.1.5 | | | | | | +------+----------+----------+ | | | | |11.x |None |Not | | | | | | | |applicable| | | | +----------------+------+----------+----------+----------+------+-------------+ | |7.x |None |Not | | | | | | | |applicable| | | | |BIG-IQ +------+----------+----------+ | | | |Centralized |6.x |None |Not |Not |None |None | |Management | | |applicable|vulnerable| | | | +------+----------+----------+ | | | | |5.x |None |Not | | | | | | | |applicable| | | | +----------------+------+----------+----------+----------+------+-------------+ |Traffix SDC |5.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +----------------+------+----------+----------+----------+------+-------------+ ^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. Security Advisory Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists. Mitigation To mitigate this vulnerability for affected F5 products, you should only permit management access to F5 products over a secure network and limit shell access to trusted users. For more information about securing access to BIG-IP systems, refer to K13309: Restricting access to the Configuration utility by source IP address (11.x - 15.x) and K13092: Overview of securing access to the BIG-IP system. Supplemental Information o K41942608: Overview of Security Advisory articles o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K9502: BIG-IP hotfix and point release matrix o K13123: Managing BIG-IP product hotfixes (11.x - 15.x) o K167: Downloading software and firmware from F5 o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents - - ------------------------------------------------------------------------------ K00091341:TMOS Shell privilege escalation vulnerability CVE-2020-5907 Security Advisory Original Publication Date: 01 Jul, 2020 Security Advisory Description An authorized user provided with access only to the TMOS Shell (tmsh) may be able to conduct arbitrary file read/writes via the built-in sftp functionality. (CVE-2020-5907) Impact A malicious actor who has gained access to a restricted account with tmsh access (for example, a user who has Terminal Access set to tmsh and not Advanced shell) may be able to read or write to arbitrary files on the file system using the built-in sftp functionality and use that access to construct a privilege escalation attack in order to gain root access to the BIG-IP system. Security Advisory Status F5 Product Development has assigned ID 859089 (BIG-IP) to this vulnerability. To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding Security Advisory versioning. +-------------------+------+----------+----------+----------+------+----------+ | | |Versions |Fixes | |CVSSv3|Vulnerable| |Product |Branch|known to |introduced|Severity |score^|component | | | |be |in | |1 |or feature| | | |vulnerable| | | | | +-------------------+------+----------+----------+----------+------+----------+ | |15.x |15.0.0 - |15.1.0.4 | | | | | | |15.1.0 | | | | | | +------+----------+----------+ | | | | |14.x |14.1.0 - |14.1.2.4 | | | | |BIG-IP (LTM, AAM, | |14.1.2 | | | | | |AFM, Analytics, +------+----------+----------+ | | | |APM, ASM, DNS, FPS,|13.x |13.1.0 - |13.1.3.4 |Medium |6.6 |tmsh | |GTM, Link | |13.1.3 | | | | | |Controller, PEM) +------+----------+----------+ | | | | |12.x |12.1.0 - |12.1.5.2 | | | | | | |12.1.5 | | | | | | +------+----------+----------+ | | | | |11.x |11.5.2 - |11.6.5.2 | | | | | | |11.6.5 | | | | | +-------------------+------+----------+----------+----------+------+----------+ | |7.x |None |Not | | | | | | | |applicable| | | | | +------+----------+----------+ | | | |BIG-IQ Centralized |6.x |None |Not |Not |None |None | |Management | | |applicable|vulnerable| | | | +------+----------+----------+ | | | | |5.x |None |Not | | | | | | | |applicable| | | | +-------------------+------+----------+----------+----------+------+----------+ |Traffix SDC |5.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-------------------+------+----------+----------+----------+------+----------+ ^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. Security Advisory Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists. Mitigation To mitigate this vulnerability, you should permit connectivity access to the affected F5 products only over a secure network and restrict access for the affected systems to only trusted users. For more information, refer to the following articles: o K13309: Restricting access to the Configuration utility by source IP address (11.x - 15.x) o K13092: Overview of securing access to the BIG-IP system Additionally, you can mitigate this vulnerability by enabling Appliance mode for vulnerable BIG-IP versions. Appliance mode limits the BIG-IP system administrative access to match that of a typical network appliance and prohibits use of utilities such as sftp. Impact of action: Appliance mode is designed to meet the needs of customers in especially sensitive sectors by limiting the BIG-IP system administrative access to match that of a typical network appliance and not a multi-user UNIX device. For information about Appliance mode, refer to the following article: o K12815: Overview of Appliance mode Acknowledgements F5 would like to acknowledge Lukasz Mikula of Afine for bringing this issue to our attention and for following the highest standards of coordinated disclosure. Supplemental Information o K51812227: Understanding Security Advisory versioning o K41942608: Overview of Security Advisory articles o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K9502: BIG-IP hotfix and point release matrix o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM systems (11.4.x and later) o K167: Downloading software and firmware from F5 o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXxkrBeNLKJtyKPYoAQi8vA/+JoMekEbymgSus1i0eafmTKujPJGD1oB1 e+vqLVGhSx2xW1ci/G+2uUrehDJV5mKUrF+Dj/FHnN8UIxn6E4iebrKQrrxFm2rf 3cktPnFJMRjq4a9Bt0TdS5/xqSGBd86OTdfc3Ao8SdlJVS8zne/5mdyqVrzTjPBn gh9UZh8TFcgfoxHGHZKaf+PLwpPQNUklxca9PSmQF4SE8IqY87KzUKHyVZ9mlR7m TRDpwuGSMAqPs4yZ+KvxaxFwRVUv/xjKrqntKuRp2YEPfjpBdyobcmiZQBoeky+W qqX7VmJtjff1ZshMY1SZUsP+2fIgwK0YA4/AgY31Pd9Dh3OGhw0L6p0k4WD1rKkM l4bpkknQj+GZicTdBeTmccWAV+NLUTtml4/X79WQ/UTKV3YP7JmLoSZ1xpekRrzz cEjfKNmygfLKerlWQEzJB/tIlXX7yp2cviae0kp2AeDR69jzxP2qPpIf1C3NIZ+/ ivoZ5CmBtwUpkBsaRPERnp6TvaOLWQ/2sgbv2aqOub4V0jsCDT9OO8gjbQJ4waru r5w5VBK/G7HaQnIqJ4dw20e+f8cbjxXmeSunt+aiWOMD9Q3UruDFIVTawm9mWkI2 mh3B22MonLCwcIgowIUL1lMl0GrSuMzicm7pNHAS7VAio1QJ9L2KVpxhwujMcz3p GT179ozc070= =FtjE -----END PGP SIGNATURE-----