-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.2260.7
                   F5 Products: Multiple vulnerabilities
                               23 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP
                   BIG-IQ Centralized Management
                   Traffix SDC
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Root Compromise                -- Remote/Unauthenticated      
                   Access Privileged Data         -- Existing Account            
                   Overwrite Arbitrary Files      -- Existing Account            
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-5908 CVE-2020-5907 CVE-2020-5906
                   CVE-2020-5905 CVE-2020-5904 CVE-2020-5903
                   CVE-2020-5902  

Original Bulletin: 
   https://support.f5.com/csp/article/K22493037
   https://support.f5.com/csp/article/K33023560
   https://support.f5.com/csp/article/K82518062
   https://support.f5.com/csp/article/K43638305
   https://support.f5.com/csp/article/K33440533
   https://support.f5.com/csp/article/K07051153
   https://support.f5.com/csp/article/K52145254
   https://support.f5.com/csp/article/K31301245
   https://support.f5.com/csp/article/K00091341

Revision History:  July 23 2020: K52145254: Vendor updated product table, mitigation 
                                 and indicators of compromise sections
                   July 20 2020: K52145254: Vendor updated mitigation verification 
                                 instructions, indications of compromise, and noted 
                                 that the Viprion B2250 Blade may have problems with the patch
                   July 10 2020: A new mitigation has been developed and published in K52145254
                   July  9 2020: Updated product tables for K31301245 and K52145254
                   July  8 2020: K52145254 has been updated - BIG-IP branch 16.x is 
                                 unaffected by CVE-2020-5902
                   July  3 2020: Alert on a CVSS 10 vulnerability (CVE-2020-5902) in K52145254
                   July  1 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K22493037: The BIG-IP ASM system sends a received XML request with sensitive
payload to the ICAP server

Security Advisory

Original Publication Date: 01 Jul, 2020

Security Advisory Description

The BIG-IP ASM system sends a received XML request with sensitive payload to
the Internet Content Adaptation Protocol (ICAP) server for inspection,
regardless of any other settings.

This issue occurs when all of the following conditions are met:

  o The affected security policy contains an XML profile with at least one
    element configured to be masked in logs using the Value Masking (BIG-IP
    14.0.0 and later) or Sensitive Data Configuration (prior to BIG-IP 14.0.0)
    feature.
  o The BIG-IP ASM system is configured to perform ICAP traffic inspection
    (Anti-Virus Protection).
  o The XML profile is disabled in the Anti-Virus Protection feature.

    Note: The default XML profile is disabled in the Anti-Virus Protection
    feature by default, so this condition is met unless you enabled it.

  o The BIG-IP ASM system receives an XML payload containing the configured
    element.

Impact

The ICAP server receives sensitive XML data.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o The ICAP server receives an XML request with the sensitive data unmasked.

Security Advisory Status

F5 Product Development has assigned ID 858229 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |None             |None                                    |
+------------------+-----------------+----------------------------------------+
|                  |15.1.0.2*        |                                        |
|Point release/    |14.1.2.5*        |K9502: BIG-IP hotfix and point release  |
|hotfix            |13.1.3.4*        |matrix                                  |
|                  |12.1.5.2*        |                                        |
|                  |11.6.5.2*        |                                        |
+------------------+-----------------+----------------------------------------+

*The fixed versions introduce a new internal parameter,
send_xml_sensitive_entities_to_icap, to control this behavior; the default
value is set to 1 to preserve existing behavior. If you want the BIG-IP ASM
system to stop sending XML requests with sensitive data to the ICAP server for
inspection, you must change the value of this internal parameter to 0 after
upgrading to the fixed versions. For information about configuring this
internal parameter, refer to K80391959: Preventing the BIG-IP ASM system from
sending XML requests with sensitive data to an ICAP server.

Security Advisory Recommended Actions

Workaround

None

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- - ------------------------------------------------------------------------------


K33440533: The BIG-IP ASM Bot Defense may erroneously subject clients and web
servers to Open Redirection attacks

Security Advisory

Original Publication Date: 01 Jul, 2020

Security Advisory Description

The BIG-IP ASM Bot Defense may erroneously subject clients and web servers to
Open Redirection attacks. This issue occurs when all of the following
conditions are met:

  o Depending on your BIG-IP ASM version, a virtual server is associated with
    either:
       a Bot Defense profile (BIG-IP ASM 14.1.0 and later) or
       a DoS profile enabled with Proactive Bot Defense (prior to BIG-IP ASM
        14.1.0)
  o The affected virtual server receives a client request with URI similar to
    the following template:

    /TSPD/blablatype=1&orig_proto=http&orig_host=<site>&req_cookies=1

    For example:

    /TSPD/blablatype=1&orig_proto=http&orig_host=MY_SITE.com&req_cookies=1

Impact

When the Bot Defense-enabled virtual server processes such a request, the Bot
Defense feature incorrectly generates an HTTP 307 redirect to the host named
in the request URI. As a result, the client is sent to a site of the
attacker's choosing, which can be used for phishing or to steal user
credentials. In addition, the site named in the client request URI
unexpectedly receives the redirected request.

Symptoms

As a result of this issue, you may encounter one or more of the following
symptoms:

  o The client is redirected to another site unexpectedly.
  o A site receives redirected requests from unexpected sources.

Security Advisory Status

F5 Product Development has assigned ID 858025 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |None             |None                                    |
+------------------+-----------------+----------------------------------------+
|                  |15.1.0.2         |                                        |
|Point release/    |14.1.2.5         |K9502: BIG-IP hotfix and point release  |
|hotfix            |13.1.3.4         |matrix                                  |
|                  |12.1.5.2         |                                        |
|                  |11.6.5.2         |                                        |
+------------------+-----------------+----------------------------------------+

Security Advisory Recommended Actions

Workaround

To work around this issue, you can block such requests using an iRule. In
addition, ensure that the associated Bot Defense profile or DoS profile has
the Cross Domain Requests setting configured to either Allow all requests or
Allow configured domains; validate in bulk. To do so, perform the following
procedure:

Impact of workaround: The following iRule may not apply to all environments. F5
recommends authoring an iRule that works best for your application environment.
Additionally, adding an iRule increases the resources used by the associated
virtual server. Depending on the type and volume of the connections, the iRule
may introduce noticeable latency. F5 recommends testing any such changes in an
appropriate environment.

 1. Log in to the BIG-IP ASM Configuration utility.
 2. Go to Local Traffic > iRules > iRule List.
 3. Select Create.
 4. In the Name setting, enter a name for the iRule. For example, 
    K33440533workaround.
 5. In the Definition setting, enter an iRule similar to the following
    example: 

    when HTTP_REQUEST {
        # Debug logging of every request URI; remove it once the workaround
        # is verified, as it is noisy on a busy virtual server.
        log local0. "uri is [HTTP::uri]"
        # Refuse /TSPD/ requests that carry the redirect-controlling
        # parameters before Bot Defense can act on them.
        if { ([HTTP::uri] starts_with "/TSPD/") &&
             ( ([HTTP::uri] contains "orig_host=") ||
               ([HTTP::uri] contains "orig_url_path=") ) } {
            HTTP::respond 200 content "blocked\n"
        }
    }

 6. To save the iRule, select Finished.
 7. Go to Local Traffic > Virtual Servers > Virtual Server List.
 8. Select the affected virtual server.
 9. Select the Resources tab.
10. In the iRules section, select Manage.
11. From the Available box, select the iRule you created in Steps 3 through 6.
12. To move the iRule to the Enabled box, select <<.
13. To save the changes, select Finished.
14. Ensure that the associated Bot Defense profile or DoS profile has the Cross
    Domain Requests setting configured to either Allow all requests or Allow
    configured domains; validate in bulk. Depending on your BIG-IP ASM
    version, perform one of the following sub-procedures:

        BIG-IP ASM 14.1.0 and later

         1. Go to Security > Bot Defense > Bot Defense Profiles.
         2. Select the associated Bot Defense profile.
         3. Go to the Browser Verification tab of the Bot Profile
            Configuration section.
         4. Ensure that the Cross Domain Requests setting is set to either
            Allow all requests or Allow configured domains; validate in bulk.
            If you have selected Allow configured domains; validate in bulk,
            make sure you add the relevant domains to Related Site Domains
            setting and the Related External Domains setting remains empty.
         5. Select Save if you have made any change to the profile.

        BIG-IP ASM versions prior to 14.1.0

         1. Go to Security > DoS Protection > DoS Profiles.
         2. Select the associated DoS profile.
         3. Select the Application Security tab.
         4. Select the Proactive Bot Defense tab.
         5. Ensure that the Cross Domain Requests setting is set to either
            Allow all requests or Allow configured domains; validate in bulk.
            If you have selected Allow configured domains; validate in bulk,
            make sure you add the relevant domains to Related Site Domains
            setting and the Related External Domains setting remains empty.
         6. Select Update if you have made any change to the profile.
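The following is an added example and not F5 code: a small Python helper for
checking a virtual server against this issue and for spotting exploitation
attempts in request logs. The probe path follows the URI template given in
the advisory, and the "blocked" 200 response is what the iRule workaround
above returns; the function names, the canary host and the sample log lines
are constructed for illustration.

```python
"""Probe and log-detection helpers for the Bot Defense open redirect in
K33440533 (F5 ID 858025).

Added example; this is not F5 code.  The probe path follows the URI
template in the advisory, the "blocked" 200 response is what the advisory's
iRule workaround returns, and everything else (function names, the canary
host, the sample log lines) is constructed for illustration.
"""
import http.client
import re
from urllib.parse import parse_qs

# Template from the advisory. orig_host is attacker-chosen; a vulnerable
# Bot Defense profile answers with a 307 pointing at it.
PROBE_TEMPLATE = "/TSPD/blablatype=1&orig_proto=http&orig_host={host}&req_cookies=1"
# .invalid is reserved (RFC 2606), so an accidental redirect never resolves.
CANARY_HOST = "redirect-canary.invalid"


def build_probe_path(canary_host=CANARY_HOST):
    return PROBE_TEMPLATE.format(host=canary_host)


def classify_response(status, headers, body, canary_host=CANARY_HOST):
    """Map one HTTP response to 'vulnerable', 'mitigated' or 'inconclusive'.

    headers: dict keyed by lower-cased header name.
    """
    location = headers.get("location", "")
    if status == 307 and canary_host in location:
        return "vulnerable"          # Bot Defense redirected to our host
    if status == 200 and body.strip() == "blocked":
        return "mitigated"           # the K33440533 iRule answered
    return "inconclusive"


def probe(host, port=443, use_tls=True, timeout=5):
    """Send the probe to a virtual server and classify what comes back."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("GET", build_probe_path(), headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        headers = {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()
    return classify_response(resp.status, headers, body)


# --- detection over request logs -------------------------------------------
# Matches the request line of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (/TSPD/\S*) HTTP/')


def find_tspd_redirect_probes(log_lines):
    """Return one record per request the workaround iRule would block:
    a /TSPD/ path carrying orig_host= or orig_url_path=."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        # Everything after /TSPD/ is query-shaped; accept '?' or '&' joins.
        params = parse_qs(path[len("/TSPD/"):].replace("?", "&"),
                          keep_blank_values=True)
        if "orig_host" in params or "orig_url_path" in params:
            hits.append({
                "line": line_no,
                "orig_host": params.get("orig_host", [None])[0],
                "orig_url_path": params.get("orig_url_path", [None])[0],
            })
    return hits


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jul/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jul/2020:10:00:02 +0000] "GET /TSPD/blablatype=1'
    '&orig_proto=http&orig_host=evil.example&req_cookies=1 HTTP/1.1" 307 0',
    '203.0.113.9 - - [01/Jul/2020:10:00:03 +0000] "GET /TSPD/?orig_url_path=/login HTTP/1.1" 200 8',
    '203.0.113.9 - - [01/Jul/2020:10:00:04 +0000] "GET /TSPD/static.js HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for hit in find_tspd_redirect_probes(SAMPLE_LOG):
        print(hit)
```

Run probe("vs.example.com") against a test virtual server before and after
attaching the iRule: a 307 whose Location names the canary host means the
redirect is still reachable, and a 200 "blocked" means the iRule is in front
of it. A 307 to some other host, or any other status, is inconclusive and
needs a look at the Bot Defense configuration rather than a verdict.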

Acknowledgements

F5 would like to acknowledge Adam Prasil for bringing this issue to our
attention, and for following the highest standards of responsible disclosure.

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K42323285: Overview of the unified Bot Defense profile
  o K00736342: Configuring bot protection

- - ------------------------------------------------------------------------------


K43638305: BIG-IP TMUI XSS vulnerability CVE-2020-5903

Security Advisory

Original Publication Date: 01 Jul, 2020

Security Advisory Description

A Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the
BIG-IP Configuration utility. (CVE-2020-5903)

Impact

An attacker can exploit this vulnerability to run JavaScript in the context of
the currently logged-in user. In the case of an administrative user with access
to the Advanced Shell (bash), successful exploitation of this vulnerability can
be leveraged to completely compromise the BIG-IP system through Remote Code
Execution.

Security Advisory Status

F5 Product Development has assigned ID 895881 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+----------------+------+----------+----------+----------+------+-------------+
|                |      |Versions  |Fixes     |          |CVSSv3|Vulnerable   |
|Product         |Branch|known to  |introduced|Severity  |score^|component or |
|                |      |be        |in        |          |1     |feature      |
|                |      |vulnerable|          |          |      |             |
+----------------+------+----------+----------+----------+------+-------------+
|                |15.x  |15.0.0 -  |15.1.0.4  |          |      |             |
|                |      |15.1.0    |          |          |      |             |
|                +------+----------+----------+          |      |             |
|                |14.x  |14.1.0 -  |14.1.2.6  |          |      |             |
|BIG-IP (LTM,    |      |14.1.2    |          |          |      |             |
|AAM, AFM,       +------+----------+----------+          |      |TMUI/        |
|Analytics, APM, |13.x  |13.1.0 -  |13.1.3.4  |High      |7.5   |Configuration|
|ASM, DNS, FPS,  |      |13.1.3    |          |          |      |utility      |
|GTM, Link       +------+----------+----------+          |      |             |
|Controller, PEM)|12.x  |12.1.0 -  |12.1.5.2  |          |      |             |
|                |      |12.1.5    |          |          |      |             |
|                +------+----------+----------+          |      |             |
|                |11.x  |None      |Not       |          |      |             |
|                |      |          |applicable|          |      |             |
+----------------+------+----------+----------+----------+------+-------------+
|                |7.x   |None      |Not       |          |      |             |
|                |      |          |applicable|          |      |             |
|BIG-IQ          +------+----------+----------+          |      |             |
|Centralized     |6.x   |None      |Not       |Not       |None  |None         |
|Management      |      |          |applicable|vulnerable|      |             |
|                +------+----------+----------+          |      |             |
|                |5.x   |None      |Not       |          |      |             |
|                |      |          |applicable|          |      |             |
+----------------+------+----------+----------+----------+------+-------------+
|Traffix SDC     |5.x   |None      |Not       |Not       |None  |None         |
|                |      |          |applicable|vulnerable|      |             |
+----------------+------+----------+----------+----------+------+-------------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you should permit management access to F5
products only over a secure network, and limit shell access to only trusted
users. For more information about securing access to BIG-IP and Enterprise
Manager systems, refer to K13309: Restricting access to the Configuration
utility by source IP address (11.x - 15.x) and K13092: Overview of securing
access to the BIG-IP system.
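The following is an added example, not F5 code, that audits the two
management-plane allow lists the mitigation above depends on: which sources
may reach the Configuration utility (httpd) and the shell (sshd). It assumes
the block shape printed by tmsh list /sys httpd allow and tmsh list /sys sshd
allow (with the token All meaning unrestricted), that tmsh modify /sys
<service> allow replace-all-with { ... } is the corresponding write command
as described in K13309, and the severity thresholds and sample outputs are
constructed for illustration.

```python
"""Audit the BIG-IP management-plane allow lists (httpd = Configuration
utility, sshd = shell) that K13309 tells you to restrict.

Added example; not F5 code.  It assumes the output shape of
`tmsh list /sys httpd allow` / `tmsh list /sys sshd allow`:

    sys httpd {
        allow { 10.0.0.0/8 192.0.2.10 }
    }

with the token All meaning unrestricted, and that
`tmsh modify /sys <service> allow replace-all-with { ... }` (K13309) is the
write command.  Thresholds, severity labels and the sample outputs are
constructed for illustration.
"""
import ipaddress
import re
import subprocess

ALLOW_RE = re.compile(r"sys\s+(httpd|sshd)\s*\{.*?allow\s*\{([^}]*)\}", re.S)
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                          "fc00::/7")]
MAX_HOSTS = 1024   # assumed threshold: wider ranges are flagged as broad


def parse_allow(tmsh_output):
    """Return (service, [entries]) from a tmsh list block."""
    m = ALLOW_RE.search(tmsh_output)
    if not m:
        raise ValueError("no 'sys httpd|sshd { allow { ... } }' block found")
    return m.group(1), m.group(2).split()


def _is_private(net):
    return net.is_loopback or any(
        net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)


def audit_allow_list(tmsh_output, max_hosts=MAX_HOSTS):
    """Grade every entry; findings is empty when the list is tight."""
    service, entries = parse_allow(tmsh_output)
    findings = []
    for entry in entries:
        if entry.lower() == "all":
            findings.append({"entry": entry, "severity": "CRITICAL",
                             "reason": "unrestricted management access"})
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append({"entry": entry, "severity": "WARN",
                             "reason": "unparseable entry"})
            continue
        if net.prefixlen == 0:
            findings.append({"entry": entry, "severity": "CRITICAL",
                             "reason": "zero-length prefix is equivalent to All"})
        elif not _is_private(net):
            findings.append({"entry": entry, "severity": "WARN",
                             "reason": "public source range"})
        elif net.num_addresses > max_hosts:
            findings.append({"entry": entry, "severity": "WARN",
                             "reason": f"broad range ({net.num_addresses} hosts)"})
    return {"service": service, "entries": entries, "findings": findings}


def fix_command(service, allowed):
    """The tmsh command that replaces the allow list (syntax from K13309)."""
    return f"tmsh modify /sys {service} allow replace-all-with {{ {' '.join(allowed)} }}"


def live_audit(service="httpd"):
    """Run on the BIG-IP itself; needs tmsh on PATH."""
    out = subprocess.run(["tmsh", "list", "/sys", service, "allow"],
                         capture_output=True, text=True, check=True).stdout
    return audit_allow_list(out)


# Constructed sample outputs (not captured from a real device).
SAMPLE_DEFAULT = "sys httpd {\n    allow { All }\n}\n"
SAMPLE_TIGHT = "sys sshd {\n    allow { 10.20.0.0/24 10.20.1.5 }\n}\n"
SAMPLE_LOOSE = "sys httpd {\n    allow { 0.0.0.0/0 203.0.113.0/24 10.0.0.0/8 }\n}\n"

if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_TIGHT, SAMPLE_LOOSE):
        result = audit_allow_list(sample)
        print(result["service"], result["entries"], result["findings"])
    print(fix_command("httpd", ["10.20.0.0/24", "10.20.1.5"]))
```

An empty findings list is the goal for both services; anything graded
CRITICAL means the Configuration utility or SSH is reachable from any
source, which is exactly the exposure that turns a post-authentication XSS
like CVE-2020-5903 into a remote problem. Apply the generated tmsh command
from a console or an already-allowed address, since replacing the list
drops sessions from everywhere else.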

Acknowledgements

F5 would like to acknowledge Mikhail Klyuchnikov of Positive Technologies for
bringing this issue to our attention and for following the highest standards of
coordinated disclosure.

Supplemental Information

  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- - ------------------------------------------------------------------------------

K82518062: BIG-IP SCP vulnerability CVE-2020-5906

Security Advisory

Original Publication Date: 01 Jul, 2020

Security Advisory Description

The BIG-IP system does not properly enforce the access controls for the
scp.blacklist files. This allows Admin and Resource Admin users with Secure
Copy (SCP) protocol access to read and overwrite blacklisted files via SCP.
(CVE-2020-5906)

Impact

Authenticated users with access to the SCP utility, which is an OpenSSH tool,
but without full file system or Advanced Shell (bash) access, can read and
overwrite certain configuration files that are otherwise restricted through
SCP.

Security Advisory Status

F5 Product Development has assigned ID 860477 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |None      |14.0.0    |          |      |          |
|BIG-IP (LTM, AAM,  +------+----------+----------+          |      |SCP (a    |
|AFM, Analytics,    |13.x  |13.1.0 -  |13.1.3.4  |          |      |component |
|APM, ASM, DNS, FPS,|      |13.1.3    |          |Medium    |5.4   |of        |
|GTM, Link          +------+----------+----------+          |      |OpenSSH)  |
|Controller, PEM)   |12.x  |12.1.0 -  |12.1.5.2  |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.6.1 -  |None      |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

Supplemental Information

  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- - ------------------------------------------------------------------------------


K33023560: BIG-IP APM Linux Edge Client logging vulnerability CVE-2020-5908

Security Advisory

Original Publication Date: 01 Jul, 2020

Security Advisory Description

BIG-IP APM Edge Client for Linux exposes the full session ID in the local log
files. (CVE-2020-5908)

Impact

This vulnerability may allow unauthorized disclosure of the BIG-IP APM session
ID and expose sensitive information to the user of the client device.

Security Advisory Status

F5 Product Development has assigned ID 857669 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |BIG-IP    |
|BIG-IP (APM)       |13.x  |None      |Not       |Low       |3.8   |Linux Edge|
|                   |      |          |applicable|          |      |Client    |
|                   +------+----------+----------+          |      |logging   |
|                   |12.x  |12.1.0 -  |12.1.5.1^2|          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.6.1 -  |None      |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|BIG-IP APM Clients |7.1.x |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |None      |Not       |          |      |          |
|BIG-IP (LTM, AAM,  |      |          |applicable|          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|ASM, DNS, FPS, GTM,|13.x  |None      |Not       |Not       |None  |None      |
|Link Controller,   |      |          |applicable|vulnerable|      |          |
|PEM)               +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
^2To find out if the BIG-IP Edge Client version on your client system is
affected by this vulnerability, refer to the BIG-IP APM and Edge Client major
version table in K13757: BIG-IP Edge Client version matrix.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

Supplemental Information

  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- - -------------------------------------------------------------------------------


K07051153: TMUI vulnerability CVE-2020-5905

Security Advisory

Original Publication Date: 01 Jul, 2020

Security Advisory Description

In the BIG-IP Configuration utility Network > WCCP page, the system does not
sanitize all user-provided data before displaying the page. (CVE-2020-5905)

Impact

Authenticated administrative users with access to this page in the
Configuration utility may inject code into the WCCP pages, resulting in an
XSS-style attack against other administrative users who access the pages.

Security Advisory Status

F5 Product Development has assigned ID 481055 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+----------------+------+----------+----------+----------+------+-------------+
|                |      |Versions  |Fixes     |          |CVSSv3|Vulnerable   |
|Product         |Branch|known to  |introduced|Severity  |score^|component or |
|                |      |be        |in        |          |1     |feature      |
|                |      |vulnerable|          |          |      |             |
+----------------+------+----------+----------+----------+------+-------------+
|                |15.x  |None      |Not       |          |      |             |
|                |      |          |applicable|          |      |             |
|                +------+----------+----------+          |      |             |
|BIG-IP (LTM,    |14.x  |None      |Not       |          |      |             |
|AAM, AFM,       |      |          |applicable|          |      |             |
|Analytics, APM, +------+----------+----------+          |      |Configuration|
|ASM, DNS, FPS,  |13.x  |None      |Not       |Medium    |5.5   |utility      |
|GTM, Link       |      |          |applicable|          |      |             |
|Controller, PEM)+------+----------+----------+          |      |             |
|                |12.x  |None      |12.0.0    |          |      |             |
|                +------+----------+----------+          |      |             |
|                |11.x  |11.6.1 -  |None      |          |      |             |
|                |      |11.6.5    |          |          |      |             |
+----------------+------+----------+----------+----------+------+-------------+
|                |7.x   |None      |Not       |          |      |             |
|                |      |          |applicable|          |      |             |
|BIG-IQ          +------+----------+----------+          |      |             |
|Centralized     |6.x   |None      |Not       |Not       |None  |None         |
|Management      |      |          |applicable|vulnerable|      |             |
|                +------+----------+----------+          |      |             |
|                |5.x   |None      |Not       |          |      |             |
|                |      |          |applicable|          |      |             |
+----------------+------+----------+----------+----------+------+-------------+
|Traffix SDC     |5.x   |None      |Not       |Not       |None  |None         |
|                |      |          |applicable|vulnerable|      |             |
+----------------+------+----------+----------+----------+------+-------------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

Supplemental Information

  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

------------------------------------------------------------------------------

K52145254: TMUI RCE vulnerability CVE-2020-5902

Security Advisory

Original Publication Date: 01 Jul, 2020

Latest Publication Date: 23 Jul, 2020

Security Advisory Description

The Traffic Management User Interface (TMUI), also referred to as the
Configuration utility, has a Remote Code Execution (RCE) vulnerability in
undisclosed pages. (CVE-2020-5902)

Impact

This vulnerability allows for unauthenticated attackers, or authenticated
users, with network access to the Configuration utility, through the BIG-IP
management port and/or self IPs, to execute arbitrary system commands, create
or delete files, disable services, and/or execute arbitrary Java code. This
vulnerability may result in complete system compromise. The BIG-IP system in
Appliance mode is also vulnerable. This issue is not exposed on the data plane;
only the control plane is affected.

Note: All information present on an infiltrated system should be considered
compromised. This includes, but is not limited to, logs, configurations,
credentials, and digital certificates.

Important: If your BIG-IP system has TMUI exposed to the Internet and it does
not have a fixed version of software installed, there is a high probability
that it has been compromised and you should follow your internal incident
response procedures. Refer to the Indicators of compromise section.

Security Advisory Status

F5 Product Development has assigned IDs 895525, 900757, 895981, and 895993
(BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+----------------+------+----------+----------+----------+------+-------------+
|                |      |Versions  |Fixes     |          |CVSSv3|Vulnerable   |
|Product         |Branch|known to  |introduced|Severity  |score^|component or |
|                |      |be        |in        |          |1     |feature      |
|                |      |vulnerable|          |          |      |             |
+----------------+------+----------+----------+----------+------+-------------+
|                |16.x  |None      |16.0.0    |          |      |             |
|                +------+----------+----------+          |      |             |
|                |      |15.1.0    |15.1.0.4^ |          |      |             |
|                |15.x  |15.0.0 -  |15.0.1.4  |          |      |             |
|BIG-IP (LTM,    |      |15.0.1    |          |          |      |             |
|AAM, Advanced   +------+----------+----------+          |      |             |
|WAF, AFM,       |14.x  |14.1.0 -  |14.1.2.6  |          |      |             |
|Analytics, APM, |      |14.1.2    |          |          |      |TMUI/        |
|ASM, DDHD, DNS, +------+----------+----------+Critical  |10.0  |Configuration|
|FPS, GTM, Link  |13.x  |13.1.0 -  |13.1.3.4^+|          |      |utility      |
|Controller, PEM,|      |13.1.3    |          |          |      |             |
|SSLO, CGNAT)    +------+----------+----------+          |      |             |
|                |12.x  |12.1.0 -  |12.1.5.2  |          |      |             |
|                |      |12.1.5    |          |          |      |             |
|                +------+----------+----------+          |      |             |
|                |11.x  |11.6.1 -  |11.6.5.2  |          |      |             |
|                |      |11.6.5    |          |          |      |             |
+----------------+------+----------+----------+----------+------+-------------+
|                |7.x   |None      |Not       |          |      |             |
|                |      |          |applicable|          |      |             |
|BIG-IQ          +------+----------+----------+          |      |             |
|Centralized     |6.x   |None      |Not       |Not       |None  |None         |
|Management      |      |          |applicable|vulnerable|      |             |
|                +------+----------+----------+          |      |             |
|                |5.x   |None      |Not       |          |      |             |
|                |      |          |applicable|          |      |             |
+----------------+------+----------+----------+----------+------+-------------+
|Traffix SDC     |5.x   |None      |Not       |Not       |None  |None         |
|                |      |          |applicable|vulnerable|      |             |
+----------------+------+----------+----------+----------+------+-------------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

^+An issue has been identified with the VIPRION B2250 blade and 13.1.3.4.
Before installing this version on the B2250 blade, review: K02251382: B2250
VIPRION Fails to boot After Upgrade to v13.1.3.4 installed.

^An issue has been identified with some FIPS platforms (5250v-F, 7200v-F,
10200v-F, 10350v-F, i5820-DF, and i7820-DF) and 15.1.0.4. Before installing
this version on these platforms, review: K14635126: FIPS platforms fail to load
configuration after upgrade to 15.1.0.4.

Note: Versions that have reached End of Technical support (EoTS) have not been
evaluated but should be assumed vulnerable. For more information, refer to
K5903: BIG-IP software support policy.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by installing a version listed in
the Fixes introduced in column. If the table lists only an older version than
what you are currently running, or does not list a non-vulnerable version, then
no update candidate currently exists.

If you are using public cloud marketplaces (AWS, Azure, GCP, and Alibaba) to
deploy BIG-IP Virtual Edition (VE), F5 recommends that you install the latest
releases of BIG-IP versions listed in the Fixes introduced in column, subject
to their availability on those marketplaces. See K84554955: Overview of BIG-IP
systems software upgrades.

Mitigation

Important: F5 recommends that you install a fixed software version to fix this
vulnerability.

If it is not possible to update quickly, you can use the following sections as
temporary configuration mitigations until updating is complete:

  o Restrict Access:
      o Self IPs: addresses unauthenticated and authenticated attackers on self
        IPs, by blocking all access
      o Management interface: addresses unauthenticated attackers on the
        management interface, by restricting access
  o TMUI httpd: addresses unauthenticated attackers on all interfaces
      o Command line
      o iControl REST

Important: F5 strongly recommends installing fixed versions of the software to
address the underlying vulnerability. The risk may be mitigated by restricting
access to all TMUI interfaces using the following mitigation steps provided for
self IPs and the management interface.

Restrict Access

Self IPs

You can block all access to the Configuration utility of your BIG-IP system
using self IPs. To do so, you can change the Port Lockdown setting to Allow
None for each self IP in the system. If you must open any ports, you should use
the Allow Custom option, taking care to disallow access to the Configuration
utility. By default, the Configuration utility listens on TCP port 443;
however, beginning in BIG-IP 13.0.0, Single-NIC BIG-IP VE deployments use TCP
port 8443. Alternatively, you can configure a custom port.

Note: Performing this action prevents all access to the Configuration utility
using the self IP. These changes may also impact other services, including
breaking HA configurations.

Before you make changes to the configuration of your self IPs, F5 strongly
recommends that you refer to the following articles:

  o K17333: Overview of port lockdown behavior (12.x - 16.x)
  o K13092: Overview of securing access to the BIG-IP system
  o K31003634: The Configuration utility of the Single-NIC BIG-IP Virtual
    Edition now defaults to TCP port 8443
  o K51358480: The single-NIC BIG-IP VE may erroneously revert to the default
    management httpd port after a configuration reload

Management interface

To mitigate this vulnerability for affected F5 products, you should permit
management access to F5 products only over a secure network. For more
information about securing access to BIG-IP systems, refer to K13309:
Restricting access to the Configuration utility by source IP address (11.x -
16.x) and K13092: Overview of securing access to the BIG-IP system.

Note: Until a fixed release is installed, authenticated users accessing the
Configuration utility will always be able to exploit this vulnerability.

TMUI httpd

Important: This section was last updated on July 8, 2020 at 17:00 Pacific time.

The mitigation provided below is based on the information available to F5 at
this time. It may not be a complete mitigation. However, F5 feels this
information is useful to our customers as it mitigates the unauthenticated
exploits currently known to us. As F5 becomes aware of any future variants, we
will continue to update this article.

To prevent unauthenticated attackers from exploiting this vulnerability, add a
LocationMatch configuration element to httpd. To do so, perform the following
procedure:

Note: Authenticated users will still be able to exploit the vulnerability,
independent of their privilege level.

Impact of workaround: The following mitigation adds an include statement to the
httpd properties. If your httpd properties contain an existing include
statement (the include statement is something other than the default of none),
you need to prepend/append your existing included configuration to the changes,
or it will be overwritten. For example, if your existing include statement is:

include "FileETag MTime Size"

Then you can append the LocationMatch statement in the mitigation to the
existing configuration as follows:

include 'FileETag MTime Size
<LocationMatch ";">
Redirect 404 /
</LocationMatch>
<LocationMatch "hsqldb">
Redirect 404 /
</LocationMatch>
'

You can perform the mitigation locally using the command line or remotely using
the iControl REST interface.

Command line

 1. Log in to the TMOS Shell (tmsh) by entering the following command:

    tmsh

 2. Edit the httpd properties by entering the following command:

    edit /sys httpd all-properties

    Note: Running this command puts you into the vi editor.

 3. Locate the line that starts with include none and replace it with the
    following:

    include '
    <LocationMatch ";">
    Redirect 404 /
    </LocationMatch>
    <LocationMatch "hsqldb">
    Redirect 404 /
    </LocationMatch>
    '

 4. Write and save the changes to the configuration file by entering the
    following vi commands:

    Esc
    :wq!

 5. When further prompted to Save Changes (y/n/e), enter y.
 6. Save the configuration by entering the following tmsh command:

    save /sys config  

 7. To activate the mitigation, restart the httpd service by entering the
    following command:

    restart sys service httpd

 8. To exit tmsh, enter the following command:

    quit

 9. Ensure that the workaround is inserted in the configuration by comparing
    the output of the following command to the configured LocationMatch
    fragment that you inserted in step 3. To do so, enter the following
    command:

    grep -C1 'Redirect 404' /etc/httpd/conf/httpd.conf

    The output should match the following:

    <LocationMatch ";">
    Redirect 404 /
    </LocationMatch>
    <LocationMatch "hsqldb">
    Redirect 404 /
    </LocationMatch>

    Note: You may disregard any leading white spaces.

10. If you have a high availability (HA) configuration, you may now perform a
    ConfigSync operation as documented in K14856: Performing a ConfigSync using
    tmsh. No restart of httpd on the peer system should be required after
    syncing. Confirm the mitigation is working using the
    following instructions.

iControl REST

# Patch the httpd configuration
curl -ku admin:[password] https://[IP Address]/mgmt/tm/sys/httpd \
  -H "Content-Type: application/json" -X PATCH \
  -d '{"include":"\n <LocationMatch \\\";\\\">\n Redirect 404 /\n </LocationMatch>\n <LocationMatch \\\"hsqldb\\\">\n Redirect 404 /\n </LocationMatch>\n "}' | jq .

# Save the system config
curl -ku admin:[password] https://[IP Address]/mgmt/tm/sys/config \
  -H "Content-Type: application/json" -X POST -d '{"command":"save"}' | jq .

# Verify the configuration
curl -ku admin:[password] https://[IP Address]/mgmt/tm/sys/httpd \
  -H "Content-Type: application/json" -X GET | jq .

If you have an HA configuration, you may also synchronize these changes with
the peers:

curl -ku admin:[password] https://[IP Address]/mgmt/tm/cm \
  -H "Content-Type: application/json" -X POST \
  -d '{"command":"run","utilCmdArgs":"config-sync to-group [Device Group Name]"}' | jq .

No restart of httpd on the peer should be required after syncing. Confirm the
mitigation is working using the following instructions.

Note: Running REST commands in rapid succession may cause issues. F5 advises
that you allow time for completion between commands.

Note: This mitigation previously included a step to restart httpd. It has been
determined that the restart is not required when using REST. Furthermore, the
restart command may cause issues with httpd. See K13292945: httpd failing to
start after restarting the service using the iControl REST API.

Note: F5 is aware of customers attempting to mitigate using tmsh modify sys
httpd allow instead of the recommended mitigation above. This has not been an
effective mitigation and devices using this have been compromised.

Verifying the mitigation

You can verify that the mitigation is working by using the following URL
syntax:

  o https://[IP ADDRESS]/tmui/login.jsp/..;/login.jsp
  o https://[IP ADDRESS]/hsqldb%0a

Before applying the mitigation, the pages load. After the mitigation, you
receive 404 responses.

Indicators of compromise

Important: This section was last updated on July 20, 2020 at 20:00 Pacific
time.

This information is based on the evidence F5 has seen on compromised devices,
which we feel are reliable indicators. It is important to note that not all
exploited systems may show the same indicators, and, indeed, a skilled attacker
may be able to remove traces of their work. It is not possible to prove a
device has not been compromised; when there is any uncertainty, you should
consider the device compromised.

All versions

F5 iHealth is updated with heuristics which flag indicators of compromise in
uploaded QKView diagnostic files. Refer to K27404821: Using F5 iHealth to
diagnose vulnerabilities for more information on using F5 iHealth. Through the
DevCentral GitHub, F5 has also released the CVE-2020-5902 IoC Detection Tool.
This is a Python script designed to run on the command line to locally
identify indicators of compromise.

If you are unable to use the CVE-2020-5902 IoC Detection Tool, you may also
perform some of the following checks manually:

  o Look for the creation of aliases for the Advanced Shell (bash); the
    presence of an alias is a strong indicator of a potential compromise. To do
    so, run the following command:

    awk '/^cli.alias/,/^}/' /config/bigip_*.conf

    You may observe results similar to the following:

    cli alias private list {
        command bash
        user root
    }

    If you see results similar to this, it is a possible indicator of
    compromise. You should determine if the result is legitimate for your
    configuration.

  o Check for user 'systems' in /config/bigip_user.conf and /etc/passwd;
    several exploits have created this non-standard user. To do so, run the
    following commands:

    awk '/systems/' /config/bigip_user.conf
    grep -i 'systems' /etc/passwd

  o Examine /var/log/audit for common patterns seen with exploits. To do so,
    run the following command:

    zgrep -e "create cli alias" -e "run /util bash /tmp" \
        -e "list auth user admin" -e "_alias" -e "create auth user" \
        -e "load user credentials for user" /var/log/audit*

    You may see a result similar to the following:

    Jul 14 12:59:57 [REDACTED] notice tmsh[13316]: 01420002:5: AUDIT - pid=13316 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=create cli alias private list command bash

    If this command returns a similar result, it may be a possible indicator of
    compromise. You need to examine the results to determine if you can account
    for them due to legitimate activity.

  o Check for files created in /usr/local/www/ since the CVE announcement. It
    is common for exploit scripts to create files in this directory. If you
    find any files, determine if they can be accounted for from legitimate
    activity. If not, this is a strong indicator of compromise. To check files,
    run the following command:

    touch -t 202006290100 /tmp/kbtime; find /usr/local/www/ -type f -newer /tmp/kbtime -ls;

Additionally, refer to the following articles:

  o K60058401: URI logging with HTTPD to audit requests sent to TMUI / GUI
  o K11438344: Considerations and guidance when you suspect a security
    compromise on a BIG-IP system for an overview

Versions prior to BIG-IP 14.1.0

In versions earlier than BIG-IP 14.1.0, with the default configuration, you can
examine /var/log/audit and /var/log/ltm as follows. There is no supported
mechanism to expose additional log entries.

To examine the logs, use the following command:

zgrep '%tmui' /var/log/audit* /var/log/ltm*

Log entries similar to the following are indicators of possible compromise:

audit.1:Jul  6 15:33:38 [REDACTED] notice tmsh[27903]: 01420002:5: AUDIT - Cannot load user credentials for user "%tmui" Current session has been terminated.
ltm.1:Jul  6 15:33:38 [REDACTED] notice tmsh[27903]: 01420003:5: Cannot load user credentials for user "%tmui" Current session has been terminated.

BIG-IP 14.1.0 and later

In BIG-IP 14.1.0 and later, you can examine the output of journalctl for
evidence of attempts to exploit this vulnerability by entering the following
command in bash:

journalctl /bin/logger | grep -F ';'

The command output may appear similar to the following example on a device
where compromise was attempted; note that some elements are redacted (normally
the complete URL is visible, along with the IP address that sent the request):

Jul 06 12:59:01 hostname logger[29929]: [ssl_acc] nnn.nnn.nnn.nnn - - [06/Jul/2020:12:59:01 +0000] "/[REDACTED]/..;/[REDACTED]" 200 252

If any log entries are shown, this may be an indicator of an attempt to
compromise the BIG-IP system. Take specific note of the second-to-last value in
the line, in this case 200, which is the HTTP response code. A 200 indicates
that the request was successful, which is a strong indicator of a successful
exploit. A 404 response code means the requested item was not found; this may
be a sign of an attempted compromise or of a scanner being run against the
device. You may also see 404 requests logged on devices using the mitigation or
running fixed software: the requests are still being made, but they are
unsuccessful.

Note: Journal log entries are rotating and limited to ~20 MB and therefore may
contain limited historical information.

Note: These log entries are only created by unauthenticated attacks.
Authenticated attackers do not leave this record behind.
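The log and configuration checks described in this section, reimplemented as an added Python example (this is not F5's CVE-2020-5902 IoC Detection Tool or any other F5 code). The sample log lines, the hostname `bigip1`, the documentation-range addresses and the `cli alias` stanza are constructed to match the redacted formats shown above.

```python
"""Added example (not F5's IoC Detection Tool): the advisory's manual IoC
checks as Python functions, run over constructed sample log and config data."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Audit/ltm log patterns from the advisory's zgrep commands; first match wins.
AUDIT_PATTERNS = ("create cli alias", "run /util bash /tmp",
                  "list auth user admin", "_alias", "create auth user",
                  "load user credentials for user", "%tmui")

# `journalctl /bin/logger` line shape shown in the advisory:
#   ... logger[pid]: [ssl_acc] <client> - - [<timestamp>] "<uri>" <status> <bytes>
SSL_ACC_RE = re.compile(
    r'\[ssl_acc\]\s+(?P<client>\S+)\s+-\s+-\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<uri>[^"]*)"\s+(?P<status>\d{3})\s+(?P<bytes>\d+|-)')

# One bigip.conf "cli alias <scope> <name> { ... }" stanza.
CLI_ALIAS_RE = re.compile(r"^cli alias (\S+) (\S+) \{\n(.*?)^\}", re.M | re.S)

@dataclass
class Finding:
    check: str     # which check produced the finding
    severity: str  # "strong" or "possible", following the advisory's wording
    pattern: str   # what matched
    detail: str    # the offending line or value

def check_ssl_acc(lines: List[str]) -> List[Finding]:
    """Requests whose URI carries the ';' path-segment marker. Per the advisory
    a 200 is a strong indicator of success; a 404 is an attempt or scan."""
    findings = []
    for line in lines:
        m = SSL_ACC_RE.search(line)
        if m is None or ";" not in m.group("uri"):
            continue
        status = int(m.group("status"))
        findings.append(Finding("ssl_acc", "strong" if status == 200 else "possible",
                                f"status {status}", f'{m.group("client")} {m.group("uri")}'))
    return findings

def check_audit(lines: List[str]) -> List[Finding]:
    """The advisory's /var/log/audit and /var/log/ltm greps in one pass."""
    findings = []
    for line in lines:
        for pattern in AUDIT_PATTERNS:
            if pattern in line:
                findings.append(Finding("audit", "possible", pattern, line.strip()))
                break
    return findings

def find_cli_aliases(conf_text: str) -> List[Tuple[str, str, str]]:
    """Equivalent of awk '/^cli.alias/,/^}/': (scope, alias, aliased command) for
    every cli alias stanza; the advisory treats any alias as a strong indicator."""
    aliases = []
    for scope, name, body in CLI_ALIAS_RE.findall(conf_text):
        cmd = re.search(r"^\s*command\s+(.+?)\s*$", body, re.M)
        aliases.append((scope, name, cmd.group(1) if cmd else ""))
    return aliases

# Constructed samples: documentation-range addresses, an invented hostname, and
# the advisory's redacted URI form.
SSL_ACC_SAMPLE = [
    'Jul 06 12:59:01 bigip1 logger[29929]: [ssl_acc] 203.0.113.10 - - '
    '[06/Jul/2020:12:59:01 +0000] "/[REDACTED]/..;/[REDACTED]" 200 252',
    'Jul 06 13:02:17 bigip1 logger[29929]: [ssl_acc] 203.0.113.22 - - '
    '[06/Jul/2020:13:02:17 +0000] "/[REDACTED]/..;/[REDACTED]" 404 0',
    'Jul 06 13:05:40 bigip1 logger[29929]: [ssl_acc] 192.0.2.5 - - '
    '[06/Jul/2020:13:05:40 +0000] "/tmui/login.jsp" 200 4417',
]
AUDIT_SAMPLE = [
    "Jul 14 12:59:57 bigip1 notice tmsh[13316]: 01420002:5: AUDIT - pid=13316 "
    "user=root folder=/Common module=(tmos)# status=[Command OK] "
    "cmd_data=create cli alias private list command bash",
    "Jul  6 15:33:38 bigip1 notice tmsh[27903]: 01420002:5: AUDIT - Cannot load "
    'user credentials for user "%tmui" Current session has been terminated.',
    "Jul  6 15:40:02 bigip1 notice tmsh[27950]: 01420002:5: AUDIT - pid=27950 "
    "user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual",
]
BIGIP_CONF_SAMPLE = """\
cli alias private list {
    command bash
    user root
}
"""

def run_all() -> dict:
    """Run every check on the samples, print them, and count per severity."""
    findings = check_ssl_acc(SSL_ACC_SAMPLE) + check_audit(AUDIT_SAMPLE)
    findings += [Finding("cli_alias", "strong", "cli alias", f"{s} {n} -> {c}")
                 for s, n, c in find_cli_aliases(BIGIP_CONF_SAMPLE)]
    for f in findings:
        print(f"[{f.severity:8}] {f.check}: {f.pattern} :: {f.detail}")
    return {"strong": sum(f.severity == "strong" for f in findings),
            "possible": sum(f.severity == "possible" for f in findings)}

if __name__ == "__main__":
    run_all()
```

Every hit still needs the manual review the advisory calls for; as it notes, a 404 is also what a mitigated or fixed system logs, and a clean run proves nothing on a device an attacker has already cleaned up.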

Other indicators of compromise may include unexpected modifications to any
files, configurations, or running processes. F5 has iHealth heuristics designed
to detect unknown processes running (Heuristic H511618) and also heuristics
designed to detect when the Configuration utility has been exposed to the
Internet through the management interface (H444724) or when a self IP address
has Port Lockdown set to Allow All (H458565).

Note: A lack of log entries or heuristic reports does not categorically
indicate that a unit has not been compromised. A skilled attacker can remove
evidence of compromise, including log files, following successful exploitation.

Acknowledgements

F5 would like to acknowledge Mikhail Klyuchnikov of Positive Technologies for
bringing this issue to our attention and for following the highest standards of
coordinated disclosure.

F5 would like to acknowledge Rich Mirch, Senior Adversarial Engineer, and Chase
Dardaman, Senior Adversarial Engineer, from TeamARES of Critical Start, Inc.
for bringing an issue with the original mitigation to our attention and for
following the highest standards of coordinated disclosure.

Supplemental Information

  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K84554955: Overview of BIG-IP systems software upgrades
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K46122561: Restricting access to the management port using network firewall
    rules
  o K11438344: Considerations and guidance when you suspect a security
    compromise on a BIG-IP system
  o DevCentral: Traffic Management User Interface Vulnerability: How to
    mitigate

------------------------------------------------------------------------------

K31301245: TMUI CSRF vulnerability CVE-2020-5904

Security Advisory

Original Publication Date: 01 Jul, 2020

Latest Publication Date: 08 Jul, 2020

Security Advisory Description

A cross-site request forgery (CSRF) vulnerability in the Traffic Management
User Interface (TMUI), also referred to as the Configuration utility, exists in
an undisclosed page. (CVE-2020-5904)

Impact

An attacker may be able to use the session of an administrator user to execute
TMOS Shell (tmsh) commands on the BIG-IP system. This vulnerability affects
only the control plane, and an administrator user must be logged in for the
exploit to be possible.

Security Advisory Status

F5 Product Development has assigned ID 905905 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+----------------+------+----------+----------+----------+------+-------------+
|                |      |Versions  |Fixes     |          |CVSSv3|Vulnerable   |
|Product         |Branch|known to  |introduced|Severity  |score^|component or |
|                |      |be        |in        |          |1     |feature      |
|                |      |vulnerable|          |          |      |             |
+----------------+------+----------+----------+----------+------+-------------+
|                |16.x  |None      |16.0.0    |          |      |             |
|                +------+----------+----------+          |      |             |
|                |15.x  |15.0.0 -  |15.1.0.4  |          |      |             |
|                |      |15.1.0    |          |          |      |             |
|                +------+----------+----------+          |      |             |
|BIG-IP (LTM,    |14.x  |14.1.0 -  |14.1.2.6  |          |      |             |
|AAM, AFM,       |      |14.1.2    |          |          |      |             |
|Analytics, APM, +------+----------+----------+High      |8.8   |Configuration|
|ASM, DNS, FPS,  |13.x  |13.1.0 -  |13.1.3.4  |          |      |utility      |
|GTM, Link       |      |13.1.3    |          |          |      |             |
|Controller, PEM)+------+----------+----------+          |      |             |
|                |12.x  |12.1.0 -  |12.1.5.2  |          |      |             |
|                |      |12.1.5    |          |          |      |             |
|                +------+----------+----------+          |      |             |
|                |11.x  |None      |Not       |          |      |             |
|                |      |          |applicable|          |      |             |
+----------------+------+----------+----------+----------+------+-------------+
|                |7.x   |None      |Not       |          |      |             |
|                |      |          |applicable|          |      |             |
|BIG-IQ          +------+----------+----------+          |      |             |
|Centralized     |6.x   |None      |Not       |Not       |None  |None         |
|Management      |      |          |applicable|vulnerable|      |             |
|                +------+----------+----------+          |      |             |
|                |5.x   |None      |Not       |          |      |             |
|                |      |          |applicable|          |      |             |
+----------------+------+----------+----------+----------+------+-------------+
|Traffix SDC     |5.x   |None      |Not       |Not       |None  |None         |
|                |      |          |applicable|vulnerable|      |             |
+----------------+------+----------+----------+----------+------+-------------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability for affected F5 products, you should only permit
management access to F5 products over a secure network and limit shell access
to trusted users. For more information about securing access to BIG-IP systems,
refer to K13309: Restricting access to the Configuration utility by source IP
address (11.x - 15.x) and K13092: Overview of securing access to the BIG-IP
system.

Supplemental Information

  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

------------------------------------------------------------------------------

K00091341: TMOS Shell privilege escalation vulnerability CVE-2020-5907

Security Advisory

Original Publication Date: 01 Jul, 2020

Security Advisory Description

An authorized user provided with access only to the TMOS Shell (tmsh) may be
able to conduct arbitrary file read/writes via the built-in sftp functionality.
(CVE-2020-5907)

Impact

A malicious actor who has gained access to a restricted account with tmsh
access (for example, a user who has Terminal Access set to tmsh and not
Advanced shell) may be able to read or write to arbitrary files on the file
system using the built-in sftp functionality and use that access to construct a
privilege escalation attack in order to gain root access to the BIG-IP system.

Security Advisory Status

F5 Product Development has assigned ID 859089 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.1.0.4  |          |      |          |
|                   |      |15.1.0    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.1.0 -  |14.1.2.4  |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|APM, ASM, DNS, FPS,|13.x  |13.1.0 -  |13.1.3.4  |Medium    |6.6   |tmsh      |
|GTM, Link          |      |13.1.3    |          |          |      |          |
|Controller, PEM)   +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |12.1.5.2  |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.5.2 -  |11.6.5.2  |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
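The branch ranges in the table above are easy to misread by hand (for example, 15.1.0.2 is a point release of 15.1.0 and is still below the 15.1.0.4 fix). The following is an added example, not F5's code: it copies the BIG-IP rows of the CVE-2020-5907 table into a small assessment script. The comparison rule (vulnerable when at or above the start of the branch range and below the fix release; anything outside a listed branch reported as "unlisted" rather than safe) is this example's own reading of the table, not something the advisory states.

```python
"""Assess a BIG-IP version string against the CVE-2020-5907 table.

Added example, not F5's code. Ranges are copied from the advisory's
BIG-IP rows; the reading of the columns is an assumption (see lead-in).
"""
import sys
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (branch, first vulnerable release, fix release), per the advisory's table.
# The "last vulnerable" column is implied: the fix is a point release of it.
CVE_2020_5907_BIGIP = [
    ("15.x", "15.0.0", "15.1.0.4"),
    ("14.x", "14.1.0", "14.1.2.4"),
    ("13.x", "13.1.0", "13.1.3.4"),
    ("12.x", "12.1.0", "12.1.5.2"),
    ("11.x", "11.5.2", "11.6.5.2"),
]


def parse_version(text: str) -> Version:
    """'15.1.0.4' -> (15, 1, 0, 4). Rejects anything but dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Version, width: int = 4) -> Version:
    """Right-pad with zeros so 15.1.0 and 15.1.0.0 compare equal."""
    return v + (0,) * (width - len(v))


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, fix): status is 'vulnerable', 'fixed' or 'unlisted'.

    'unlisted' means the table says nothing about this release (another
    major branch, or below the branch's range); do not treat it as safe.
    """
    v = _pad(parse_version(version_text))
    for _branch, low, fix in CVE_2020_5907_BIGIP:
        low_v, fix_v = _pad(parse_version(low)), _pad(parse_version(fix))
        if v[0] != low_v[0]:
            continue  # different major branch
        if low_v <= v < fix_v:
            return "vulnerable", fix
        if v >= fix_v:
            return "fixed", fix  # the fix or a later release on the branch
        return "unlisted", None  # below the listed range, e.g. 11.5.1
    return "unlisted", None


if __name__ == "__main__":
    status, fix = assess(sys.argv[1] if len(sys.argv) > 1 else "15.1.0")
    print(status, "-> upgrade to", fix if fix else "n/a")
```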

Mitigation

To mitigate this vulnerability, you should permit connectivity access to the
affected F5 products only over a secure network and restrict access for the
affected systems to only trusted users. For more information, refer to the
following articles:

  o K13309: Restricting access to the Configuration utility by source IP
    address (11.x - 15.x)
  o K13092: Overview of securing access to the BIG-IP system

Additionally, you can mitigate this vulnerability by enabling Appliance mode
for vulnerable BIG-IP versions. Appliance mode limits the BIG-IP system
administrative access to match that of a typical network appliance and
prohibits use of utilities such as sftp.

Impact of action: Appliance mode is designed to meet the needs of customers in
especially sensitive sectors by limiting the BIG-IP system administrative
access to match that of a typical network appliance and not a multi-user UNIX
device.

For information about Appliance mode, refer to the following article:

  o K12815: Overview of Appliance mode

Acknowledgements

F5 would like to acknowledge Lukasz Mikula of Afine for bringing this issue to
our attention and for following the highest standards of coordinated
disclosure.

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
    systems (11.4.x and later)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----