ASB-2012.0088 - [Appliance] F5 FirePass: Execute arbitrary code/commands - Remote with user interaction

Date: 18 June 2012


===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0088
                   FirePass SQL injection vulnerability
                               18 June 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              F5 FirePass
Operating System:     Network Appliance
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Patch/Upgrade
Member content until: Wednesday, July 18 2012

OVERVIEW

        A SQL injection vulnerability has been fixed in F5's FirePass
        Controller.


IMPACT

        F5 has provided the following information about the vulnerability: [1]
        
        "The FirePass controller may not perform adequate user input validation
        on particular fields."
        
        "An unauthenticated attacker may be able to exploit the vulnerability
        by way of SQL injection."


MITIGATION

        Users should either upgrade to a version that is not vulnerable, or
        install FirePass HF-387894-1. [1]


REFERENCES

        [1] SOL13656: FirePass SQL injection vulnerability
            http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13656.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================