Date: 22 June 2009
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2009.0143 AUSCERT Advisory
[Appliance]
f5 FirePass: Cross-site Scripting
22 June 2009
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product: FirePass
Operating System: Network Appliance
Impact: Cross-site Scripting
Access: Remote/Unauthenticated
CVE Names: CVE-2009-2119
Member content until: Friday, July 10 2009
Revision History: June 22 2009: Added CVE
June 12 2009: Initial Release
OVERVIEW:
A security vulnerability has been corrected in f5 FirePass.
IMPACT:
The vendor has provided the following information regarding this
vulnerability:
"A cross-site scripting (XSS) vulnerabilities exist in the FirePass
logon page, which is accessible prior to authentication. The affected
FirePass page fails to fully sanitize HTTP request input before the
web page content is sent to the browser.
It is possible for a remote attacker to create web pages, emails, or
other media containing hyperlinks to the vulnerable FirePass web page.
These hyperlinks may include executable code or other malicious data.
Following one of these hyperlinks to the FirePass controller could
result in malicious code execution on the client side, disclosure of
sensitive information, or other exploits." [1]
FirePass versions 5.5 - 5.5.2 and 6.0 - 6.0.3 are affected. [1]
MITIGATION:
f5 have released a patch to correct this vulnerability which is
available from the vendor's download site. [2]
REFERENCES:
[1] SOL10143: Cross-Site Scripting Vulnerabilities in the FirePass
logon
https://support.f5.com/kb/en-us/solutions/public/10000/100/sol10143.html
[2] f5 Networks - Downloads Overview
https://downloads.f5.com/esd/index.jsp
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFKPt2mNVH5XJJInbgRAohyAJ9bVbdDpFDCoIX1Nc77sWQkafD7OwCfT2wc
jHoPV8JzZ/WV8GzBnBn9hK8=
=Gm+G
-----END PGP SIGNATURE-----
|