ASB-2012.0007 - [Appliance] BIG-IP LTM: Denial of service - Remote/unauthenticated
Date: 12 January 2012
References: ESB-2011.0870.2, ASB-2011.0076.2, ASB-2012.0009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2012.0007
      A denial of service vulnerability has been fixed in BIG-IP
                              12 January 2012
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              BIG-IP LTM
Operating System:     Network Appliance
Impact/Access:        Denial of Service -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-3192
Member content until: Saturday, February 11 2012
Reference:            ASB-2011.0076.2
                      ESB-2011.0870.2

Comment: Please note that this vulnerability is being actively exploited.

OVERVIEW

        A denial of service vulnerability has been fixed in BIG-IP.

IMPACT

        The National Vulnerability Database describes CVE-2011-3192 as
        follows:

        "The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through
        2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a
        denial of service (memory and CPU consumption) via a Range header
        that expresses multiple overlapping ranges, as exploited in the wild
        in August 2011..." [1]

MITIGATION

        The vendor has provided the following information about the fix:

        "Byte Range requests sent to the Admin GUI or an APM login page are
        now limited to at most 5 byte range sets, to prevent the
        vulnerability described in CVE-2011-3192." [2][3]

        The fix is included in versions 10.2.3 and 11.1.0. [2][3]

REFERENCES

        [1] Vulnerability Summary for CVE-2011-3192
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3192

        [2] Release Note: BIG-IP LTM and TMOS version 10.2.3
            http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes-LTM-10-2-3.html

        [3] Release Note: BIG-IP LTM and TMOS version 11.1.0
            http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-1-0.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTw9/Ju4yVqjM2NGpAQLXTg/+NU1BMlascjtIJDaPiPl7dt0S6HphQh6x
r4v9rOrta2q7yVgfSdVH2W8z9+7tFfzpohi9h9tNfX1mlcgMYq5+3n8dy1kh0DpI
YONcgX2XhxsGp9AE2XFI9PVMeo4jBXAES+aPTwOFVUX3hkGBWfLRf8qiFHOG8IfY
w26Is1EziPslW538KpAC7YqIFtrmV0ATPKAgzo5Htx0hWU0wu9rvVRzo3MdBMaaQ
9SekEDiQTNN8YujHcEYGPkE24Uf1Uhw1Fsb0ePKJIQeiGFGYKY0O42SXCvC7+ETO
HzEeejLEBFCEHvG1rnNB/FH1PUnDwVQg7RQyXX7VxGm8RaVGG4kBdAWNj7DkJKB3
GzVBahe2dyIMieF4fioks6NujJ7/CpCMmNh6S7gBsYQvjGtvh0xrYh0hswtvzQxc
SliRBmn+6+Vm9QRhSdMHtdX7u17OeD+EZOAGBkH8HznNvVyRKsrkydD4V29JwfH/
Df6itbQGZtrJRioai8NoMtMs6vOJG8DsUVvY+VqZqpSood/ztXpcitcVyBn61oxl
SaMFV9EgavJthT2SuEpOTdaNFT0BMtU6kAg2SNv0U2YQKYz/G4CC2lr5j35sqV63
C2KqLWF+IdAW7Q2FzsUa+cQQhiMWyWznqYrfi7mvXoXuPZxDgIGh8U8ZzsiT20wl
1HKcVxKX5h0=
=Ep7c
-----END PGP SIGNATURE-----
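The vendor fix quoted in the bulletin caps a request at 5 byte range sets, and the CVE text describes the abusive pattern as a Range header carrying many overlapping ranges. The following Python is an added example, not code from AusCERT or F5, showing how a front-end filter or a log-review job can apply the same two checks: it parses a Range header, rejects malformed values, counts the range sets against the 5-set limit, and, after resolving suffix and open-ended ranges against a known resource size, flags ranges that overlap. The header values and the tab-separated request log are constructed for the example.

```python
"""Check HTTP Range headers for the pattern behind CVE-2011-3192.

Added example, not code from AusCERT or F5. The sample headers and the
request log below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# The vendor fix quoted in the bulletin caps a request at 5 byte-range sets.
MAX_RANGE_SETS = 5

ByteRange = Tuple[Optional[int], Optional[int]]   # (first-byte-pos, last-byte-pos)
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header: str) -> Optional[List[ByteRange]]:
    """Parse 'bytes=0-99,200-,-500' into (first, last) pairs; None if malformed.
    first=None means a suffix range ("-500"), last=None means "to end of resource"."""
    if not header.lower().startswith("bytes="):
        return None
    ranges: List[ByteRange] = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None                       # "-" or garbage is not a byte-range-spec
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            return None                       # last-byte-pos before first-byte-pos
        ranges.append((first, last))
    return ranges


def resolve_ranges(ranges: List[ByteRange], size: int) -> List[Tuple[int, int]]:
    """Turn suffix and open-ended ranges into concrete [first, last] positions
    for a resource of `size` bytes, dropping unsatisfiable ones."""
    concrete = []
    for first, last in ranges:
        if first is None:                     # suffix range: the last `last` bytes
            if last == 0:
                continue
            first, last = max(size - last, 0), size - 1
        elif last is None or last >= size:
            last = size - 1
        if first < size:
            concrete.append((first, last))
    return concrete


def has_overlap(spans: List[Tuple[int, int]]) -> bool:
    """True if any two [first, last] spans share at least one byte."""
    ordered = sorted(spans)
    return any(nxt[0] <= cur[1] for cur, nxt in zip(ordered, ordered[1:]))


def classify_range_header(header: str, size: int,
                          max_sets: int = MAX_RANGE_SETS) -> str:
    """Return 'ok', 'malformed', 'too_many' (more than max_sets range sets)
    or 'overlapping' (ranges that share bytes, the CVE-2011-3192 pattern)."""
    ranges = parse_byte_ranges(header)
    if ranges is None:
        return "malformed"
    if len(ranges) > max_sets:
        return "too_many"
    if has_overlap(resolve_ranges(ranges, size)):
        return "overlapping"
    return "ok"


# Constructed request log: "client-ip<TAB>Range header value", one request per line.
SAMPLE_LOG = """\
192.0.2.10\tbytes=0-99,200-299
192.0.2.11\tbytes=0-,1-,2-,3-,4-,5-
192.0.2.12\tbytes=0-50,25-75
192.0.2.13\tbytes=5-1
192.0.2.14\tbytes=-100,950-
"""


def scan_request_log(log: str, size: int = 1000) -> List[Tuple[str, str]]:
    """Return (client, verdict) for every request whose Range header is not 'ok'."""
    findings = []
    for line in log.splitlines():
        client, _, header = line.partition("\t")
        verdict = classify_range_header(header, size)
        if verdict != "ok":
            findings.append((client, verdict))
    return findings


if __name__ == "__main__":
    for client, verdict in scan_request_log(SAMPLE_LOG):
        print(f"{client}: {verdict}")
```

The set count is checked before the overlap test so that a header with many ranges is rejected without resolving any of them, which is the cheap check the vendor fix applies; the overlap test needs the resource size because a suffix range such as `-100` and an open-ended range such as `950-` only collide once both are mapped onto concrete byte positions.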