ESB-2018.0889.3 - UPDATE [Appliance] F5 BIG-IP Products: Denial of service - Remote with user interaction 2018-07-31



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.0889.3
               K34035645:Multiple Wireshark vulnerabilities
                               31 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-7421 CVE-2018-7420 CVE-2018-7419
                   CVE-2018-7418 CVE-2018-7417 CVE-2018-7337
                   CVE-2018-7336 CVE-2018-7335 CVE-2018-7334
                   CVE-2018-7333 CVE-2018-7332 CVE-2018-7331
                   CVE-2018-7330 CVE-2018-7329 CVE-2018-7328
                   CVE-2018-7327 CVE-2018-7326 CVE-2018-7325
                   CVE-2018-7324 CVE-2018-7323 CVE-2018-7322
                   CVE-2018-7321 CVE-2018-7320 

Reference:         ESB-2018.0561

Original Bulletin: 
   https://support.f5.com/csp/article/K34035645

Revision History:  July  31 2018: Fix introduced for BIG-IP product version
                                  12.1.3
                   March 28 2018: Added operating system
                   March 28 2018: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

K34035645: Multiple Wireshark vulnerabilities

Security Advisory



Original Publication Date: Mar 23, 2018
Updated Date: Jul 31, 2018

Applies to (see versions):

  o Product: BIG-IQ, BIG-IQ Centralized Management
      - 5.4.0, 5.3.0, 5.2.0, 5.1.0, 5.0.0, 4.6.0
  o Product: BIG-IP, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM,
    BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP GTM, BIG-IP Link
    Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP WebAccelerator
      - 13.1.0, 13.0.0, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.3, 11.6.2, 11.6.1,
        11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.2.1
  o Product: Enterprise Manager
      - 3.1.1
  o Product: F5 iWorkflow
      - 2.3.0, 2.2.0, 2.1.0, 2.0.2, 2.0.1
  o Product: ARX, ARX
      - 6.4.0, 6.3.0, 6.2.0
  o Product: F5 WebSafe
      - 1.0.0
  o Product: Traffix SDC
      - 5.1.0, 4.4.0, 4.0.5
  o Product: Legacy Products, LineRate
      - 2.6.2, 2.6.1, 2.6.0, 2.5.3, 2.5.2, 2.5.1, 2.5.0
  o Product: BIG-IQ Cloud and Orchestration
      - 1.0.0

Security Advisory Description

  o CVE-2018-7320

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the SIGCOMP protocol
    dissector could crash. This was addressed in epan/dissectors/
    packet-sigcomp.c by validating operand offsets.

  o CVE-2018-7321

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/
    packet-thrift.c had a large loop that was addressed by not proceeding with
    dissection after encountering an unexpected type.

  o CVE-2018-7322

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/
    packet-dcm.c had an infinite loop that was addressed by checking for
    integer wraparound.

  o CVE-2018-7323

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/
    packet-wccp.c had a large loop that was addressed by ensuring that a
    calculated length was monotonically increasing.

  o CVE-2018-7324

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/
    packet-sccp.c had an infinite loop that was addressed by using a correct
    integer data type.

  o CVE-2018-7325

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/
    packet-rpki-rtr.c had an infinite loop that was addressed by validating a
    length field.

  o CVE-2018-7326

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/
    packet-lltd.c had an infinite loop that was addressed by using a correct
    integer data type.

  o CVE-2018-7327

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/
    packet-openflow_v6.c had an infinite loop that was addressed by validating
    property lengths.

  o CVE-2018-7328

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/
    packet-usb.c had an infinite loop that was addressed by rejecting short
    frame header lengths.

  o CVE-2018-7329

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/
    packet-s7comm.c had an infinite loop that was addressed by correcting
    off-by-one errors.

  o CVE-2018-7330

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/
    packet-thread.c had an infinite loop that was addressed by using a correct
    integer data type.

  o CVE-2018-7331

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/
    packet-ber.c had an infinite loop that was addressed by validating a
    length.

  o CVE-2018-7332

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/
    packet-reload.c had an infinite loop that was addressed by validating a
    length.

  o CVE-2018-7333

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/
    packet-rpcrdma.c had an infinite loop that was addressed by validating a
    chunk size.

  o CVE-2018-7334

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the UMTS MAC dissector
    could crash. This was addressed in epan/dissectors/packet-umts_mac.c by
    rejecting a certain reserved value.

  o CVE-2018-7335

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the IEEE 802.11 dissector
    could crash. This was addressed in epan/crypt/airpdcap.c by rejecting
    lengths that are too small.

  o CVE-2018-7336

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the FCP protocol dissector
    could crash. This was addressed in epan/dissectors/packet-fcp.c by checking
    for a NULL pointer.

  o CVE-2018-7337

    In Wireshark 2.4.0 to 2.4.4, the DOCSIS protocol dissector could crash.
    This was addressed in plugins/docsis/packet-docsis.c by removing the
    recursive algorithm that had been used for concatenated PDUs.

  o CVE-2018-7417

    In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the IPMI dissector could
    crash. This was addressed in epan/dissectors/packet-ipmi-picmg.c by adding
    support for crafted packets that lack an IPMI header.

  o CVE-2018-7418

    In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the SIGCOMP dissector
    could crash. This was addressed in epan/dissectors/packet-sigcomp.c by
    correcting the extraction of the length value.

  o CVE-2018-7419

    In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the NBAP dissector could
    crash. This was addressed in epan/dissectors/asn1/nbap/nbap.cnf by ensuring
    DCH ID initialization.

  o CVE-2018-7420

    In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the pcapng file parser
    could crash. This was addressed in wiretap/pcapng.c by adding a block-size
    check for sysdig event blocks.

  o CVE-2018-7421

    In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the DMP dissector could go
    into an infinite loop. This was addressed in epan/dissectors/packet-dmp.c
    by correctly supporting a bounded number of Security Categories for a DMP
    Security Classification.
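
Many of the entries above share one defect class: a dissector loop that trusts a length field, or keeps its offset in an integer type that is too narrow (for example CVE-2018-7324, CVE-2018-7325 and CVE-2018-7326). The C example below is added here for illustration and is not Wireshark or F5 code; the [type][len][payload] record layout, the function names and the sample buffers are all assumptions made for the example.

```c
/* Added illustration, not Wireshark source. Hypothetical record layout:
 * [type:1][len:1][payload], where len counts the whole record. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 2u
#define MAX_STEPS 1000u          /* demo guard so the naive walker returns */
enum { WALK_MALFORMED = -1, WALK_STUCK = -2 };

/* Naive walker: trusts len and keeps the offset in a type that is too narrow. */
int walk_naive(const uint8_t *buf, size_t n)
{
    uint8_t off = 0;             /* wraps back to 0 after 255 */
    unsigned steps = 0;
    int records = 0;
    while (off + HDR_LEN <= n) {
        if (++steps > MAX_STEPS)
            return WALK_STUCK;   /* without the guard this loop never ends */
        off = (uint8_t)(off + buf[off + 1]);  /* len == 0 makes no progress */
        records++;
    }
    return records;
}

/* Checked walker: wide offset, and every len must make progress and fit. */
int walk_checked(const uint8_t *buf, size_t n)
{
    size_t off = 0;
    int records = 0;
    while (n - off >= HDR_LEN) {
        size_t len = buf[off + 1];
        if (len < HDR_LEN || len > n - off)
            return WALK_MALFORMED;
        off += len;
        records++;
    }
    return off == n ? records : WALK_MALFORMED;
}

int main(void)
{
    uint8_t wrap[300] = {0};     /* constructed: records of 128, 128, 44 bytes */
    const uint8_t zero_len[] = {1, 0, 0xAA, 0xBB};  /* constructed: len is 0 */
    wrap[1] = 128; wrap[129] = 128; wrap[257] = 44;
    printf("zero-len: naive=%d checked=%d\n", walk_naive(zero_len, 4), walk_checked(zero_len, 4));
    printf("wrap:     naive=%d checked=%d\n", walk_naive(wrap, 300), walk_checked(wrap, 300));
    return 0;
}
```

The checked walker rejects the zero-length record outright and walks the 300-byte buffer to completion, while the naive one only returns because of the demonstration guard.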

Impact

BIG-IP

A remote attacker can transmit crafted packets while a BIG-IP administrator
account runs the tshark utility with the affected protocol parsers via Advanced
Shell (bash). This causes the tshark utility to stop responding and may allow
remote code execution from the BIG-IP administrator account.

BIG-IQ, Enterprise Manager, F5 iWorkflow, ARX, LineRate, and Traffix SDC

There is no impact; these F5 products are not affected by this vulnerability.

Security Advisory Status

F5 Product Development has assigned ID 710705 (BIG-IP) to this vulnerability.
Additionally, BIG-IP iHealth may list Heuristic H34035645 on the Diagnostics >
Identified > Medium page.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases or hotfixes that
address the vulnerability, refer to the following table. For more information
about security advisory versioning, refer to K51812227: Understanding Security
Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |13.x  |13.1.0    |None      |          |      |          |
|BIG-IP (LTM, AAM,  |      |          |          |          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|APM, ASM, DNS, Edge|12.x  |12.1.3    |12.1.3.6  |          |      |          |
|Gateway, GTM, Link |      |          |          |Medium    |6.4   |Wireshark |
|Controller, PEM,   +------+----------+----------+          |      |          |
|WebAccelerator,    |      |          |Not       |          |      |          |
|WebSafe)           |11.x  |None      |applicable|          |      |          |
|                   |      |          |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|ARX                |6.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |5.x   |None      |Not       |          |      |          |
|BIG-IQ Centralized |      |          |applicable|Not       |      |          |
|Management         +------+----------+----------+vulnerable|None  |None      |
|                   |4.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|BIG-IQ Cloud and   |1.x   |None      |Not       |Not       |None  |None      |
|Orchestration      |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow       |2.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|LineRate           |2.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|Not       |      |          |
|Traffix SDC        +------+----------+----------+vulnerable|None  |None      |
|                   |4.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you can use the tshark utility to perform a
traffic capture to a file instead of using the affected protocol parsers.

Supplemental Information

  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
