ESB-2018.1065 - [Appliance] BIG-IP ASM: Cross-site request forgery - Existing account 2018-04-09

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1065
           The BIG-IP ASM CSRF token may fail to renew when the
                  original web server renews its session
                               9 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP ASM
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Cross-site Request Forgery -- Existing Account
Resolution:        Mitigation

Original Bulletin: 
   https://support.f5.com/csp/article/K70517410

- --------------------------BEGIN INCLUDED TEXT--------------------

K70517410: The BIG-IP ASM CSRF token may fail to renew when the original web
server renews its session

Security Advisory

Original Publication Date: Apr 06, 2018

Applies to (see versions):

  o Product: BIG-IP, BIG-IP ASM
      - 13.1.0, 13.0.0, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.3, 11.6.2,
        11.6.1, 11.6.0, 11.5.5, 11.5.4

Security Advisory Description

This issue occurs when all of the following conditions are met:

  o The BIG-IP ASM cross-site request forgery (CSRF) protection feature is
    enabled in a security policy.
  o The CSRF token (CSRT) expiration time is disabled (by default) in the
    security policy.
  o The original web server (OWS) changes its session.
  o The client browser remains open and the CSRT has not expired or been
    deleted.

Impact

F5 believes that the only potential attack scenario may occur in a shared
desktop environment. If the CSRT remains unchanged across multiple user
sessions in the application, an attacker could log in to a vulnerable website
to collect the CSRT, then log out and wait for the victim to log in, and then
perform a CSRF attack against the victim with the still-live CSRT.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o The CSRT does not renew when the OWS changes its session.

Security Advisory Status

F5 Product Development has assigned ID 683241 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
section of this article. For information about releases, point releases, or
hotfixes that resolve this issue, refer to the following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |None             |None                                    |
+------------------+-----------------+----------------------------------------+
|Point release/    |13.1.0.4         |K9502: BIG-IP hotfix and point release  |
|hotfix            |                 |matrix                                  |
+------------------+-----------------+----------------------------------------+

Security Advisory Recommended Actions

Workaround

To mitigate this issue, you can enable the Expiration Time setting of the CSRF
Protection for the affected security policy. When this setting is enabled, the
CSRT is issued with a default expiration time of 600 seconds, which is a short
enough window to make the attack scenario described above impractical. You can
reduce the expiration time further; however, a shorter CSRT expiration may
cause many false positives in some scenarios. To enable the Expiration Time
setting of the CSRF Protection, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a
negative impact on your system.

 1. Log in to the Configuration utility.
 2. Navigate to Security > Application Security > CSRF Protection.
 3. In the Current edited policy setting, select the security policy you want.
 4. In the Expiration Time setting, select Enabled.
 5. To save the changes, click Save.
 6. When you are ready to deploy the modified policy, click Apply Policy.
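The following is an added illustration, not code from F5 or from BIG-IP ASM, of
the token lifecycle the Impact and Workaround sections describe: a CSRF token
whose validity is decoupled from the original web server's session, and the
effect of turning on an expiration time (the advisory's 600-second default) or
of binding the token to the session identifier. The HMAC construction, the
session identifiers and the timestamps are constructed for the example and are
not how BIG-IP ASM actually generates or stores its CSRT.

```python
"""Model of a CSRF token whose lifetime is independent of the web server's
session, with the two checks that close the gap described in K70517410.

Constructed example: names, key, session identifiers and timestamps are
illustrative assumptions, not BIG-IP ASM internals.
"""
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)   # constructed; per-deployment secret in practice
DEFAULT_TTL = 600                      # advisory's default Expiration Time, in seconds


def _payload(session_id, expires, nonce, bind_session):
    # With bind_session off, the token says nothing about which session issued it,
    # which is the behaviour the advisory describes: the token survives an OWS
    # session change unchanged.
    owner = session_id if bind_session else "-"
    return "{}:{}:{}".format(owner, expires, nonce).encode()


def issue_token(session_id, now, ttl=None, bind_session=False):
    """Issue a CSRF token at time `now` (seconds).

    ttl=None models the 'Expiration Time disabled' default; expires is then 0.
    """
    expires = 0 if ttl is None else int(now) + int(ttl)
    nonce = secrets.token_hex(8)
    mac = hmac.new(SECRET_KEY, _payload(session_id, expires, nonce, bind_session),
                   hashlib.sha256).hexdigest()
    return "{}.{}.{}".format(expires, nonce, mac)


def verify_token(token, session_id, now, bind_session=False):
    """Return True if `token` is acceptable for `session_id` at time `now`."""
    try:
        expires_s, nonce, mac = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False                   # malformed token
    expected = hmac.new(SECRET_KEY, _payload(session_id, expires, nonce, bind_session),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False                   # tampered, or bound to a different session
    return expires == 0 or now < expires


def shared_desktop_scenario(ttl=None, bind_session=False, elapsed=3600):
    """Model the advisory's shared-desktop case.

    A token is issued during session A; `elapsed` seconds later the OWS has
    started session B on the same browser. Returns True if the old token is
    still accepted, i.e. the CSRT failed to renew with the session.
    """
    t0 = 1_000_000.0                   # constructed reference time
    token = issue_token("session-A", t0, ttl, bind_session)
    return verify_token(token, "session-B", t0 + elapsed, bind_session)


if __name__ == "__main__":
    print("no expiry, not bound  :", shared_desktop_scenario())                    # True
    print("600 s expiry, 1 h later:", shared_desktop_scenario(ttl=DEFAULT_TTL))    # False
    print("600 s expiry, 30 s later:", shared_desktop_scenario(ttl=DEFAULT_TTL, elapsed=30))  # True
    print("bound to session      :", shared_desktop_scenario(bind_session=True))   # False
```

The four runs show why the advisory calls the expiration time a mitigation rather
than a fix: with expiry enabled, a token captured within the 600-second window is
still honoured, but one collected before an earlier logout is rejected once the
window closes. Binding the token to the session identifier rejects the stale
token regardless of time, which is the renewal behaviour the advisory says is
missing when the OWS changes its session.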

Acknowledgements

F5 would like to acknowledge Niall Caffrey of the Edgescan company for bringing
this issue to our attention, and for following the highest standards of
responsible disclosure.

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K11930: Overview of the BIG-IP ASM CSRF protection feature


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================