ESB-2018.1065.2 - UPDATE [Appliance] BIG-IP ASM: Cross-site request forgery - Existing account 2018-06-26


Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

           The BIG-IP ASM CSRF token may fail to renew when the
                  original web server renews its session
                               26 June 2018


        AusCERT Security Bulletin Summary

Product:           BIG-IP ASM
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Cross-site Request Forgery -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:

Revision History:  June  26 2018: Patches have been made available for
                                  affected products.
                   April  9 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K70517410: The BIG-IP ASM CSRF token may fail to renew when the original web
server renews its session

Security Advisory

Original Publication Date: Apr 06, 2018
Updated Date: Jun 26, 2018

Security Advisory Description

This issue occurs when all of the following conditions are met:

  * The BIG-IP ASM cross-site request forgery (CSRF) protection feature is
    enabled in a security policy.
  * The CSRF token (CSRT) expiration time is disabled (by default) in the
    security policy.
  * The original web server (OWS) changes its session.
  * The client browser remains open and the CSRT has not expired or been


F5 believes that the only potential attack scenario may occur in a shared
desktop environment. If the CSRT remains unchanged across multiple user
sessions in the application, an attacker could log in to a vulnerable website
to collect the CSRT, then log out and wait for the victim to log in, and then
perform a CSRF attack against the victim with the still-live CSRT.


As a result of this issue, you may encounter the following symptom:

  * The CSRT does not renew when the OWS changes its session.

Security Advisory Status

F5 Product Development has assigned ID 683241 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

|Type of fix          |Fixes introduced in |Related articles                              |
|Release              |11.5.6              |K2200: Most recent versions of F5 software    |
|Point release/hotfix |                    |K9502: BIG-IP hotfix and point release matrix |

Security Advisory Recommended Actions


To mitigate this issue, you can enable the Expiration Time setting of the CSRF
Protection for the affected security policy. When this setting is enabled, the
CSRT is issued with a default expiration time of 600 seconds, which should be
more than sufficient to reduce the feasibility of an attack. You can further
reduce the expiration time; however, a shorter CSRT expiration may cause many
false positives in some scenarios. To enable the Expiration Time setting of the
CSRF Protection, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a
negative impact on your system.

 1. Log in to the Configuration utility.
 2. Navigate to Security > Application Security > CSRF Protection.
 3. In the Current edited policy setting, select the security policy you want.
 4. In the Expiration Time setting, select Enabled.
 5. To save the changes, click Save.
 6. When you are ready to deploy the modified policy, click Apply Policy.
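As an added illustration (this is not F5 code and does not describe how BIG-IP ASM implements its CSRT internally), the following Python models the two behaviours the advisory contrasts: a token that is merely checked for having been issued, with neither session binding nor expiry, versus one whose MAC covers the current session identifier and that carries a time-to-live. The helper names, the token format and the "sess-A"/"sess-B" session identifiers are constructed for the example; the 600-second default is the value the advisory quotes for the Expiration Time setting.

```python
"""Why a CSRF token (CSRT) must be bound to the current server session and
carry an expiry.  Added example; the token layout and helper names are
assumptions, not the appliance's implementation."""
import hashlib
import hmac
import os
from typing import Optional, Set, Tuple

# Constructed server-side signing key; a real deployment keeps this secret.
_SIGNING_KEY = os.urandom(32)

# Default expiry the advisory gives for the Expiration Time setting.
DEFAULT_CSRT_TTL = 600


def _mac(session_id: str, issued_at: int) -> str:
    """HMAC over the session id and issue time, so a token cannot be forged
    or transplanted onto a different session without the key."""
    msg = f"{session_id}|{issued_at}".encode()
    return hmac.new(_SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def mint_csrt(session_id: str, issued_at: int) -> str:
    """Mint a token of the form '<issued_at>|<hex mac>' for one session."""
    return f"{issued_at}|{_mac(session_id, issued_at)}"


def _split(token: str) -> Optional[Tuple[int, str]]:
    try:
        issued, tag = token.split("|", 1)
        return int(issued), tag
    except ValueError:
        return None


def verify_csrt_legacy(token: str, issued_tokens: Set[str]) -> bool:
    """Models the reported behaviour: the token is accepted as long as it was
    ever issued.  Nothing ties it to the *current* session and nothing ages
    it out, so it survives the origin web server renewing its session."""
    return token in issued_tokens


def verify_csrt(token: str, current_session_id: str, now: int,
                ttl: Optional[int] = DEFAULT_CSRT_TTL) -> bool:
    """Hardened check: the MAC must cover the session the request arrives in,
    and, when a ttl is configured, the token must be younger than ttl seconds.
    ttl=None models the advisory's default of expiration disabled."""
    parts = _split(token)
    if parts is None:
        return False
    issued, tag = parts
    if ttl is not None and now - issued > ttl:
        return False
    expected = _mac(current_session_id, issued)
    return hmac.compare_digest(tag, expected)


def shared_desktop_scenario() -> Tuple[bool, bool, bool, bool, bool]:
    """Replays the advisory's scenario on a shared browser: a token minted in
    session A is presented after the server has moved on to session B."""
    t0 = 1_000_000                      # constructed clock value (seconds)
    token = mint_csrt("sess-A", t0)     # first user's session receives a CSRT
    issued_tokens = {token}             # what a bare 'was it issued?' check sees
    later = t0 + 2 * 3600               # two hours on, a second user logs in

    legacy_accepts_stale = verify_csrt_legacy(token, issued_tokens)
    bound_rejects_new_session = verify_csrt(token, "sess-B", later)
    bound_rejects_expired = verify_csrt(token, "sess-A", later)
    bound_accepts_fresh = verify_csrt(token, "sess-A", t0 + 30)
    # Session binding alone (expiry disabled) still rejects after renewal.
    unexpiring_rejects_new_session = verify_csrt(token, "sess-B", later, ttl=None)
    return (legacy_accepts_stale, bound_rejects_new_session,
            bound_rejects_expired, bound_accepts_fresh,
            unexpiring_rejects_new_session)


if __name__ == "__main__":
    legacy, new_sess, expired, fresh, unexpiring = shared_desktop_scenario()
    print(f"legacy check accepts stale token:           {legacy}")
    print(f"bound check accepts token in new session:   {new_sess}")
    print(f"bound check accepts token after 600 s:      {expired}")
    print(f"bound check accepts fresh token:            {fresh}")
    print(f"unexpiring token accepted in new session:   {unexpiring}")
```

The two defences are independent: binding the MAC to the current session identifier is what makes the token die when the origin web server renews its session, while the time-to-live caps the exposure window even when the session identifier happens to be reused. The advisory's workaround turns on the second of these; the example shows why the first is the property the reported behaviour lacks.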


F5 would like to acknowledge Niall Caffrey of the Edgescan company for bringing
this issue to our attention and for following the highest standards of
responsible disclosure.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

