ESB-2019.0585 - [Appliance] F5 BIG-IP products: Access confidential data - Remote/unauthenticated 2019-02-26


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0585
           BIG-IP APM web pages may be indexed by search engines
                             26 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://support.f5.com/csp/article/K88126845

- --------------------------BEGIN INCLUDED TEXT--------------------

K88126845:BIG-IP APM web pages may be indexed by search engines

Security Advisory

Original Publication Date: 26 Feb, 2019

Security Advisory Description

This issue occurs when all of the following conditions are met:

  o Users connect to the BIG-IP APM system through the internet.
  o The BIG-IP APM system is reachable by search engines.

Impact

BIG-IP APM web pages may be enumerated and other data may be disclosed.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o Web pages for your BIG-IP APM system are indexed by search engines.

Security Advisory Status

F5 Product Development has assigned ID 449232 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+------------------+---------------------------------------+
|Type of fix       |Fixes introduced  |Related articles                       |
|                  |in                |                                       |
+------------------+------------------+---------------------------------------+
|Release           |11.6.0            |K2200: Most recent versions of F5      |
|                  |                  |software                               |
+------------------+------------------+---------------------------------------+
|Point release/    |None              |None                                   |
|hotfix            |                  |                                       |
+------------------+------------------+---------------------------------------+

Security Advisory Recommended Actions

Workaround

  o Updating the robots.txt file
  o Creating an iRule that responds with the Disallow directive

Updating the robots.txt file

To mitigate this issue, you can instruct web crawlers to avoid the BIG-IP web
pages by updating the robots.txt file. In the robots.txt file on the backend
server that is accessed through the virtual server, add the following lines:

User-Agent: *
Disallow: /

Impact of action: Performing the suggested action should not have a negative
impact on your system.

Creating an iRule that responds with the Disallow directive

To work around this issue using an iRule, you can create a rule that matches
requests for the /robots.txt file and responds with the Disallow directive. To
do so, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a
negative impact on your system.

 1. Log in to the BIG-IP APM Configuration utility.
 2. Navigate to Local Traffic > iRules.
 3. Click Create.
 4. In the Name box, enter a name for the iRule.
 5. In the Definition box, enter the following code:

    # Answer /robots.txt on the BIG-IP itself, so a crawler is told to stay
    # away before it ever reaches an APM page. The path is lower-cased so a
    # request for /ROBOTS.TXT is handled as well.
    when HTTP_REQUEST {
       if { [string tolower [HTTP::path]] ends_with "/robots.txt" } {
          # Serve a robots.txt that disallows every crawler for every path.
          HTTP::respond 200 content "User-agent: *\r\nDisallow: /" "Content-Type" "text/plain"
       }
    }

 6. Click Finished.
 7. Navigate to Local Traffic > Virtual Servers.
 8. In the Resources column, click Edit for the affected virtual server.
 9. Under iRules, click Manage.
10. In the Available box, click the name of the newly created iRule and move it
    to the Enabled box.
11. Click Finished.
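Both workarounds above rely on the same outcome: a request for /robots.txt on the virtual server must come back with a group for every user agent that disallows everything. The script below is an added example (not F5's code, and not part of the K88126845 article) that parses a robots.txt body the way a crawler does and reports whether it blocks all crawling, so an administrator can verify the backend robots.txt or the iRule response after applying either workaround. The fetch_robots helper and all sample bodies are constructed for this example; the hostname in the usage note is a placeholder.

```python
"""Verify that a robots.txt body tells every crawler to stay off the site.

Added example for checking the K88126845 workarounds; not F5 code.
All robots.txt bodies in this file are constructed test inputs.
"""
from __future__ import annotations

import urllib.request

Rule = tuple[str, str]          # ("allow" | "disallow", path)
Group = tuple[list[str], list[Rule]]

# Constructed sample bodies (not captured from any real BIG-IP APM system).
IRULE_RESPONSE = "User-agent: *\r\nDisallow: /"          # what the iRule returns
BACKEND_FILE = "User-Agent: *\nDisallow: /\n"             # the advisory's robots.txt
ADMIN_ONLY = "User-agent: *\nDisallow: /admin\n"          # blocks one path, not the site
PARTIAL_ALLOW = "User-agent: *\nDisallow: /\nAllow: /public\n"
ONE_BOT_ONLY = "User-agent: Googlebot\nDisallow: /\n"     # other crawlers still allowed
WITH_COMMENTS = "# keep crawlers out\nUser-agent: * # everyone\nDisallow: / # all\n"


def parse_robots(body: str) -> list[Group]:
    """Split a robots.txt body into (user-agents, rules) groups.

    A group is a run of one or more User-agent lines followed by its
    Allow/Disallow lines. Field names are matched case-insensitively, so
    'User-Agent' (backend file) and 'User-agent' (iRule) both work; text
    after '#' is a comment. Other fields (Sitemap, Crawl-delay) are ignored.
    """
    groups: list[Group] = []
    agents: list[str] = []
    rules: list[Rule] = []
    reading_agents = False      # True while inside a run of User-agent lines
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if agents and not reading_agents:
                groups.append((agents, rules))   # a new run starts a new group
                agents, rules = [], []
            agents.append(value.lower())
            reading_agents = True
        elif field in ("allow", "disallow"):
            if agents:                           # rules before any agent are dropped
                rules.append((field, value))
            reading_agents = False
    if agents:
        groups.append((agents, rules))
    return groups


def rules_for(body: str, agent: str = "*") -> list[Rule]:
    """Rules that apply to `agent`: an exact agent group wins, else the '*' groups."""
    agent = agent.lower()
    wildcard: list[Rule] = []
    for agents, rules in parse_robots(body):
        if agent in agents:
            return rules
        if "*" in agents:
            wildcard += rules
    return wildcard


def disallows_everything(body: str, agent: str = "*") -> bool:
    """True only if `agent` is forbidden from the site root and nothing is re-allowed.

    'Disallow: /' (or '/*') covers every path; an empty 'Disallow:' means
    allow-all and is ignored; any Allow rule with a path re-opens part of the
    site, which is exactly what the workaround is meant to prevent.
    """
    root_blocked = False
    for field, path in rules_for(body, agent):
        if field == "allow" and path:
            return False
        if field == "disallow" and path in ("/", "/*"):
            root_blocked = True
    return root_blocked


def fetch_robots(base_url: str, timeout: float = 5.0) -> str:
    """Fetch /robots.txt from your own virtual server (hypothetical helper, network)."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/robots.txt", timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for name, body in [("iRule", IRULE_RESPONSE), ("backend", BACKEND_FILE),
                       ("admin-only", ADMIN_ONLY), ("one bot", ONE_BOT_ONLY)]:
        print(f"{name:10s} blocks all crawlers: {disallows_everything(body)}")
```

To check a live virtual server after enabling the iRule, call `disallows_everything(fetch_robots("https://apm.example.invalid"))` with your own hostname in place of the placeholder; a False result means a crawler honouring robots.txt is still permitted to index some APM page.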

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 13.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
