-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1518
                       MIT Kerberos 5 vulnerability
                             5 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP
                   ARX
                   Enterprise Manager
                   FirePass
                   BIG-IQ
Publisher:         F5
Operating System:  Network Appliance
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4344 CVE-2014-4343 CVE-2014-4342
                   CVE-2014-4341  

Reference:         ESB-2014.1471
                   ESB-2014.1352

Original Bulletin: 
   http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15552.html
   http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15547.html
   http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15553.html
   http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15561.html

Comment: This bulletin contains four (4) F5 security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- ------------------------------------------------------------------------------
SOL15552: MIT Kerberos 5 vulnerability CVE-2014-4341

Security Advisory

Original Publication Date: 09/04/2014

Description

MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a 
denial of service (buffer over-read and application crash) by injecting 
invalid tokens into a GSSAPI application session. (CVE-2014-4341)

Impact

A remote attacker may be able to cause a denial-of-service (DoS) by injecting
invalid tokens into a GSSAPI application session.

Status

F5 Product Development has assigned ID 476157, ID 476871, and ID 476872 (BIG-IP,
BIG-IQ, and Enterprise Manager) and ID 476378 (ARX) to this vulnerability, and
has evaluated the currently supported releases for potential vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product           Versions known      Versions known to   Vulnerable component
                  to be vulnerable    be not vulnerable   or feature

BIG-IP LTM        11.0.0 - 11.6.0     None                Authentication profiles,
                  10.0.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP AAM        11.4.0 - 11.6.0     None                Authentication profiles,
                                                          Configuration utility
                                                          remote authentication

BIG-IP AFM        11.3.0 - 11.6.0     None                Authentication profiles,
                                                          Configuration utility
                                                          remote authentication

BIG-IP Analytics  11.0.0 - 11.6.0     None                Authentication profiles,
                                                          Configuration utility
                                                          remote authentication

BIG-IP APM        11.0.0 - 11.6.0     None                Authentication profiles,
                  10.1.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP ASM        11.0.0 - 11.6.0     None                Authentication profiles,
                  10.0.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP Edge       11.0.0 - 11.3.0     None                Authentication profiles,
Gateway           10.1.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP GTM        11.0.0 - 11.6.0     None                Authentication profiles,
                  10.0.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP Link       11.0.0 - 11.6.0     None                Authentication profiles,
Controller        10.0.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP PEM        11.3.0 - 11.6.0     None                Authentication profiles,
                                                          Configuration utility
                                                          remote authentication

BIG-IP PSM        11.0.0 - 11.4.1     None                Authentication profiles,
                  10.0.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP            11.0.0 - 11.3.0     None                Authentication profiles,
WebAccelerator    10.0.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP WOM        11.0.0 - 11.3.0     None                Authentication profiles,
                  10.0.0 - 10.2.4                         Configuration utility
                                                          remote authentication

ARX               6.0.0 - 6.4.0       None                ARX GUI and client
                                                          authentication

Enterprise        3.0.0 - 3.1.1       None                Configuration utility
Manager           2.1.0 - 2.3.0                           remote authentication

FirePass          7.0.0               None
                  6.0.0 - 6.1.0

BIG-IQ Cloud      4.0.0 - 4.3.0       None                Configuration utility
                                                          remote authentication

BIG-IQ Device     4.2.0 - 4.3.0       None                Configuration utility
                                                          remote authentication

BIG-IQ Security   4.0.0 - 4.3.0       None                Configuration utility
                                                          remote authentication

Recommended action

If the previous table lists a version in the Versions known to be not 
vulnerable column, you can eliminate this vulnerability by upgrading to the 
listed version. If the table does not list any version in the column, then no
upgrade candidate currently exists.

To mitigate this vulnerability, you can restrict communication between the
affected F5 device and the authentication server to an isolated VLAN. This
limits which hosts can inject tokens into the GSSAPI exchange with the
authentication server; it reduces exposure but does not remove the vulnerable
code from the device.
- ------------------------------------------------------------------------------
SOL15547: MIT Kerberos 5 vulnerability CVE-2014-4342

Security Advisory

Original Publication Date: 09/04/2014

Description

MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows remote 
attackers to cause a denial of service (buffer over-read or NULL pointer 
dereference, and application crash) by injecting invalid tokens into a GSSAPI
application session. (CVE-2014-4342)

Impact

A remote attacker may be able to cause a denial-of-service (DoS) (buffer 
over-read or NULL pointer dereference, and application crash) by injecting 
invalid tokens into a GSSAPI application session.

Status

F5 Product Development has assigned ID 476157, 476871, 476872 (BIG-IP, BIG-IQ,
and Enterprise Manager) and ID 476378 (ARX) to this vulnerability, and has 
evaluated the currently supported releases for potential vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product           Versions known      Versions known to   Vulnerable component
                  to be vulnerable    be not vulnerable   or feature

BIG-IP LTM        11.0.0 - 11.6.0     10.0.0 - 10.1.0     Authentication profiles,
                  10.0.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP AAM        11.4.0 - 11.6.0     None                Authentication profiles,
                                                          Configuration utility
                                                          remote authentication

BIG-IP AFM        11.3.0 - 11.6.0     None                Authentication profiles,
                                                          Configuration utility
                                                          remote authentication

BIG-IP Analytics  11.0.0 - 11.6.0     None                Authentication profiles,
                                                          Configuration utility
                                                          remote authentication

BIG-IP APM        11.0.0 - 11.6.0     10.1.0              Authentication profiles,
                  10.1.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP ASM        11.0.0 - 11.6.0     10.0.0 - 10.1.0     Authentication profiles,
                  10.0.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP Edge       11.0.0 - 11.3.0     10.1.0              Authentication profiles,
Gateway           10.1.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP GTM        11.0.0 - 11.6.0     10.0.0 - 10.1.0     Authentication profiles,
                  10.0.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP Link       11.0.0 - 11.6.0     10.0.0 - 10.1.0     Authentication profiles,
Controller        10.0.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP PEM        11.3.0 - 11.6.0     None                Authentication profiles,
                                                          Configuration utility
                                                          remote authentication

BIG-IP PSM        11.0.0 - 11.4.1     10.0.0 - 10.1.0     Authentication profiles,
                  10.0.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP            11.0.0 - 11.3.0     10.0.0 - 10.1.0     Authentication profiles,
WebAccelerator    10.0.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP WOM        11.0.0 - 11.3.0     10.0.0 - 10.1.0     Authentication profiles,
                  10.0.0 - 10.2.4                         Configuration utility
                                                          remote authentication

ARX               6.0.0 - 6.4.0       None                ARX GUI and client
                                                          authentication

Enterprise        3.0.0 - 3.1.1       None                Configuration utility
Manager           2.1.0 - 2.3.0                           remote authentication

FirePass          None                7.0.0               None
                                      6.0.0 - 6.1.0

BIG-IQ Cloud      4.0.0 - 4.3.0       None                Configuration utility
                                                          remote authentication

BIG-IQ Device     4.2.0 - 4.3.0       None                Configuration utility
                                                          remote authentication

BIG-IQ Security   4.0.0 - 4.3.0       None                Configuration utility
                                                          remote authentication

Recommended action

BIG-IP, BIG-IQ, Enterprise Manager

If the previous table lists a version in the Versions known to be not 
vulnerable column, you can eliminate this vulnerability by upgrading to the 
listed version. If the table does not list any version in the column, then no
upgrade candidate currently exists.

To mitigate this vulnerability, you can restrict communication between the 
BIG-IP, BIG-IQ, or Enterprise Manager devices and the remote authentication 
servers to an isolated VLAN.

ARX

If the previous table lists a version in the Versions known to be not 
vulnerable column, you can eliminate this vulnerability by upgrading to the 
listed version. If the table does not list any version in the column, then no
upgrade candidate currently exists.
- ------------------------------------------------------------------------------
SOL15553: Kerberos vulnerability CVE-2014-4343

Security Advisory

Original Publication Date: 09/04/2014

Description

Double free vulnerability in the init_ctx_reselect function in the SPNEGO 
initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 
1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial
of service (memory corruption) or possibly execute arbitrary code via network
traffic that appears to come from an intended acceptor, but specifies a 
security mechanism different from the one proposed by the initiator. 
(CVE-2014-4343)

Impact

An attacker may be able to cause a denial of service (DoS) against an
application that uses Kerberos authentication, or possibly execute arbitrary
code, by sending crafted negotiation traffic that appears to come from the
intended acceptor.

Status

F5 Product Development has assigned ID 476461 (BIG-IP) and ID 476378 (ARX) to
this vulnerability, and has evaluated the currently supported releases for 
potential vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product           Versions known      Versions known to   Vulnerable component
                  to be vulnerable    be not vulnerable   or feature

BIG-IP LTM        None                11.0.0 - 11.6.0     None
                                      10.0.0 - 10.2.4

BIG-IP AAM        None                11.4.0 - 11.6.0     None

BIG-IP AFM        None                11.3.0 - 11.6.0     None

BIG-IP Analytics  None                11.0.0 - 11.6.0     None

BIG-IP APM        11.0.0 - 11.6.0     10.1.0              Authentication profiles,
                  10.1.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP ASM        11.0.0 - 11.6.0     10.0.0 - 10.1.0     Authentication profiles,
                  10.0.0 - 10.2.4                         Configuration utility
                                                          remote authentication

BIG-IP Edge       11.2.1 - 11.3.0     11.0.0 - 11.2.0     WebSSO; Exchange Profile
Gateway                               10.1.0 - 10.2.4

BIG-IP GTM        None                11.0.0 - 11.6.0     None
                                      10.0.0 - 10.2.4

BIG-IP Link       None                11.0.0 - 11.6.0     None
Controller                            10.0.0 - 10.2.4

BIG-IP PEM        None                11.3.0 - 11.6.0     None

BIG-IP PSM        None                11.0.0 - 11.4.1     None
                                      10.0.0 - 10.2.4

BIG-IP            None                11.0.0 - 11.3.0     None
WebAccelerator                        10.0.0 - 10.2.4

BIG-IP WOM        None                11.0.0 - 11.3.0     None
                                      10.0.0 - 10.2.4

ARX               6.0.0 - 6.4.0       None                Client authentication
                                                          using Kerberos

Enterprise        None                3.0.0 - 3.1.1       None
Manager                               2.1.0 - 2.3.0

FirePass          None                7.0.0               None
                                      6.0.0 - 6.1.0

BIG-IQ Cloud      None                4.0.0 - 4.3.0       None

BIG-IQ Device     None                4.2.0 - 4.3.0       None

BIG-IQ Security   None                4.0.0 - 4.3.0       None

Recommended action

You can eliminate this vulnerability by running a version listed in the 
Versions known to be not vulnerable column in the above tables. If the 
Versions known to be not vulnerable column does not list a version that is 
higher than the version you are running, then no upgrade candidate currently 
exists.

BIG-IP APM

To mitigate this vulnerability on the BIG-IP APM system, you can configure the
Kerberos SSO Send Authorization configuration option to use any value except 
Always (default). For information about configuring this option, refer to the
Kerberos Single Sign-On Method chapter of the BIG-IP Access Policy Manager 
Single Sign-On Configuration Guide.
- -------------------------------------------------------------------------------
SOL15561: Kerberos vulnerability CVE-2014-4344

Security Advisory

Original Publication Date: 09/04/2014

Description

The acc_ctx_cont function in the SPNEGO acceptor in 
lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 
1.12.x before 1.12.2 allows remote attackers to cause a denial of service 
(NULL pointer dereference and application crash) via an empty continuation 
token at a certain point during a SPNEGO negotiation. (CVE-2014-4344)
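The following Python is an added example and is not code from MIT krb5, F5, or
the original advisory. It parses a SPNEGO NegTokenResp (RFC 4178) strictly and
turns the three input classes described in this bulletin into explicit
rejections rather than crashes: a declared DER length larger than the bytes
actually present (the buffer over-read class behind CVE-2014-4341 and
CVE-2014-4342, shown here in general terms rather than as the specific krb5
code paths), an acceptor that names a mechanism other than the initiator's
preferred one (the reselect path in which CVE-2014-4343 occurred; a legal
negotiation step that is flagged so the caller handles it deliberately), and a
continuation token that carries no inner mechanism token (the CVE-2014-4344
input). The mechanism OIDs are the standard Kerberos, MS-Kerberos, SPNEGO and
NTLMSSP values; the function names, the OFFERED list, the placeholder inner
token and every sample token are constructed for this example.

```python
# Strict SPNEGO NegTokenResp validation (RFC 4178). Added example for this bulletin,
# not code from MIT krb5, F5 or AusCERT; sample tokens are constructed, not captured.

# DER-encoded OID contents (without the 0x06 tag), as carried in a MechTypeList.
SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
ACCEPT_COMPLETED, ACCEPT_INCOMPLETE, REJECT, REQUEST_MIC = range(4)  # negState values


class SpnegoError(ValueError):
    """Token refused; a GSS-API layer would report GSS_S_DEFECTIVE_TOKEN."""

def tlv(tag, value):                    # short-form DER encoder; samples are < 128 bytes
    return bytes([tag, len(value)]) + value

def build_neg_token_resp(neg_state, supported_mech=None, response_token=None):
    fields = tlv(0xA0, tlv(0x0A, bytes([neg_state])))      # [0] negState ENUMERATED
    if supported_mech is not None:
        fields += tlv(0xA1, tlv(0x06, supported_mech))      # [1] supportedMech OID
    if response_token is not None:
        fields += tlv(0xA2, tlv(0x04, response_token))      # [2] responseToken OCTET STRING
    return tlv(0xA1, tlv(0x30, fields))                     # negTokenResp [1] SEQUENCE

def read_tlv(buf, pos):
    """Read one DER TLV, checking every declared length against the bytes present."""
    if pos + 2 > len(buf):
        raise SpnegoError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                        # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise SpnegoError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):        # trusting this length is the over-read class
        raise SpnegoError("declared length %d exceeds %d bytes present"
                          % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length

def read_single(buf, want_tag, what):   # exactly one TLV of this tag, filling buf
    tag, value, end = read_tlv(buf, 0)
    if tag != want_tag or end != len(buf):
        raise SpnegoError("%s is malformed" % what)
    return value

def parse_neg_token_resp(token, offered_mechs, expect_mech_token):
    """offered_mechs: our MechTypeList, preferred first.  expect_mech_token: True
    mid-negotiation, when the peer must carry an inner mechanism token."""
    seq = read_single(read_single(token, 0xA1, "NegTokenResp"), 0x30, "NegTokenResp body")
    fields, pos = {}, 0
    while pos < len(seq):
        tag, value, pos = read_tlv(seq, pos)
        if tag not in (0xA0, 0xA1, 0xA2, 0xA3) or tag in fields:
            raise SpnegoError("unexpected or duplicate field tag 0x%02x" % tag)
        fields[tag] = value
    out = {"neg_state": None, "supported_mech": None, "response_token": None, "reselected": False}
    if 0xA0 in fields:
        state = read_single(fields[0xA0], 0x0A, "negState")
        if len(state) != 1 or state[0] > REQUEST_MIC:
            raise SpnegoError("negState out of range")
        out["neg_state"] = state[0]
    if 0xA1 in fields:
        mech = read_single(fields[0xA1], 0x06, "supportedMech")
        if mech not in offered_mechs:
            raise SpnegoError("acceptor selected a mechanism we never offered")
        out["supported_mech"] = mech
        # Legal but special: the acceptor chose a non-preferred mechanism (the reselect
        # path CVE-2014-4343 sat in); flag it so the caller tears down state exactly once.
        out["reselected"] = mech != offered_mechs[0]
    if 0xA2 in fields:
        out["response_token"] = read_single(fields[0xA2], 0x04, "responseToken")
    if expect_mech_token and not out["response_token"]:   # the CVE-2014-4344 input
        raise SpnegoError("continuation carries no mechanism token")
    return out

def check_token(token, offered_mechs, expect_mech_token=True):
    """Never crash on peer input: ('ok'|'reselect', parsed) or ('reject', reason)."""
    try:
        parsed = parse_neg_token_resp(token, offered_mechs, expect_mech_token)
    except SpnegoError as exc:
        return "reject", str(exc)
    return ("reselect" if parsed["reselected"] else "ok"), parsed

OFFERED = [MS_KRB5, KRB5, NTLMSSP]      # our NegTokenInit mechTypes, preferred first
INNER = b"placeholder-mech-token"       # constructed stand-in for a real AP-REQ
_normal = build_neg_token_resp(ACCEPT_INCOMPLETE, MS_KRB5, INNER)
SAMPLES = {                             # constructed, not captured traffic
    "normal": _normal,
    "reselect": build_neg_token_resp(ACCEPT_INCOMPLETE, NTLMSSP, INNER),
    "empty_continuation": build_neg_token_resp(ACCEPT_INCOMPLETE, MS_KRB5, b""),
    "unoffered_mech": build_neg_token_resp(ACCEPT_INCOMPLETE, SPNEGO, INNER),
    "overlong_length": bytes([_normal[0], _normal[1] + 5]) + _normal[2:],  # lies about size
}

if __name__ == "__main__":
    for name, tok in SAMPLES.items():
        verdict, detail = check_token(tok, OFFERED)
        print("%-19s %-8s %s" % (name, verdict, detail if verdict == "reject" else ""))
```

Run stand-alone, the script prints one verdict per sample. Two design points
matter: the check that supportedMech is on the offered list is RFC 4178
behaviour, but refusing a reselect outright would break legitimate
negotiation, so it is reported to the caller rather than rejected; and the
empty-continuation rule is keyed on negotiation state (expect_mech_token), since
an absent responseToken is valid once the mechanism has completed.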

Impact

An attacker may be able to cause a denial of service (DoS) against an
application that uses Kerberos authentication.

Status

F5 Product Development has assigned ID 476468 (BIG-IP) and ID 476378 (ARX) to
this vulnerability, and has evaluated the currently supported releases for 
potential vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product           Versions known      Versions known to   Vulnerable component
                  to be vulnerable    be not vulnerable   or feature

BIG-IP LTM        None                11.0.0 - 11.6.0     None
                                      10.0.0 - 10.2.4

BIG-IP AAM        None                11.4.0 - 11.6.0     None

BIG-IP AFM        None                11.3.0 - 11.6.0     None

BIG-IP Analytics  None                11.0.0 - 11.6.0     None

BIG-IP APM        11.0.0 - 11.6.0     None                WebSSO; Exchange profile
                  10.1.0 - 10.2.4

BIG-IP ASM        None                11.0.0 - 11.6.0     None
                                      10.0.0 - 10.2.4

BIG-IP Edge       11.0.0 - 11.3.0     None                WebSSO; Exchange Profile
Gateway           10.1.0 - 10.2.4

BIG-IP GTM        None                11.0.0 - 11.6.0     None
                                      10.0.0 - 10.2.4

BIG-IP Link       None                11.0.0 - 11.6.0     None
Controller                            10.0.0 - 10.2.4

BIG-IP PEM        None                11.3.0 - 11.6.0     None

BIG-IP PSM        None                11.0.0 - 11.4.1     None
                                      10.0.0 - 10.2.4

BIG-IP            None                11.0.0 - 11.3.0     None
WebAccelerator                        10.0.0 - 10.2.4

BIG-IP WOM        None                11.0.0 - 11.3.0     None
                                      10.0.0 - 10.2.4

ARX               6.0.0 - 6.4.0       None                Client authentication
                                                          using Kerberos

Enterprise        None                3.0.0 - 3.1.1       None
Manager                               2.1.0 - 2.3.0

FirePass          None                7.0.0               None
                                      6.0.0 - 6.1.0

BIG-IQ Cloud      None                4.0.0 - 4.3.0       None

BIG-IQ Device     None                4.2.0 - 4.3.0       None

BIG-IQ Security   None                4.0.0 - 4.3.0       None

Recommended action

You can eliminate this vulnerability by running a version listed in the 
Versions known to be not vulnerable column in the above tables. If the 
Versions known to be not vulnerable column does not list a version that is 
higher than the version you are running, then no upgrade candidate currently 
exists.

BIG-IP APM

To mitigate this vulnerability on the BIG-IP APM system, you can configure the
Kerberos SSO Send Authorization configuration option to use any value except
Always (default). For information about configuring this option, refer to the
Kerberos Single Sign-On Method chapter of the BIG-IP Access Policy Manager
Single Sign-On Configuration Guide.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVAlBwxLndAQH1ShLAQLQfw//Th2IKpxcRBb9QtV5NwYLkZJc4e1KvCP4
fQwS+nQlXNUPVwqVUUga43Ovamkell1L1W5yADNn75AxYQQjMrrKyeA+QyKbMnUr
F2WbufWXOzYggx1H8swN5BJp71TbR5wy8XUzllbVKSDtYaitfoOUPeIqyJvi+tgD
iBsByYdC7KhSZ472byu3RjmBjA2MoJZaoSxuXfcE/ZKulvJU2jwcGa81pvWt6KF6
Rudkwx0tAK1iPoFE/dhwR6IkQQnyscfFWd4CjTBmEz7A8oLOCEFMb7PNcUioyHr5
eH2eQDBp1caD0uAp9/aX6eYnl0NMGI43XU9W459+f1E511Hmolpv0V0Oy19D4eeY
xiODNgidkUm6Ts++XvDHo1OWjFK99/y4FMA1LLL6qN/GVlVq3St5FReB6Y+PRf/i
RxgcQlYVjQL8DnTYNOyf2AarmRkJEnZ8DhEtrYN/qEU3/VnOgHkc8pbNvi7towup
sCHOgTzztlK4qrtmx0+gxQ4P0QUQ06jtf1msk7goYfW03eVPYsjURp4H49dCeEna
cmxHp+XdWuf8A9O0YhFq97YYOKrx6yBay6YUaWv5npG2B84E13H6ukH0Hk7AMvGl
Jgdp+U4TkAaR9WjKW2EStJUG7COp37hsaskMKPhgceBAshfB8m1abpk4IJkPtHPq
t2OqMhwk7V4=
=lBZs
-----END PGP SIGNATURE-----