
             AUSCERT External Security Bulletin Redistribution

          SOL82679059: BIG-IP APM SSO vulnerability CVE-2016-3686
                               11 April 2016


        AusCERT Security Bulletin Summary

Product:           F5 BIG-IP APM
                   F5 BIG-IP Edge Gateway
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3686  

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

SOL82679059: BIG-IP APM SSO vulnerability CVE-2016-3686

Security Advisory

Original Publication Date: 04/09/2016

Vulnerability Description

Cleartext SessionID is visible in URL query parameters under some conditions
(CVE-2016-3686 - reserved)


There is a theoretical risk of unauthorized access allowing a security breach.

Security Issue Status

F5 Product Development has assigned ID 522878 (BIG-IP and Enterprise Manager)
to this vulnerability, and has evaluated the currently supported releases for
potential vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 

Product              Versions known to      Versions known to      Severity   Vulnerable component
                     be vulnerable          be not vulnerable                 or feature

BIG-IP APM           11.0.0 - 11.6.0        12.0.0                 Low        SSO
                                            11.6.0 HF6
                                            10.1.0 - 10.2.4

BIG-IP Edge Gateway  11.0.0 - 11.3.0        10.1.0 - 10.2.4        Low        SSO

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable 
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a 
non-vulnerable version, then no upgrade candidate currently exists.

F5 responds to vulnerabilities in accordance with the Severity values 
published in the previous table. The Severity values and other security 
vulnerability parameters are defined in SOL4602: Overview of the F5 security 
vulnerability response policy.

To mitigate this vulnerability, you can create and apply an iRule to the 
affected BIG-IP APM virtual server. To do so, perform the following procedure:

Impact of action: The impact of the suggested workaround depends on the 
specific environment. F5 recommends testing changes during a maintenance 
window, with consideration to the possible impact on your specific 

1. Log in to the Configuration utility.

2. Navigate to Local Traffic > iRules > Create.

3. In the Name box, type a name for the iRule.

For example:


4. In the Definition box, type the following text:


# Response side: a redirect from the SSO flow carries the cleartext session ID
# in the Location header. Replace it with a hash and remember the mapping.
# (The HTTP_RESPONSE / HTTP_REQUEST event wrappers and closing braces are
# supplied here; the quoted advisory text omits them.)
when HTTP_RESPONSE {
    if { [HTTP::is_redirect] } {
        log local0. "Redirect detected with Location header: [HTTP::header Location]"
        set loc [HTTP::header Location]
        if { $loc contains "F5SSO_SID" } {
            # Using F5SSO_SID hashed value inside Location header
            # (+10 skips the 9-character marker and the '=' after it)
            set F5_sid [string range $loc [expr {[string last "F5SSO_SID" $loc] + 10}] [string length $loc]]
            # Note: this debug line writes the cleartext session ID to /var/log/ltm
            log local0. "F5_sid: $F5_sid"
            set shasid [URI::encode [b64encode [sha512 $F5_sid]]]
            # we create one subtable to access the hash from the sessionid
            table add -subtable "sha" $shasid $F5_sid indefinite indefinite
            log local0. "adding sessionID $F5_sid to sha subtable with value $shasid"
            set newloc [string map [list $F5_sid $shasid] $loc]
            log local0. "Location after obfuscation: $newloc"
            HTTP::header replace Location $newloc
            unset loc
            unset newloc
        }
    }
}

# Request side: when the client follows the redirect, swap the hash back for
# the real session ID before the request reaches APM, then steer it to the
# internal virtual server for that host.
when HTTP_REQUEST {
    log local0. "received [HTTP::method] [HTTP::host] [HTTP::uri]"
    if { [HTTP::uri] contains "F5Networks-SSO-Resp" } {
        # Switch F5SSO_SID value back from hash to real value
        log local0. "[HTTP::uri] contains F5Networks-SSO-Resp"
        set newuri2 [HTTP::uri]
        set F5_hash_b64 [string range $newuri2 [expr {[string first "F5SSO_SID=" $newuri2] + [string length "F5SSO_SID="]}] [string length $newuri2]]
        log local0. "F5SSO_SID value in base64 is: $F5_hash_b64"
        # An unknown hash returns an empty string, so the rewritten URI carries no SID
        set lookup_sid [table lookup -subtable "sha" $F5_hash_b64]
        log local0. "lookup_sid is: $lookup_sid"
        set newuri2 [string map [list $F5_hash_b64 $lookup_sid] [HTTP::uri]]
        HTTP::uri $newuri2
        log local0. "URI with SID: $newuri2"
        unset newuri2
        unset lookup_sid
        unset F5_hash_b64
    }
    # route traffic to internal APM VS accordingly
    if { [HTTP::host] == "www.primaryauth.com" } {
        use virtual VS_internal_primaryauth
    } elseif { [HTTP::host] == "www.site.com" } {
        use virtual VS_internal_site1
    }
}

5. Click Finished.

6. Click Virtual Servers.

7. Click the name of the virtual server that is affected by this issue.

8. Click the Resources tab.

9. In the iRules section, click Manage.

10. From the Available column, select the iRule you previously created.

11. Click the << button.

The iRule moves to the Enabled column.

12. Click Finished.
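The mechanism behind the iRule workaround, modelled in Python as an added example so it can be exercised offline (this is not F5's code and is not part of the advisory). It assumes that URI::encode percent-encodes every non-alphanumeric byte, uses a module-level dict in place of the BIG-IP session table, and runs on a constructed redirect using the www.site.com host name and F5SSO_SID / F5Networks-SSO-Resp markers that appear in the iRule itself:

```python
import base64
import hashlib
import urllib.parse

SID_MARKER = "F5SSO_SID="
SSO_RESPONSE_PATH = "F5Networks-SSO-Resp"

# Stand-in for the iRule's "sha" subtable: masked token -> real session ID.
# On BIG-IP this is the shared session table; a dict is enough to run the logic here.
SID_TABLE = {}


def mask_token(sid):
    """Model of [URI::encode [b64encode [sha512 $F5_sid]]].

    Assumption: URI::encode percent-encodes all non-alphanumeric bytes, so the
    '+', '/' and '=' of base64 output become %2B, %2F and %3D in the URL.
    """
    digest = hashlib.sha512(sid.encode("utf-8")).digest()
    b64 = base64.b64encode(digest).decode("ascii")
    return urllib.parse.quote(b64, safe="")


def rewrite_location(location):
    """Response side (the HTTP_RESPONSE part of the iRule).

    Replace the cleartext SID following the last 'F5SSO_SID=' in a redirect
    Location header with its masked token and record the mapping. Headers
    without the marker are returned unchanged.
    """
    pos = location.rfind("F5SSO_SID")
    if pos < 0:
        return location
    sid = location[pos + 10:]  # same offset as the iRule: 9-char marker plus '='
    if not sid:
        return location
    token = mask_token(sid)
    SID_TABLE[token] = sid
    return location.replace(sid, token)


def restore_uri(uri):
    """Request side (the HTTP_REQUEST part of the iRule).

    Only URIs on the SSO response path are touched. The token after
    'F5SSO_SID=' is looked up and swapped for the real SID. An unknown token
    maps to an empty string, as [table lookup] on a missing key does, so a
    stale or made-up token yields a request with no SID at all.
    """
    if SSO_RESPONSE_PATH not in uri:
        return uri
    pos = uri.find(SID_MARKER)
    if pos < 0:
        return uri
    token = uri[pos + len(SID_MARKER):]
    if not token:
        return uri
    return uri.replace(token, SID_TABLE.get(token, ""))


def demo():
    """Round trip on a constructed redirect (not a captured BIG-IP exchange)."""
    sid = "constructed-session-id-0123456789"
    upstream_location = "https://www.site.com/" + SSO_RESPONSE_PATH + "?" + SID_MARKER + sid
    client_sees = rewrite_location(upstream_location)
    # The browser follows the redirect; its request URI carries the token, not the SID.
    request_uri = "/" + client_sees.split("/", 3)[3]
    apm_sees = restore_uri(request_uri)
    return upstream_location, client_sees, apm_sees


if __name__ == "__main__":
    before, masked, restored = demo()
    print("upstream Location :", before)
    print("client sees       :", masked)
    print("APM sees          :", restored)
```

Two properties of the iRule carry over and are worth knowing before deploying it: the extraction runs from the marker to the end of the string, so any query parameter placed after F5SSO_SID= is hashed along with the session ID (the round trip still works because both sides cut at the same point), and the iRule's log lines record the cleartext session ID in /var/log/ltm, which moves the secret from the URL into the log.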

Supplemental Information

SOL9970: Subscribing to email notifications regarding F5 products

SOL9957: Creating a custom RSS feed to view new and updated documents

SOL4602: Overview of the F5 security vulnerability response policy

SOL4918: Overview of the F5 critical issue hotfix policy

SOL167: Downloading software and firmware from F5

SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)

SOL10025: Managing BIG-IP product hotfixes (10.x)

SOL9502: BIG-IP hotfix matrix

SOL15106: Managing BIG-IQ product hotfixes

SOL15113: BIG-IQ hotfix matrix

SOL10322: FirePass hotfix matrix

SOL12766: ARX hotfix matrix

SOL3430: Installing FirePass hotfixes

SOL6664: Obtaining and installing OPSWAT hotfixes

SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.