===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2719
         K02692210: BIG-IP virtual server with HTTP Explicit Proxy
                 and/or SOCKS vulnerability CVE-2017-6157
                              27 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
                   Virtualisation
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6157

Original Bulletin:
   https://support.f5.com/csp/article/K02692210

- --------------------------BEGIN INCLUDED TEXT--------------------

K02692210: BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS
vulnerability CVE-2017-6157

Security Advisory

Original Publication Date: Oct 27, 2017

Applies to (see versions):

  o Product: BIG-IQ, BIG-IQ Cloud, BIG-IQ Device, BIG-IQ Security, BIG-IQ ADC,
    BIG-IQ Centralized Management
      - 5.3.0, 5.2.0, 5.1.0, 5.0.0, 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0,
        4.0.0
  o Product: BIG-IP, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM,
    BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP GTM, BIG-IP Link
    Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP PSM, BIG-IP WebAccelerator
      - 13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
        11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1
  o Product: Enterprise Manager
      - 3.1.1
  o Product: F5 iWorkflow
      - 2.3.0, 2.2.0, 2.1.0, 2.0.2, 2.0.1, 2.0.0
  o Product: LineRate
      - 2.6.1, 2.6.0, 2.5.2, 2.5.1, 2.5.0
  o Product: ARX
      - 6.4.0, 6.3.0, 6.2.0
  o Product: F5 WebSafe
      - 1.0.0
  o Product: Traffix SDC
      - 5.1.0, 4.4.0, 4.0.5, 4.0.2, 4.0.0
  o Product: BIG-IQ Cloud and Orchestration
      - 1.0.0

Security Advisory Description

BIG-IP virtual servers with a configuration using the HTTP Explicit Proxy
functionality and/or SOCKS profile are vulnerable to an unauthenticated, remote
attack that allows modification of BIG-IP system configuration, extraction of
sensitive system files, and/or possible remote command execution on the BIG-IP
system. (CVE-2017-6157)

Note: This vulnerability covers the scenarios that were not addressed in
K35520031: BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS
vulnerability CVE-2016-5700.

F5 Technical Support has no additional information about this issue.

Impact

When this vulnerability is successfully exploited, a remote attacker may be
able to modify the system configuration or extract sensitive system files.

Security Advisory Status

F5 Product Development has assigned ID 614097 and 614147 (BIG-IP) to this
vulnerability.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

+--------------+-----------+-------------+----------+-------------------------+
|              |Versions   |Versions     |          |                         |
|Product       |known to be|known to be  |Severity  |Vulnerable component or  |
|              |vulnerable |not          |          |feature                  |
|              |           |vulnerable   |          |                         |
+--------------+-----------+-------------+----------+-------------------------+
|              |12.0.0 -   |13.0.0       |          |                         |
|              |12.1.1     |12.1.2       |          |Virtual server with HTTP |
|BIG-IP LTM    |11.6.0 -   |11.6.2       |Medium    |Explicit Proxy and/or a  |
|              |11.6.1     |11.5.5       |          |SOCKS profile enabled    |
|              |11.5.0 -   |11.4.1       |          |                         |
|              |11.5.4     |11.2.1       |          |                         |
+--------------+-----------+-------------+----------+-------------------------+
|              |12.0.0 -   |13.0.0       |          |                         |
|              |12.1.1     |12.1.2       |          |Virtual server with HTTP |
|BIG-IP AAM    |11.6.0 -   |11.6.2       |Medium    |Explicit Proxy and/or a  |
|              |11.6.1     |11.5.5       |          |SOCKS profile enabled    |
|              |11.5.0 -   |11.4.1       |          |                         |
|              |11.5.4     |             |          |                         |
+--------------+-----------+-------------+----------+-------------------------+
|              |12.0.0 -   |13.0.0       |          |                         |
|              |12.1.1     |12.1.2       |          |Virtual server with HTTP |
|BIG-IP AFM    |11.6.0 -   |11.6.2       |Medium    |Explicit Proxy and/or a  |
|              |11.6.1     |11.5.5       |          |SOCKS profile enabled    |
|              |11.5.0 -   |11.4.1       |          |                         |
|              |11.5.4     |             |          |                         |
+--------------+-----------+-------------+----------+-------------------------+
|              |           |13.0.0       |          |                         |
|              |           |12.0.0 -     |          |                         |
|BIG-IP        |None       |12.1.2       |Not       |None                     |
|Analytics     |           |11.4.1 -     |vulnerable|                         |
|              |           |11.6.2       |          |                         |
|              |           |11.2.1       |          |                         |
+--------------+-----------+-------------+----------+-------------------------+
|              |12.0.0 -   |13.0.0       |          |                         |
|              |12.1.1     |12.1.2       |          |Virtual server with HTTP |
|BIG-IP APM    |11.6.0 -   |11.6.2       |Medium    |Explicit Proxy and/or a  |
|              |11.6.1     |11.5.5       |          |SOCKS profile enabled    |
|              |11.5.0 -   |11.4.1       |          |                         |
|              |11.5.4     |11.2.1       |          |                         |
+--------------+-----------+-------------+----------+-------------------------+
|              |12.0.0 -   |13.0.0       |          |                         |
|              |12.1.1     |12.1.2       |          |Virtual server with HTTP |
|BIG-IP ASM    |11.6.0 -   |11.6.2       |Medium    |Explicit Proxy and/or a  |
|              |11.6.1     |11.5.5       |          |SOCKS profile enabled    |
|              |11.5.0 -   |11.4.1       |          |                         |
|              |11.5.4     |11.2.1       |          |                         |
+--------------+-----------+-------------+----------+-------------------------+
|              |           |13.0.0       |Not       |                         |
|BIG-IP DNS    |None       |12.0.0 -     |vulnerable|None                     |
|              |           |12.1.2       |          |                         |
+--------------+-----------+-------------+----------+-------------------------+
|BIG-IP Edge   |None       |11.2.1       |Not       |None                     |
|Gateway       |           |             |vulnerable|                         |
+--------------+-----------+-------------+----------+-------------------------+
|              |           |11.4.1 -     |Not       |                         |
|BIG-IP GTM    |None       |11.6.2       |vulnerable|None                     |
|              |           |11.2.1       |          |                         |
+--------------+-----------+-------------+----------+-------------------------+
|              |12.0.0 -   |13.0.0       |          |                         |
|              |12.1.1     |12.1.2       |          |Virtual server with HTTP |
|BIG-IP Link   |11.6.0 -   |11.6.2       |Medium    |Explicit Proxy and/or a  |
|Controller    |11.6.1     |11.5.5       |          |SOCKS profile enabled    |
|              |11.5.0 -   |11.4.1       |          |                         |
|              |11.5.4     |11.2.1       |          |                         |
+--------------+-----------+-------------+----------+-------------------------+
|              |12.0.0 -   |13.0.0       |          |                         |
|              |12.1.1     |12.1.2       |          |Virtual server with HTTP |
|BIG-IP PEM    |11.6.0 -   |11.6.2       |Medium    |Explicit Proxy and/or a  |
|              |11.6.1     |11.5.5       |          |SOCKS profile enabled    |
|              |11.5.0 -   |11.4.1       |          |                         |
|              |11.5.4     |             |          |                         |
+--------------+-----------+-------------+----------+-------------------------+
|BIG-IP PSM    |None       |11.4.1       |Not       |None                     |
|              |           |             |vulnerable|                         |
+--------------+-----------+-------------+----------+-------------------------+
|BIG-IP        |None       |11.2.1       |Not       |None                     |
|WebAccelerator|           |             |vulnerable|                         |
+--------------+-----------+-------------+----------+-------------------------+
|              |12.0.0 -   |13.0.0       |          |Virtual server with HTTP |
|BIG-IP WebSafe|12.1.1     |12.1.2       |Medium    |Explicit Proxy and/or a  |
|              |11.6.0 -   |11.6.2       |          |SOCKS profile enabled    |
|              |11.6.1     |             |          |                         |
+--------------+-----------+-------------+----------+-------------------------+
|ARX           |None       |6.2.0 - 6.4.0|Not       |None                     |
|              |           |             |vulnerable|                         |
+--------------+-----------+-------------+----------+-------------------------+
|Enterprise    |None       |3.1.1        |Not       |None                     |
|Manager       |           |             |vulnerable|                         |
+--------------+-----------+-------------+----------+-------------------------+
|BIG-IQ Cloud  |None       |4.0.0 - 4.5.0|Not       |None                     |
|              |           |             |vulnerable|                         |
+--------------+-----------+-------------+----------+-------------------------+
|BIG-IQ Device |None       |4.2.0 - 4.5.0|Not       |None                     |
|              |           |             |vulnerable|                         |
+--------------+-----------+-------------+----------+-------------------------+
|BIG-IQ        |None       |4.0.0 - 4.5.0|Not       |None                     |
|Security      |           |             |vulnerable|                         |
+--------------+-----------+-------------+----------+-------------------------+
|BIG-IQ ADC    |None       |4.5.0        |Not       |None                     |
|              |           |             |vulnerable|                         |
+--------------+-----------+-------------+----------+-------------------------+
|BIG-IQ        |           |5.0.0 - 5.3.0|Not       |                         |
|Centralized   |None       |4.6.0        |vulnerable|None                     |
|Management    |           |             |          |                         |
+--------------+-----------+-------------+----------+-------------------------+
|BIG-IQ Cloud  |           |             |Not       |                         |
|and           |None       |1.0.0        |vulnerable|None                     |
|Orchestration |           |             |          |                         |
+--------------+-----------+-------------+----------+-------------------------+
|F5 iWorkflow  |None       |2.0.0 - 2.3.0|Not       |None                     |
|              |           |             |vulnerable|                         |
+--------------+-----------+-------------+----------+-------------------------+
|LineRate      |None       |2.5.0 - 2.6.1|Not       |None                     |
|              |           |             |vulnerable|                         |
+--------------+-----------+-------------+----------+-------------------------+
|Traffix SDC   |None       |5.0.0 - 5.1.0|Not       |None                     |
|              |           |4.0.0 - 4.4.0|vulnerable|                         |
+--------------+-----------+-------------+----------+-------------------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

Only virtual servers with configurations using the HTTP Explicit Proxy
functionality and/or SOCKS profile are vulnerable. The HTTP Explicit Proxy
functionality is enabled when an HTTP profile associated with a virtual server
has the Proxy Mode setting configured with the Explicit value. In the following
HTTP profile configuration snippet example, an HTTP profile is configured with
the Explicit Proxy functionality:

ltm profile http /Common/My_HTTP_explicit_profile {
    app-service none
    defaults-from /Common/http-explicit
    explicit-proxy {
        default-connect-handling allow
        dns-resolver /Common/My_DNS_resolver
    }
    proxy-type explicit
}

The following profile configuration snippet example shows a typical SOCKS
profile:

ltm profile socks My_SOCKS_profile {
    app-service none
    defaults-from socks
    dns-resolver My_DNS_resolver
}

To determine if your BIG-IP system has a virtual server configuration using the
HTTP Explicit Proxy functionality and/or SOCKS profile, perform the following
procedures:

  o Determining the HTTP profiles configured with the Explicit Proxy
    functionality
  o Determining the SOCKS profiles configured on the system
  o Determining the virtual servers that are enabled with the HTTP Explicit
    Proxy functionality and/or SOCKS profile

Determining the HTTP profiles configured with the Explicit Proxy functionality

Impact of action: Performing the following procedure should not have a negative
impact on your system.

 1. Log in to the TMOS Shell (tmsh) by typing the following command:

    tmsh

 2. List the HTTP profiles that are configured with the Explicit Proxy
    functionality by typing the following command:

    list ltm profile http proxy-type | grep -B 1 explicit

 3. Note the names of the HTTP profiles. You will use the noted profile names
    to determine which virtual server is enabled with the HTTP Explicit Proxy
    functionality in the final procedure.

Determining the SOCKS profiles configured on the system

Impact of action: Performing the following procedure should not have a negative
impact on your system.

 1. Log in to tmsh by typing the following command:

    tmsh

 2. List the SOCKS profile configured on your BIG-IP system by typing the
    following command:

    list ltm profile socks

 3. Note the names of the configured SOCKS profiles. You will use the profile
    names to determine which virtual server is enabled with the SOCKS profile
    in the final procedure.

Determining the virtual servers that are enabled with the HTTP Explicit Proxy
functionality and/or SOCKS profile

Impact of action: Performing the following procedure should not have a negative
impact on your system.

 1. Log in to tmsh by typing the following command:

    tmsh

 2. Using the profile names obtained from the previous procedures, determine
    the virtual servers that are enabled with the HTTP Explicit Proxy
    functionality and/or SOCKS profile by using the following command syntax:

    list ltm virtual all profiles | grep -B 2 <profile name>

    For example, you would type the following command to determine which
    virtual server is using the My_HTTP_explicit_profile profile:

    list ltm virtual all profiles | grep -B 2 My_HTTP_explicit_profile

 3. Repeat step 2 for the remaining profile names obtained from previous
    procedures.
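The three procedures above can be run as one check. The following POSIX shell/awk script is an added example, not part of the F5 advisory: it reads saved output of the tmsh commands the advisory uses (assumed to be in the `list` format shown on this page, with /Common/ partition paths) and reports every virtual server that references an HTTP profile with proxy-type explicit or any SOCKS profile. The three files it parses are constructed sample output.

```shell
# Added example (not from the F5 advisory). Save real tmsh output with e.g.
#   tmsh list ltm profile http proxy-type > http.txt
#   tmsh list ltm profile socks > socks.txt
#   tmsh list ltm virtual all profiles > vs.txt
# The files written below are constructed sample output in that format.
TMPD=$(mktemp -d)
cat > "$TMPD/http.txt" <<'EOF'
ltm profile http /Common/My_HTTP_explicit_profile {
    proxy-type explicit
}
ltm profile http /Common/http {
    proxy-type reverse
}
EOF
cat > "$TMPD/socks.txt" <<'EOF'
ltm profile socks /Common/My_SOCKS_profile {
    defaults-from socks
}
EOF
cat > "$TMPD/vs.txt" <<'EOF'
ltm virtual /Common/vs_proxy {
    profiles {
        /Common/My_HTTP_explicit_profile { }
    }
}
ltm virtual /Common/vs_web {
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_socks {
    profiles {
        /Common/My_SOCKS_profile { }
    }
}
EOF

# HTTP profiles whose proxy-type is explicit (partition path stripped).
explicit_http_profiles() {
    awk '/^ltm profile http / { n = $4; sub(".*/", "", n) }
         /^[ \t]*proxy-type explicit/ { print n }' "$1"
}
# Every SOCKS profile; a virtual server using any of them is in scope.
socks_profiles() {
    awk '/^ltm profile socks / { n = $4; sub(".*/", "", n); print n }' "$1"
}
# Virtual servers whose profiles block references a name from the
# newline-separated list in $2; each virtual server is reported once.
affected_virtuals() {
    awk -v wanted="$2" '
        BEGIN { c = split(wanted, a, "\n"); for (i = 1; i <= c; i++) if (a[i] != "") w[a[i]] = 1 }
        /^ltm virtual /       { vs = $3; inp = 0 }
        /^[ \t]*profiles [{]/ { inp = 1; next }
        inp && /^[ \t]*[}]/   { inp = 0 }
        inp { p = $1; sub(".*/", "", p); if ((p in w) && !(vs in seen)) { seen[vs] = 1; print vs } }
    ' "$1"
}
# Combined check: virtual servers with an explicit-proxy HTTP profile
# and/or a SOCKS profile, i.e. the configurations the advisory describes.
affected_report() {
    risky="$(explicit_http_profiles "$1")
$(socks_profiles "$2")"
    affected_virtuals "$3" "$risky" | sort
}

affected_report "$TMPD/http.txt" "$TMPD/socks.txt" "$TMPD/vs.txt"
```

On the sample data the report lists /Common/vs_proxy and /Common/vs_socks; /Common/vs_web, whose HTTP profile is reverse-proxy, is not reported.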

Mitigation

None

Supplemental Information

  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K167: Downloading software and firmware from F5
  o K13123: Managing BIG-IP product hotfixes (11.x - 13.x)
  o K9502: BIG-IP hotfix matrix

Applies to (see versions):

  o ARX:
      - 6.4.0, 6.3.0, 6.2.0
  o BIG-IP AAM:
      - 13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
        11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1
  o BIG-IP AFM:
      - 13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
        11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1
  o BIG-IP APM:
      - 13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
        11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1
  o BIG-IP ASM:
      - 13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
        11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1
  o BIG-IP Analytics:
      - 13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
        11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1
  o BIG-IP DNS:
      - 13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
        11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1
  o BIG-IP Edge Gateway:
      - 13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
        11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1
  o BIG-IP GTM:
      - 13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
        11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1
  o BIG-IP LTM:
      - 13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
        11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1
  o BIG-IP Link Controller:
      - 13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
        11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1
  o BIG-IP PEM:
      - 13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
        11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1
  o BIG-IP PSM:
      - 13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
        11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1
  o BIG-IP WebAccelerator:
      - 13.0.0, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5,
        11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.2.1
  o BIG-IQ ADC:
      - 5.3.0, 5.2.0, 5.1.0, 5.0.0, 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0,
        4.0.0
  o BIG-IQ Centralized Management:
      - 5.3.0, 5.2.0, 5.1.0, 5.0.0, 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0,
        4.0.0
  o BIG-IQ Cloud:
      - 5.3.0, 5.2.0, 5.1.0, 5.0.0, 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0,
        4.0.0
  o BIG-IQ Cloud and Orchestration:
      - 1.0.0
  o BIG-IQ Device:
      - 5.3.0, 5.2.0, 5.1.0, 5.0.0, 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0,
        4.0.0
  o BIG-IQ Security:
      - 5.3.0, 5.2.0, 5.1.0, 5.0.0, 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0,
        4.0.0
  o Enterprise Manager:
      - 3.1.1
  o F5 WebSafe:
      - 1.0.0
  o F5 iWorkflow:
      - 2.3.0, 2.2.0, 2.1.0, 2.0.2, 2.0.1, 2.0.0
  o LineRate:
      - 2.6.1, 2.6.0, 2.5.2, 2.5.1, 2.5.0
  o Traffix SDC:
      - 5.1.0, 4.4.0, 4.0.5, 4.0.2, 4.0.0

(C) Copyright 2017 by F5 Networks, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================