             AUSCERT External Security Bulletin Redistribution

         F5 BIG-IP products: Tcl code injection security exposure
                              13 August 2019


        AusCERT Security Bulletin Summary

Product:           BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin: 

Comment: F5 advises: "This is not a vulnerability in Tcl, or F5 products,
         but rather an issue relating to coding practices used when
         writing Tcl code."

- --------------------------BEGIN INCLUDED TEXT--------------------

K15650046: Tcl code injection security exposure

Original Publication Date: May 23, 2019
Updated Date: Jun 08, 2019

Applies to (see versions):

  * Product: BIG-IQ, BIG-IQ Centralized Management
      + 6.1.0, 6.0.1, 6.0.0, 5.4.0, 5.3.0, 5.2.0, 5.1.0, 5.0.0
  * Product: BIG-IP, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM,
    Link Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP WebAccelerator, BIG-IP WOM
      + 14.1.0, 14.0.0, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.4, 12.1.3, 12.1.2,
        12.1.1, 12.1.0, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.9, 11.5.8, 11.5.7,
        11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2
  * Product: Enterprise Manager
      + 3.1.1
  * Product: F5 iWorkflow
      + 2.3.0
  * Product: Traffix SDC
      + 5.1.0, 5.0.0

Security Advisory Description

Certain coding practices may allow an attacker to inject arbitrary Tool Command
Language (Tcl) commands, which could be executed in the security context of the
target Tcl script.


The design of the Tcl language allows for substitutions in statements and
commands and this feature of Tcl can allow injection attacks similar to those
seen in SQL or shell scripting languages, where arbitrary user input is
interpreted as code and executed.

The best practice for Tcl scripting is to enclose all expressions, ensuring
that they are not substituted or evaluated unexpectedly. An additional benefit
of this practice is increased performance, as the expressions can be
precompiled instead of re-evaluated dynamically at runtime.

This topic is explained in detail in the following Tcl documentation:

Note: These links take you to a resource outside of AskF5. The third party
could remove the documents without our knowledge.

  * Double substitution
  * Brace your expr-essions
  * Static syntax analysis

Note: This is not a vulnerability in Tcl, or F5 products, but rather an issue
relating to coding practices used when writing Tcl code.

Affected Tcl statements

Tcl substitution and evaluation might happen recursively, so it is difficult to
create a comprehensive list of all statements that might result in
substitution. The following statements are known to include the evaluation of
expressions or scripts and should always be protected:

  * after
  * catch
  * eval
  * expr
  * for
  * foreach
  * history
  * if
  * list
  * proc
  * regexp
  * regsub
  * set
  * string
  * match
  * switch
  * trace
  * uplevel
  * while

Note: Tcl allows sub-scripts anywhere through the use of square brackets. These
sub-scripts are executed directly as code and must be protected from unsafe

F5-specific commands

F5-specific commands (such as persist or HTTP::respond) do not directly trigger
expression evaluation; F5-specific commands take simple arguments, which are
not evaluated as expressions or scripts.

Limitation of scope

The implementation of Tcl within Traffic Management Microkernel (TMM) disallows
a number of standard Tcl commands. This is intended to restrict the scope of
potential impact due to a Tcl script, and these restrictions are, to our
knowledge, enforced even for commands constructed through an injection attack.

  * K36322151: List of disabled Tcl commands for iRules (12.x - 14.x) 
  * K15909: List of disabled Tcl commands for iRules (11.x)

Security Advisory Status

This is not a vulnerability in Tcl, or F5 products, but rather an issue
relating to coding practices used when writing Tcl code. As with most
programming or scripting languages, it is possible to write code in a way that
may create vulnerabilities. This is not something F5 can prevent the user from
doing, as the issue does not lend itself to deterministic or heuristic
detection that covers all possible cases.

Security Advisory Recommended Actions

The Tcl documentation previously cited provides more comprehensive
recommendations. However, the simple answer is that expressions in Tcl should
always be braced. Typically, this is as simple as enclosing the expression in
curly braces ‘{}’:

# Instead of this unbraced expression
if $myVar eq "String"

# Use braces to ensure the expression is evaluated without substitution
if {$myVar eq "String"}
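The following stand-alone tclsh script is an added example, not part of the F5 advisory, that demonstrates the double substitution described under "Security Advisory Description" and the braced fix recommended above. The variable input stands in for an untrusted value an iRule would read (a header or URI); the crafted value carries a harmless marker command that only records whether it was executed, so the unbraced check is forced to pass and the marker runs, while the braced check treats the same value as a literal string and the marker never runs.

```tcl
# Added example, not from the F5 advisory: shows the double substitution
# the advisory describes. $input stands in for an untrusted value an iRule
# would read (a header or URI); the bracketed command in the crafted input
# is a harmless marker that only records that it ran.

set ::marker_ran 0

proc marker {} {
    # Runs only if attacker-controlled data was evaluated as Tcl code.
    incr ::marker_ran
    return "expected"
}

proc unbraced_check {input} {
    # Substitution 1: the Tcl parser expands $input inside the double quotes,
    # so the expression text becomes  "<value>" eq "expected".
    # Substitution 2: expr parses that text and performs command
    # substitution on any [...] it finds inside the value.
    if "\"$input\" eq \"expected\"" { return 1 }
    return 0
}

proc braced_check {input} {
    # The braces hand the expression to if/expr literally; expr substitutes
    # $input exactly once, as an opaque string operand, and never executes
    # commands that happen to appear inside that string.
    if {$input eq "expected"} { return 1 }
    return 0
}

# Constructed inputs: two ordinary values and one that carries a command
# substitution. The braces around the last one keep it literal at this point.
foreach input [list expected other {[marker]}] {
    set ::marker_ran 0
    set u [unbraced_check $input]
    set u_ran $::marker_ran
    set ::marker_ran 0
    set b [braced_check $input]
    puts [format "%-10s unbraced=%d (marker ran %d)   braced=%d (marker ran %d)" \
        $input $u $u_ran $b $::marker_ran]
}
```

For the two ordinary inputs both checks agree; only the crafted input separates them, which is why the defect is easy to miss in testing and is better caught by the static warning the BIG-IP system emits for unbraced expressions.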

F5 documents Tcl delimiters, including braces, in the DevCentral article:
Getting Started with iRules: Delimiters.

Note: F5 has already included detection for some of the common cases where
double substitution may happen in iRules, and the BIG-IP system attempts to
notify the administrator through system log files or at the command line when
the configuration is saved, loaded, or validated, as documented in K57410758:
Error Message: <irule_name>: warning: [use curly braces to avoid double
substitution][<Part_of_irule_in_question>].

Evaluate your Tcl scripts and make all changes you deem appropriate under this


F5 would like to thank Christoffer Jerkeby of F-Secure Sweden for working with
F5 to highlight this issue.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.