-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3083
         F5 BIG-IP products: Tcl code injection security exposure
                              13 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin: 
   https://support.f5.com/csp/article/K15650046

Comment: F5 advises: "This is not a vulnerability in Tcl, or F5 products,
         but rather an issue relating to coding practices used when
         writing Tcl code."

- --------------------------BEGIN INCLUDED TEXT--------------------

K15650046: Tcl code injection security exposure

Original Publication Date: May 23, 2019
Updated Date: Jun 08, 2019

Applies to (see versions):

  * Product: BIG-IQ, BIG-IQ Centralized Management
      + 6.1.0, 6.0.1, 6.0.0, 5.4.0, 5.3.0, 5.2.0, 5.1.0, 5.0.0
  * Product: BIG-IP, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM,
    BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP
    Link Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP WebAccelerator, BIG-IP WOM
      + 14.1.0, 14.0.0, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.4, 12.1.3, 12.1.2,
        12.1.1, 12.1.0, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.9, 11.5.8, 11.5.7,
        11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2
  * Product: Enterprise Manager
      + 3.1.1
  * Product: F5 iWorkflow
      + 2.3.0
  * Product: Traffix SDC
      + 5.1.0, 5.0.0

Security Advisory Description

Certain coding practices may allow an attacker to inject arbitrary Tool Command
Language (Tcl) commands, which could be executed in the security context of the
target Tcl script.

Impact

The design of the Tcl language allows for substitutions in statements and
commands, and this feature of Tcl can allow injection attacks similar to those
seen in SQL or shell scripting languages, where arbitrary user input is
interpreted as code and executed.

The best practice for Tcl scripting is to enclose all expressions, ensuring
that they are not substituted or evaluated unexpectedly. An additional benefit
of this practice is increased performance, as the expressions can be
precompiled instead of re-evaluated dynamically at runtime.

This topic is explained in detail in the following Tcl documentation:

Note: These links take you to a resource outside of AskF5. The third party
could remove the documents without our knowledge.

  * Double substitution
  * Brace your expr-essions
  * Static syntax analysis

Note: This is not a vulnerability in Tcl, or F5 products, but rather an issue
relating to coding practices used when writing Tcl code.

Affected Tcl statements

Tcl substitution and evaluation might happen recursively, so it is difficult to
create a comprehensive list of all statements that might result in
substitution. The following statements are known to include the evaluation of
expressions or scripts and should always be protected:

  * after
  * catch
  * eval
  * expr
  * for
  * foreach
  * history
  * if
  * list
  * proc
  * regexp
  * regsub
  * set
  * string
  * match
  * switch
  * trace
  * uplevel
  * while

Note: Tcl allows sub-scripts anywhere through the use of square brackets. These
sub-scripts are executed directly as code and must be protected from unsafe
input.

F5-specific commands

F5-specific commands (such as persist or HTTP::respond) do not directly trigger
expression evaluation; F5-specific commands take simple arguments, which are
not evaluated as expressions or scripts.

Limitation of scope

The implementation of Tcl within Traffic Management Microkernel (TMM) disallows
a number of standard Tcl commands. This is intended to restrict the scope of
potential impact due to a Tcl script, and these restrictions are, to our
knowledge, enforced even for commands constructed through an injection attack.

  * K36322151: List of disabled Tcl commands for iRules (12.x - 14.x) 
  * K15909: List of disabled Tcl commands for iRules (11.x)

Security Advisory Status

This is not a vulnerability in Tcl, or F5 products, but rather an issue
relating to coding practices used when writing Tcl code. As with most
programming or scripting languages, it is possible to write code in a way that
may create vulnerabilities. This is not something F5 can prevent the user from
doing, as the issue does not lend itself to deterministic or heuristic
detection that covers all possible cases.

Security Advisory Recommended Actions

The Tcl documentation previously cited provides more comprehensive
recommendations. However, the simple answer is that expressions in Tcl should
always be braced. Typically, this is as simple as enclosing the expression in
curly braces ‘{}’:

# Instead of this unbraced expression
if $myVar eq "String"

# Use braces to ensure the expression is evaluated without substitution
if {$myVar eq "String"}
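The contrast above, worked through in plain Tcl as an added example that is not part of the original bulletin or any F5 code; it assumes a stock tclsh and a constructed input standing in for request data such as a header value:

```tcl
# Added example, not code from the F5 article or from any F5 product.
# Runs under a stock tclsh (8.5/8.6). It contrasts an unbraced "if"
# expression, which is substituted twice, with the braced form.

proc evaluateFlag {untrusted} {
    # Marker variable: it becomes "yes" only if the sub-script hidden in
    # the untrusted input actually gets executed.
    global marker

    set marker "no"
    # UNSAFE: the Tcl parser substitutes $untrusted into the quoted word,
    # then "if" hands that text to the expression evaluator, which performs
    # a second substitution and runs the [...] sub-script it now contains.
    if "$untrusted == 1" { set branch taken } else { set branch skipped }
    set unsafeMarker $marker

    set marker "no"
    # SAFE: braces pass the literal text "$untrusted == 1" to "if"; the
    # evaluator substitutes once, so the input is compared purely as a
    # string and is never parsed as code.
    if {$untrusted == 1} { set branch taken } else { set branch skipped }
    set safeMarker $marker

    return [list unbraced $unsafeMarker braced $safeMarker]
}

# Constructed input standing in for a request header or URI parameter:
# the square brackets carry a harmless marker sub-script, nothing more.
set untrustedInput {[set marker yes]}

puts [evaluateFlag $untrustedInput]
```

The same double substitution applies to expr, while, for and the other statements listed above; bracing the expression is the fix in every case.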

F5 documents Tcl delimiters, including braces, in the DevCentral article:
Getting Started with iRules: Delimiters.

Note: F5 has already included detection for some of the common cases where
double substitution may happen in iRules, and the BIG-IP system attempts to
notify the administrator through system log files or at the command line when
the configuration is saved, loaded, or validated, as documented in K57410758:
Error Message: <irule_name>: warning: [use curly braces to avoid double
substitution][<Part_of_irule_in_question>].

Evaluate your Tcl scripts and make all changes you deem appropriate under this
guidance.

Acknowledgements

F5 would like to thank Christoffer Jerkeby of F-Secure Sweden for working with
F5 to highlight this issue.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----