===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3083
         F5 BIG-IP products: Tcl code injection security exposure
                               13 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin:
   https://support.f5.com/csp/article/K15650046

Comment: F5 advises: "This is not a vulnerability in Tcl, or F5 products,
         but rather an issue relating to coding practices used when writing
         Tcl code."

--------------------------BEGIN INCLUDED TEXT--------------------

K15650046: Tcl code injection security exposure

Original Publication Date: May 23, 2019
Updated Date: Jun 08, 2019

Applies to (see versions):

  * Product: BIG-IQ, BIG-IQ Centralized Management
    + 6.1.0, 6.0.1, 6.0.0, 5.4.0, 5.3.0, 5.2.0, 5.1.0, 5.0.0
  * Product: BIG-IP, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM,
    BIG-IP ASM, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM,
    BIG-IP Link Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP WebAccelerator,
    BIG-IP WOM
    + 14.1.0, 14.0.0, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.4, 12.1.3, 12.1.2,
      12.1.1, 12.1.0, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.9, 11.5.8, 11.5.7,
      11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2
  * Product: Enterprise Manager
    + 3.1.1
  * Product: F5 iWorkflow
    + 2.3.0
  * Product: Traffix SDC
    + 5.1.0, 5.0.0

Security Advisory Description

Certain coding practices may allow an attacker to inject arbitrary Tool
Command Language (Tcl) commands, which could be executed in the security
context of the target Tcl script.
Impact

The design of the Tcl language allows for substitutions in statements and
commands, and this feature of Tcl can allow injection attacks similar to
those seen in SQL or shell scripting languages, where arbitrary user input is
interpreted as code and executed.

The best practice for Tcl scripting is to enclose all expressions, ensuring
that they are not substituted or evaluated unexpectedly. An additional
benefit of this practice is increased performance, as the expressions can be
precompiled instead of re-evaluated dynamically at runtime. This topic is
explained in detail in the following Tcl documentation:

Note: These links take you to a resource outside of AskF5. The third party
could remove the documents without our knowledge.

  * Double substitution
  * Brace your expr-essions
  * Static syntax analysis

Note: This is not a vulnerability in Tcl, or F5 products, but rather an
issue relating to coding practices used when writing Tcl code.

Affected Tcl statements

Tcl substitution and evaluation might happen recursively, so it is difficult
to create a comprehensive list of all statements that might result in
substitution. The following statements are known to include the evaluation
of expressions or scripts and should always be protected:

  * after
  * catch
  * eval
  * expr
  * for
  * foreach
  * history
  * if
  * list
  * proc
  * regexp
  * regsub
  * set
  * string
  * match
  * switch
  * trace
  * uplevel
  * while

Note: Tcl allows sub-scripts anywhere through the use of square brackets.
These sub-scripts are executed directly as code and must be protected from
unsafe input.

F5-specific commands

F5-specific commands (such as persist or HTTP::respond) do not directly
trigger expression evaluation; F5-specific commands take simple arguments,
which are not evaluated as expressions or scripts.

Limitation of scope

The implementation of Tcl within Traffic Management Microkernel (TMM)
disallows a number of standard Tcl commands.
This is intended to restrict the scope of potential impact due to a Tcl
script, and these restrictions are, to our knowledge, enforced even for
commands constructed through an injection attack.

  * K36322151: List of disabled Tcl commands for iRules (12.x - 14.x)
  * K15909: List of disabled Tcl commands for iRules (11.x)

Security Advisory Status

This is not a vulnerability in Tcl, or F5 products, but rather an issue
relating to coding practices used when writing Tcl code. As with most
programming or scripting languages, it is possible to write code in a way
that may create vulnerabilities. This is not something F5 can prevent the
user from doing, as the issue does not lend itself to deterministic or
heuristic detection that covers all possible cases.

Security Advisory Recommended Actions

The Tcl documentation previously cited provides more comprehensive
recommendations. However, the simple answer is that expressions in Tcl
should always be braced. Typically, this is as simple as enclosing the
expression in curly braces '{}':

  # Instead of this unbraced expression
  if $myVar eq "String"

  # Use braces to ensure the expression is evaluated without substitution
  if {$myVar eq "String"}

F5 documents Tcl delimiters, including braces, in the DevCentral article:
Getting Started with iRules: Delimiters.

Note: F5 has already included detection for some of the common cases where
double substitution may happen in iRules, and the BIG-IP system attempts to
notify the administrator through system log files or at the command line
when the configuration is saved, loaded, or validated, as documented in
K57410758: Error Message: <irule_name>: warning: [use curly braces to avoid
double substitution][<Part_of_irule_in_question>].

Evaluate your Tcl scripts and make all changes you deem appropriate under
this guidance.

Acknowledgements

F5 would like to thank Christoffer Jerkeby of F-Secure Sweden for working
with F5 to highlight this issue.
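As an added example, not part of the F5 advisory or the AusCERT bulletin, the following Python heuristic does the kind of offline check the "Static syntax analysis" reference and F5's configuration-load warning point at: it scans iRule/Tcl source for the expression-taking commands named above (if, elseif, while, expr, for) whose argument is not braced. The sample iRule, the regular expression and the command subset are assumptions; commands that take whole scripts (eval, catch, uplevel) need a separate check and are not covered.

```python
import re

# Tcl commands from the advisory whose first argument is an expression;
# without braces Tcl substitutes into that argument before evaluating it.
EXPR_COMMANDS = ("if", "elseif", "while", "expr", "for")

# Heuristic (assumption): the command at line start or after '[', '{' or '}',
# followed by an argument that begins with '$', '[' or '"' instead of '{'.
_UNBRACED = re.compile(
    r'(?:^|[\[{}])\s*(?P<cmd>' + "|".join(EXPR_COMMANDS) + r')\s+(?P<arg>[$\["])'
)

# Constructed sample iRule mixing braced and unbraced expressions.
SAMPLE_IRULE = """\
when HTTP_REQUEST {
    # constructed sample: mixes braced and unbraced expressions
    set path [HTTP::path]
    if $path eq "/admin" {
        HTTP::respond 403
    }
    if {[HTTP::header Host] eq "example.com"} {
        set n [expr [HTTP::header Content-Length] + 1]
    }
    set total [expr {$n + 1}]
    while {$n < 3} { incr n }
}
"""


def find_unbraced_expressions(tcl_source):
    """Return (line_number, command, stripped_line) for every heuristic hit.

    Lines whose first non-blank character is '#' are Tcl comments and skipped.
    """
    hits = []
    for lineno, line in enumerate(tcl_source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for m in _UNBRACED.finditer(line):
            hits.append((lineno, m.group("cmd"), line.strip()))
    return hits


if __name__ == "__main__":
    for lineno, cmd, text in find_unbraced_expressions(SAMPLE_IRULE):
        print(f"line {lineno}: unbraced argument to '{cmd}' "
              f"(double substitution risk): {text}")
```

On the sample it reports line 4 (if $path ...) and line 8 (expr [HTTP::header ...]), while the braced forms on lines 7, 10 and 11 pass.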
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================