-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
A specifically crafted HTTP request may lead the BIG-IP system to pass
malformed HTTP requests to a target pool member webserver
(HTTP Desync Attack)
29 August 2019
AusCERT Security Bulletin Summary
Product: F5 BIG-IP products
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Provide Misleading Information -- Remote/Unauthenticated
Comment: This is an HTTP request smuggling weakness with no current fix,
only mitigation steps.
- --------------------------BEGIN INCLUDED TEXT--------------------
K50375550: A specifically crafted HTTP request may lead the BIG-IP system to
pass malformed HTTP requests to a target pool member webserver (HTTP Desync Attack)
Original Publication Date: 29 Aug, 2019
Security Advisory Description
A specifically crafted HTTP request that contains Content-Length and
Transfer-Encoding headers may lead the BIG-IP system to pass malformed HTTP
requests to a target pool member webserver.
This issue occurs when the following condition is met:
o The malformed HTTP requests are processed by a virtual server configured
with an HTTP profile.
The specific scenario described by this Advisory occurs when, and only when:
o The client sends a series of specifically crafted, malformed HTTP requests
that do not conform to HTTP RFCs (for example, RFC7230, RFC2616 etc).
o The target pool member webserver also accepts and processes these requests,
despite their non-conformance to RFCs.
In this scenario, the vulnerable pool member webserver may interpret the stream
of requests differently to the BIG-IP system and may take unintended actions
based on the stream of requests.
The malformed HTTP requests may be passed to the pool member
webserver and, depending on the behavior of the pool member webserver, may
allow an HTTP Request Smuggling attack to take place against the pool member
webserver. Additionally, when the affected virtual server is configured with
the OneConnect profile, an attacker may be able to send specifically crafted
requests in a client-side TCP stream and impact the responses sent to a
legitimate client in another client-side TCP stream.
As a result of this issue, you may encounter one or more of the following
o Depending on the client requests and HTTP RFC compliance of the target pool
member webserver, the pool member webserver may interpret the client
requests differently and perform unintended actions.
o With OneConnect configured for the affected HTTP virtual server, a
legitimate client may experience effects of an HTTP Request Smuggling
Security Advisory Status
F5 Product Development has assigned ID 761185 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
|Type of fix |Fixes introduced in|Related articles|
|Release |None |None |
|Point release/hotfix|None |None |
Security Advisory Recommended Actions
Depending on your BIG-IP configuration and features available, you may consider
using one of the following mitigation methods:
o Modifying or disabling the OneConnect profile
o Blocking malformed HTTP requests using BIG-IP ASM / Advanced WAF
Modifying or disabling the OneConnect profile
If the affected virtual server is configured with the OneConnect profile, you
should consider adjusting the Source Prefix Length or Source Mask (11.x)
setting of the OneConnect profile to prevent aggregation of HTTP requests from
separate client-side TCP streams into the same server-side connection.
Alternatively, you may consider disabling OneConnect for specific connections
using an iRule or removing it entirely on the affected virtual server if your
application environment permits. For information about using an iRule to
disable OneConnect, refer to the ONECONNECT iRule command on DevCentral.
Impact of workaround: Depending on your application environment, adjusting the
value of the Source Prefix Length or Source Mask setting of the OneConnect
profile may impact optimal connection re-use, while disabling OneConnect may
impact performance. For additional information, refer to K7208: Overview of the
Performing these actions on the OneConnect profile prevents the HTTP requests
aggregation thus mitigating the risk of an attacker interacting with a
legitimate client; however it does not prevent the target pool member webserver
from being subjected to potential HTTP Request Smuggling attacks. As a
result, this may not be a complete mitigation and you may need to apply HTTP
RFC compliancy checks using BIG-IP ASM / Advanced WAF (AWAF) in addition to
Blocking malformed HTTP requests using BIG-IP ASM / Advanced WAF
If the affected BIG-IP system is licensed and provisioned with BIG-IP ASM /
AWAF, you should consider configuring an appropriate BIG-IP ASM / AWAF security
policy to block malformed HTTP requests. To do so, ensure that you have
configured the following for your BIG-IP ASM / AWAF security policy:
Impact of workaround: Performing the following procedure should not have a
negative impact on your system.
1. Ensure the HTTP protocol compliance failed violation is set to Block with
the following subviolations enabled:
Several Content-Length headers
Chunked request with Content-Length header
Unparsable request content
For more information about viewing and enabling these subviolations, refer
to K10280: Overview of BIG-IP ASM HTTP protocol compliance.
2. Ensure the following BIG-IP ASM / AWAF signatures are enabled:
HTTP Response Splitting (1)(Parameter), ID 200023001
HTTP Response Splitting (2)(Parameter), ID 200023002
HTTP Response Splitting (3)(Parameter), ID 200023003
HTTP Response Splitting (4)(Parameter), ID 200023004
Non-standard Transfer-Encoding header value, ID 200200002 (BIG-IP ASM
For information about working with attack signatures, refer to K12885:
Working with BIG-IP ASM attack signatures.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----