-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4496
                   Security fixes for F5 BIG-IP products
                             27 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service              -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-6673 CVE-2019-6672 CVE-2019-6671
                   CVE-2019-6669 CVE-2019-6667 CVE-2019-6666
                   CVE-2019-6665  

Original Bulletin: 
   https://support.f5.com/csp/article/K82781208
   https://support.f5.com/csp/article/K79240502
   https://support.f5.com/csp/article/K92411323
   https://support.f5.com/csp/article/K26462555
   https://support.f5.com/csp/article/K39794285
   https://support.f5.com/csp/article/K14703097
   https://support.f5.com/csp/article/K11447758
   https://support.f5.com/csp/article/K39225055
   https://support.f5.com/csp/article/K24241590
   https://support.f5.com/csp/article/K81557381

Comment: This bulletin contains ten (10) F5 Networks security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

K82781208: BIG-IP FIX profile security advisory vulnerability CVE-2019-6667

Original Publication Date: 27 Nov, 2019

Security Advisory Description

Under certain conditions, the Traffic Management Microkernel (TMM) may consume
excessive resources when processing traffic for a virtual server with the FIX
(Financial Information eXchange) profile applied. (CVE-2019-6667)

Impact

This vulnerability may result in a denial-of-service (DOS) attack on the
affected BIG-IP system due to resource exhaustion. The affected BIG-IP system
temporarily will fail to process traffic as it recovers from a Traffic
Management Microkernel (TMM) restart, and devices configured in a device group
may fail over.

Security Advisory Status

F5 Product Development has assigned ID 758065 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score |gcomponent |
|                   |      |be        |in        |          |      |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.0.1.1  |          |      |          |
|                   |      |15.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IP (LTM, AAM,  |14.x  |14.1.0    |14.1.0.6  |          |      |          |
|AFM, Analytics,    |      |14.0.0    |14.0.0.5  |          |      |          |
|APM, ASM, DNS, Edge+------+----------+----------+          |      |          |
|Gateway, FPS, GTM, |13.x  |13.0.0 -  |13.1.3    |High      |7.5   |FIX       |
|Link Controller,   |      |13.1.1    |          |          |      |profile   |
|PEM,               +------+----------+----------+          |      |          |
|WebAccelerator)    |12.x  |12.1.0 -  |12.1.5    |          |      |          |
|                   |      |12.1.4    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.5.1 -  |11.6.5.1  |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |6.x   |None      |Not       |          |      |          |
|BIG-IQ Centralized |      |          |applicable|Not       |      |          |
|Management         +------+----------+----------+vulnerable|None  |None      |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow       |2.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|Not       |      |          |
|Traffix SDC        +------+----------+----------+vulnerable|None  |None      |
|                   |4.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

- --------------------------------------------------------------------------------

K79240502: BIG-IP ASM Bot Detection DNS cache does not expire security exposure

Original Publication Date: 27 Nov, 2019

Security Advisory Description

When BIG-IP ASM Bot Detection is configured, the BIG-IP ASM system performs a
reverse DNS lookup to determine if bot traffic classified as legitimate is, in
fact, from those services (for example, Google). These DNS responses are cached
indefinitely (until the Traffic Management Microkernel [TMM] or unit is
restarted) and do not expire. Therefore, if a malicious entity is able to
inject an invalid DNS response back to the BIG-IP system before the legitimate
DNS server responds, or the legitimate DNS response is corrupted in flight, the
invalid record will be cached indefinitely.

This issue occurs when all of the following conditions are met:

  o BIG-IP ASM Bot Detection is configured.
  o The BIG-IP ASM is configured to use an untrusted DNS resolver.
  o The BIG-IP ASM security policy is processing traffic.

Impact

If a malicious actor is able to inject invalid DNS responses, bots that would
normally be classified as legitimate may be classified as malicious, causing
Bot Detection to take action per the policy configuration against traffic that
would otherwise be allowed.

Symptoms

As a result of this issue, you may encounter one or more of the following
symptoms:

  o Invalid DNS responses are indefinitely cached by the BIG-IP ASM system.
  o Bots normally classified as legitimate may be classified as malicious.

Security Advisory Status

F5 Product Development has assigned ID 761231 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |13.1.3           |K2200: Most recent versions of F5       |
|                  |12.1.5           |software                                |
+------------------+-----------------+----------------------------------------+
|Point release/    |15.0.1.1         |K9502: BIG-IP hotfix and point release  |
|hotfix            |14.1.0.6         |matrix                                  |
|                  |14.0.0.5         |                                        |
+------------------+-----------------+----------------------------------------+

Security Advisory Recommended Actions

Mitigation

On fixed versions, cached DNS responses now expire and a malicious actor would
need to continually inject invalid responses to maintain disruption. The
default expiry time across all versions is 300 seconds. The expire time is
fixed and cannot be modified.

F5 recommends, as a best practice, that you use a trusted DNS server for
lookups (for example, one hosted within your own secure infrastructure) and
that you make queries only across a trusted, controlled network. Following this
practice will effectively mitigate the risk of a bad actor being able to inject
malicious DNS responses between the BIG-IP ASM system and the configured DNS
server.

- --------------------------------------------------------------------------------

K92411323: BIG-IP AAM vulnerability CVE-2019-6666

Original Publication Date: 27 Nov, 2019

Security Advisory Description

The TMM process may produce a core file when an upstream server or cache sends
the BIG-IP system an invalid age header value. (CVE-2019-6666)

Impact

The BIG-IP system temporarily fails to process traffic as it recovers from a
Traffic Management Microkernel (TMM) restart, and devices configured in a
device group may fail over.

Security Advisory Status

F5 Product Development has assigned ID 753975 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score |gcomponent |
|                   |      |be        |in        |          |      |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.0.1.1  |          |      |          |
|                   |      |15.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IP (LTM, AAM,  |14.x  |14.1.0    |14.1.0.6  |          |      |          |
|AFM, Analytics,    |      |14.0.0    |14.0.0.5  |          |      |          |
|APM, ASM, DNS, Edge+------+----------+----------+          |      |          |
|Gateway, FPS, GTM, |13.x  |13.0.0 -  |13.1.1.5  |High      |7.5   |AAM Ram   |
|Link Controller,   |      |13.1.1    |          |          |      |Cache     |
|PEM,               +------+----------+----------+          |      |          |
|WebAccelerator)    |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |6.x   |None      |Not       |          |      |          |
|BIG-IQ Centralized |      |          |applicable|Not       |      |          |
|Management         +------+----------+----------+vulnerable|None  |None      |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow       |2.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|Not       |      |          |
|Traffix SDC        +------+----------+----------+vulnerable|None  |None      |
|                   |4.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

- --------------------------------------------------------------------------------

K26462555:BIG-IP ASM and BIG-IQ/Enterprise Manager/F5 iWorkflow device authentication and trust vulnerability CVE-2019-6665

Original Publication Date: 27 Nov, 2019

Security Advisory Description

An attacker with access to the device communication between the BIG-IP ASM
Central Policy Builder and the BIG-IQ/Enterprise Manager/F5 iWorkflow will be
able to set up the proxy the same way and intercept the traffic. (CVE-2019-6665
)

Impact

BIG-IP ASM / BIG-IQ / Enterprise Manager / F5 iWorkflow

With access to the authentication token, the attacker will be able to
impersonate the BIG-IP ASM Central Policy Builder and send corrupted or
incorrect suggestion data to the BIG-IQ/Enterprise Manager/F5 iWorkflow. This
may lead to incorrect policy building suggestions or a partial
denial-of-service (DoS).

BIG-IP (LTM, AAM, AFM, Analytics, APM, DNS, Edge Gateway, GTM, Link Controller,
PEM, WebAccelerator, WebSafe) / Traffix SDC

There is no impact; these F5 products are not affected by this vulnerability.

Security Advisory Status

F5 Product Development has assigned ID 636400 (BIG-IP), ID 569250 (BIG-IQ), ID
693466 (Enterprise Manager), and ID 693474 (F5 iWorkflow) to this
vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table.

+---------------+------+----------+----------+----------+------+--------------+
|               |      |Versions  |Fixes     |          |CVSSv3|Vulnerable    |
|Product        |Branch|known to  |introduced|Severity  |score |gcomponent or  |
|               |      |be        |in        |          |      |feature       |
|               |      |vulnerable|          |          |      |              |
+---------------+------+----------+----------+----------+------+--------------+
|               |15.x  |15.0.0 -  |15.0.1.1  |          |      |              |
|               |      |15.0.1    |          |          |      |              |
|               +------+----------+----------+          |      |              |
|               |      |14.1.0 -  |          |          |      |              |
|               |14.x  |14.1.2    |14.1.2.1  |          |      |              |
|               |      |14.0.0 -  |14.0.1.1  |          |      |              |
|               |      |14.0.1    |          |          |      |Device        |
|BIG-IP ASM     +------+----------+----------+High      |7.7   |authentication|
|               |13.x  |13.1.0 -  |13.1.3.2  |          |      |/trust        |
|               |      |13.1.3.1  |          |          |      |              |
|               +------+----------+----------+          |      |              |
|               |12.x  |None      |Not       |          |      |              |
|               |      |          |applicable|          |      |              |
|               +------+----------+----------+          |      |              |
|               |11.x  |None      |Not       |          |      |              |
|               |      |          |applicable|          |      |              |
+---------------+------+----------+----------+----------+------+--------------+
|               |15.x  |None      |Not       |          |      |              |
|               |      |          |applicable|          |      |              |
|BIG-IP (LTM,   +------+----------+----------+          |      |              |
|AAM, AFM,      |14.x  |None      |Not       |          |      |              |
|Analytics, APM,|      |          |applicable|          |      |              |
|DNS, Edge      +------+----------+----------+          |      |              |
|Gateway,       |13.x  |None      |Not       |Not       |None  |None          |
|GTM, Link      |      |          |applicable|vulnerable|      |              |
|Controller,    +------+----------+----------+          |      |              |
|PEM,           |12.x  |None      |Not       |          |      |              |
|WebAccelerator,|      |          |applicable|          |      |              |
|WebSafe)       +------+----------+----------+          |      |              |
|               |11.x  |None      |Not       |          |      |              |
|               |      |          |applicable|          |      |              |
+---------------+------+----------+----------+----------+------+--------------+
|Enterprise     |      |          |          |          |      |Device        |
|Manager        |3.x   |3.1.1     |None      |High      |7.7   |authentication|
|               |      |          |          |          |      |/trust        |
+---------------+------+----------+----------+----------+------+--------------+
|               |7.x   |None      |Not       |          |      |              |
|               |      |          |applicable|          |      |              |
|BIG-IQ         +------+----------+----------+          |      |Device        |
|Centralized    |6.x   |6.0.0     |6.1.0     |High      |7.7   |authentication|
|Management     +------+----------+----------+          |      |/trust        |
|               |5.x   |5.2.0 -   |None      |          |      |              |
|               |      |5.4.0     |          |          |      |              |
+---------------+------+----------+----------+----------+------+--------------+
|               |      |          |          |          |      |Device        |
|F5 iWorkflow   |2.x   |2.3.0     |None      |High      |7.7   |authentication|
|               |      |          |          |          |      |/trust        |
+---------------+------+----------+----------+----------+------+--------------+
|Traffix SDC    |5.x   |None      |Not       |Not       |None  |None          |
|               |      |          |applicable|vulnerable|      |              |
+---------------+------+----------+----------+----------+------+--------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Note: For details about how Security Advisory articles are versioned, and what
versions are listed in the table, refer to K51812227: Understanding Security
Advisory versioning.

To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems
.

Mitigation

To mitigate this vulnerability, you should permit device communication between
the affected devices only over a trusted and secure network.

- --------------------------------------------------------------------------------

K39794285: The BIG-IP system may fail to properly parse HTTP headers that are
prepended by whitespace (non RFC2616 compliant)

Security Advisory

Original Publication Date: 27 Nov, 2019

Security Advisory Description

The BIG-IP system may fail to properly parse HTTP headers that are prepended by
whitespace. This issue occurs when all of the following conditions are met:

  o A virtual server is associated with an HTTP profile.
  o The BIG-IP system receives a specially crafted HTTP request or response
    containing one or more headers with prepended whitespace that does not
    conform to RFC2616.

When a browser communicates with a server over HTTP, it can split a long header
into several lines by prepending continuation lines with leading white space
(per RFC2616). This rule does not apply to the first line of the request (for
example, the line containing request method, URI, etc. cannot be continued on a
second line) and, therefore, having leading white space as the first characters
of the first subsequent header lines is invalid. When a virtual server is
configured with an associated HTTP profile, in affected versions, the BIG-IP
system parses such a line as a header with an empty value.

Impact

The BIG-IP system can hide important HTTP headers, either passing those to the
pool member, failing to properly handle the request (or response), or failing
to correctly load balance a connection (or request in the case of having an
associated OneConnect profile). The header preceeded by whitespace may not be
accessible within an iRule, a Local Traffic Policy, or a similar mechanism.

Symptoms

As a result of this issue, you may encounter one or more of the following
symptoms:

  o The BIG-IP system erroneously rejects an HTTP request that is interpreted
    to be missing one or more required headers (for example, the Host header).
  o The BIG-IP system performs invalid load balancing on an HTTP request that
    is interpreted to be missing hash cookie persistence.

Security Advisory Status

F5 Product Development has assigned ID 788325 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |None             |None                                    |
+------------------+-----------------+----------------------------------------+
|                  |15.0.1.1         |                                        |
|Point release/    |14.1.2.1         |K9502: BIG-IP hotfix and point release  |
|hotfix            |14.0.1.1         |matrix                                  |
|                  |13.1.3.2         |                                        |
|                  |11.6.5.1         |                                        |
+------------------+-----------------+----------------------------------------+

Security Advisory Recommended Actions

Workaround

There is no work around for this issue.

Acknowledgements

F5 would like to acknowledge the F5 DevCentral MVP Kai Wilke of itacs GmbH for
bringing this issue to our attention, and for following the highest standards
of responsible disclosure.

- --------------------------------------------------------------------------------

K14703097: BIG-IP AFM vulnerability CVE-2019-6672

Original Publication Date: 27 Nov, 2019

Security Advisory Description

When bad-actor detection is configured on a wildcard virtual server on
platforms with hardware-based sPVA, the performance of the BIG-IP AFM system is
degraded. (CVE-2019-6672)

Impact

The affected BIG-IP AFM system's CPU usage increases and may cause
the legitimate network packets to be dropped or delayed. This reduces the
threshold for a denial-of-service (DoS) attack. This does not affect BIG-IP VE
deployments, as only the sPVA hardware implementation is affected.

Security Advisory Status

F5 Product Development has assigned ID 781449 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score |gcomponent |
|                   |      |be        |in        |          |      |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.0.1.1  |          |      |          |
|                   |      |15.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.1.0 -  |14.1.2.1  |          |      |          |
|                   |      |14.1.2    |          |          |      |          |
|BIG-IP AFM         +------+----------+----------+          |      |          |
|                   |13.x  |13.1.0 -  |13.1.3.2  |Medium    |5.9   |AFM       |
|                   |      |13.1.3    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IP (LTM, AAM,  |14.x  |None      |Not       |          |      |          |
|Analytics, APM,    |      |          |applicable|          |      |          |
|ASM, DNS, Edge     +------+----------+----------+          |      |          |
|Gateway, FPS, GTM, |13.x  |None      |Not       |Not       |None  |None      |
|Link Controller,   |      |          |applicable|vulnerable|      |          |
|PEM,               +------+----------+----------+          |      |          |
|WebAccelerator)    |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow       |2.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To avoid this vulnerability, you can configure the bad-actor filtering at the
global context instead of at the wildcard virtual server context.

- --------------------------------------------------------------------------------

K11447758: TMM vulnerability CVE-2019-6669

Original Publication Date: 27 Nov, 2019

Security Advisory Description

Undisclosed traffic flow may cause the Traffic Management Microkernel (TMM) to
restart under some circumstances. (CVE-2019-6669)

Impact

A remote attacker may be able to cause the Traffic Management Microkernel (TMM)
to restart. This issue occurs on multi-blade chassis, including multi-blade
vCMP guests. This issue does not occur on single-bladed systems, on BIG-IP
Virtual Edition (VE), or on single-bladed vCMP guests.

Security Advisory Status

F5 Product Development has assigned ID 761014 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score |gcomponent |
|                   |      |be        |in        |          |      |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.0.1.1  |          |      |          |
|                   |      |15.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |      |14.1.0 -  |          |          |      |          |
|BIG-IP (LTM, AAM,  |14.x  |14.1.2    |14.1.2.1  |          |      |          |
|AFM, Analytics,    |      |14.0.0 -  |14.0.1.1  |          |      |          |
|APM, ASM, DNS, Edge|      |14.0.1    |          |          |      |          |
|Gateway, FPS, GTM, +------+----------+----------+Medium    |6.5   |TMM       |
|Link Controller,   |13.x  |13.0.0 -  |13.1.3.2  |          |      |          |
|PEM,               |      |13.1.3    |          |          |      |          |
|WebAccelerator)    +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |None      |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.5.2 -  |None      |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |6.x   |None      |Not       |          |      |          |
|BIG-IQ Centralized |      |          |applicable|Not       |      |          |
|Management         +------+----------+----------+vulnerable|None  |None      |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow       |2.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|Not       |      |          |
|Traffix SDC        +------+----------+----------+vulnerable|None  |None      |
|                   |4.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

- --------------------------------------------------------------------------------

K39225055: BIG-IP TMM vulnerability CVE-2019-6671

Original Publication Date: 27 Nov, 2019

Security Advisory Description

Under certain conditions, the Traffic Management Microkernel (TMM) may leak
memory when processing packet fragments, leading to resource starvation.(
CVE-2019-6671)

Impact

Resource starvation due to a memory leak may cause the Traffic Management
Microkernel (TMM) to restart, leading to failover in a high availability (HA)
environment.

Security Advisory Status

F5 Product Development has assigned ID 777737 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score |gcomponent |
|                   |      |be        |in        |          |      |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.0.1.1  |          |      |          |
|                   |      |15.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |      |14.1.0 -  |          |          |      |          |
|                   |14.x  |14.1.2    |14.1.2.1  |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.0.0 -  |14.0.1.1  |          |      |          |
|AFM, Analytics,    |      |14.0.1    |          |          |      |          |
|APM, ASM, DNS, Edge+------+----------+----------+          |      |          |
|Gateway, FPS, GTM, |      |13.1.0 -  |          |Medium    |5.9   |TMM       |
|Link Controller,   |13.x  |13.1.3    |13.1.3.2  |          |      |          |
|PEM,               |      |          |          |          |      |          |
|WebAccelerator)    +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Enterprise Manager |3.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |6.x   |None      |Not       |          |      |          |
|BIG-IQ Centralized |      |          |applicable|Not       |      |          |
|Management         +------+----------+----------+vulnerable|None  |None      |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|F5 iWorkflow       |2.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

- --------------------------------------------------------------------------------

K24241590: BIG-IP APM ignores the Restrict to Single Client IP option for Native RDP resources

Original Publication Date: 27 Nov, 2019

Security Advisory Description

This issue occurs when all of the following conditions are met:

  o You enable the Restrict to Single Client IP option in the Access profile.
  o Users access a native Remote Desktop Protocol (RDP) resource on the BIG-IP
    APM webtop.

When launching a native RDP resource from the BIG-IP APM Webtop, the BIG-IP APM
system provides an RDP file to the client browser and the client browser
invokes the native RDP client to launch the resource with the parameters
specified in the RDP file. When the Access profile Restrict to Single Client IP
option is enabled, a user should only be allowed to launch the resource from
the client that initiated the request.

Impact

An unauthorized client machine can launch an RDP session to a back-end resource
server in an APM session.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o With access to the RDP file that the BIG-IP APM provided (in another APM
    session), you can use the RDP file to launch an RDP session to a back-end
    resource server.

Security Advisory Status

F5 Product Development has assigned ID 769853 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |None             |None                                    |
+------------------+-----------------+----------------------------------------+
|Point release/    |15.0.1.1         |K9502: BIG-IP hotfix and point release  |
|hotfix            |14.1.2.1         |matrix                                  |
|                  |14.0.1.1         |                                        |
+------------------+-----------------+----------------------------------------+

Security Advisory Recommended Actions

Workaround

None

- --------------------------------------------------------------------------------

K81557381: BIG-IP HTTP/2 vulnerability CVE-2019-6673

Original Publication Date: 27 Nov, 2019

Security Advisory Description

When the BIG-IP system is configured in HTTP/2 full proxy mode, specifically
crafted requests may cause a disruption of service provided by the Traffic
Management Microkernel (TMM). (CVE-2019-6673)

Impact

An attacker may be able to use a specifically crafted request to cause a
disruption of service. The data plane is impacted and exposed only when a
virtual server is configured with an associated HTTP profile, HTTP/2 client and
server profile, and the HTTP MRF Router option is enabled (HTTP/2 full proxy
mode).

Security Advisory Status

F5 Product Development has assigned ID 798249 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-----------------+------+----------+----------+-----------+------+-----------+
|                 |      |Versions  |Fixes     |           |CVSSv3|Vulnerable |
|Product          |Branch|known to  |introduced|Severity   |score |gcomponent  |
|                 |      |be        |in        |           |      |or feature |
|                 |      |vulnerable|          |           |      |           |
+-----------------+------+----------+----------+-----------+------+-----------+
|                 |15.x  |15.0.0 -  |15.0.1.1  |           |      |           |
|                 |      |15.0.1    |          |           |      |           |
|                 +------+----------+----------+           |      |           |
|                 |14.x  |14.1.0 -  |14.1.2.1  |           |      |           |
|                 |      |14.1.2    |          |           |      |virtual    |
|BIG-IP (LTM, AAM,+------+----------+----------+           |      |servers    |
|AFM, APM, ASM,   |13.x  |None      |Not       |Low        |3.7   |(HTTP MRF  |
|FPS, Link        |      |          |applicable|           |      |Router     |
|Controller, PEM) +------+----------+----------+           |      |option)    |
|                 |12.x  |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
|                 +------+----------+----------+           |      |           |
|                 |11.x  |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
+-----------------+------+----------+----------+-----------+------+-----------+
|                 |15.x  |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
|                 +------+----------+----------+           |      |           |
|                 |14.x  |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
|BIG-IP           +------+----------+----------+Not        |      |           |
|(Analytics, DNS, |13.x  |None      |Not       |vulnerable |gNone  |None       |
|GTM)             |      |          |applicable|2          |      |           |
|                 +------+----------+----------+           |      |           |
|                 |12.x  |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
|                 +------+----------+----------+           |      |           |
|                 |11.x  |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
+-----------------+------+----------+----------+-----------+------+-----------+
|Enterprise       |3.x   |None      |Not       |Not        |None  |None       |
|Manager          |      |          |applicable|vulnerable |      |           |
+-----------------+------+----------+----------+-----------+------+-----------+
|                 |7.x   |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
|BIG-IQ           +------+----------+----------+           |      |           |
|Centralized      |6.x   |None      |Not       |Not        |None  |None       |
|Management       |      |          |applicable|vulnerable |      |           |
|                 +------+----------+----------+           |      |           |
|                 |5.x   |None      |Not       |           |      |           |
|                 |      |          |applicable|           |      |           |
+-----------------+------+----------+----------+-----------+------+-----------+
|F5 iWorkflow     |2.x   |None      |Not       |Not        |None  |None       |
|                 |      |          |applicable|vulnerable |      |           |
+-----------------+------+----------+----------+-----------+------+-----------+
|Traffix SDC      |5.x   |None      |Not       |Not        |None  |None       |
|                 |      |          |applicable|vulnerable |      |           |
+-----------------+------+----------+----------+-----------+------+-----------+

^2The specified products contain the affected code. However, F5 identifies the
vulnerability status as Not vulnerable because the attacker cannot exploit the
code in default, standard, or recommended configurations.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you can disable the HTTP MRF Router option for
the affected virtual server. To do so, perform the following procedure:

Impact of action: The HTTP/2 full proxy mode is disabled for the virtual
server.

Disabling the HTTP MRF Router option

 1. Log in to the Configuration utility.
 2. Go to Local Traffic > Virtual Servers > Virtual Server List.
 3. Click the name of the affected virtual server.
 4. Under Acceleration, clear the HTTP MRF Router check box.
 5. Select Update.
 6. Repeat the above steps for each virtual server for which the HTTP MRF
    Router option is enabled.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXd4V4WaOgq3Tt24GAQhDZw/7BaGT0UnICfnG5BtoSyvS3Uoz/X5Gm2kV
YwzZPLBZXbdxzaXoQDcXX+JJASu5hbWEHGWjQxKnT+EKqNd70sK6AUpM2NLbRFpg
jgeArd3MRcC7CgMtd8H2YOS7SsP+8Md/tcSWmkbBbPHms1lYTB4jpFeYAJeiTZLo
mpxNoZn06OMze49Kia3igk/yLZm9obvtR9BHCb2H08RzmZkj5L7SobBODLQddP3f
OIm7NugpTxIpMLgsUOHVT8Gr63Urm3E1KnqJmnhgyfWLEpo5a/Opoh0ixVyCY4oM
ffZY94cnHgu19gVwOXHDEcqZPbP2JgYX/rJIZSAOl40hcjoq0LZ6M0cyBCjVqh8Q
g4rmG7jbt4G83TC9ir2RcZqFqsy+wSIKYlakJgKEgEzqEfxdhW/7XPsUrFEIf8LJ
eoHK+1X5+z6pvrGixTDrmVqeI+dZiN4h6P06nqlLHBIHukOZPArupsWEF3XkdLd5
K+x/tCKL8vrPMDeQ7JuijBjkTPoEftuub5Xcp6/tcY5BdMwKM2SkQYOnyURzGDji
rHDv4rz5z2HJtgLUZHd5i6ickru2ucznK0U5ZzixY4K7a6eG7InUyF930KR6XQfx
PlYkf+9ZkoQ5Tw/13uzaxDp9vMYVIIq/2UAynHpIsaOGC2N1ugJHiNerd0UeZ9SJ
k5ag+4sbsPA=
=yrXt
-----END PGP SIGNATURE-----