-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3282
   The BIG-IP ASM system may fail to mask sensitive parameter for an Allowed
                      URL in the Referrer header and logs
                              25 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP ASM
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Read-only Data Access -- Unknown/Unspecified
                   Reduced Security      -- Unknown/Unspecified
Resolution:        Mitigation

Original Bulletin:
   https://support.f5.com/csp/article/K86285055

- --------------------------BEGIN INCLUDED TEXT--------------------

K86285055: The BIG-IP ASM system may fail to mask sensitive parameter for an
Allowed URL in the Referrer header and logs

Security Advisory

Original Publication Date: 25 Sep, 2020

Security Advisory Description

The BIG-IP ASM system may fail to mask a sensitive parameter for an Allowed
URL. This issue occurs when all of the following conditions are met:

  o You configured an Allowed HTTP URL enabled with the following settings in
    a security policy:

      Check Flows to this URL
      URL is Entry Point
      URL is Referrer

  o You configured a parameter for this Allowed HTTP URL.
  o You enabled the Mask Value in Logs setting for this parameter. Prior to
    BIG-IP ASM 14.0.0, this setting is known as Sensitive Parameter.
  o The virtual server associated with the security policy receives a request
    matching the configured Allowed HTTP URL, and the request includes the
    configured parameter both in its query string as well as its Referrer
    header.

Impact

The BIG-IP ASM system does not mask the sensitive parameter in the request's
Referrer header. As a result, the value of the sensitive parameter is exposed
in logs and may be sent unmasked to remote log systems if configured.
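The exposure described under Impact, and the symptom shown under Symptoms below, as an added example that is not part of the F5 advisory or the AusCERT bulletin: a small Python check that flags a request log entry whose Referer header still carries an unmasked sensitive parameter, and a pre-forwarding step that masks it before the entry reaches a remote log system. The request text, parameter name and mask token are constructed to match the advisory's example; the function names are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MASK = "***"  # masking token, as shown in the advisory's example

# Constructed sample modelled on the advisory's Symptoms section: BIG-IP ASM
# masked the query string but left the Referer header untouched (ID 848445).
SAMPLE_REQUEST = (
    "GET /test.php?param=*** HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Referer: http://192.168.1.1/test.php?param=123\r\n"
)

def parse_request(raw):
    """Split raw HTTP request text into (method, target, {header: value})."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def unmasked_in_referer(raw, sensitive):
    """Names of sensitive parameters whose value is exposed in the Referer.
    A name counts only if its Referer value is not already the mask token."""
    _, _, headers = parse_request(raw)
    referer = headers.get("referer")
    if not referer:
        return []
    query = parse_qsl(urlsplit(referer).query, keep_blank_values=True)
    return sorted({n for n, v in query if n in sensitive and v != MASK})

def mask_referer(raw, sensitive):
    """Return the request with sensitive Referer query values replaced by MASK.
    Meant as a pre-forwarding step so a remote log system never sees the value;
    the request line and every other header are passed through unchanged."""
    out = []
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referer":
            parts = urlsplit(value.strip())
            query = [(n, MASK if n in sensitive else v)
                     for n, v in parse_qsl(parts.query, keep_blank_values=True)]
            # safe="*" keeps the mask token literal instead of %2A%2A%2A
            masked = urlunsplit(parts._replace(query=urlencode(query, safe="*")))
            line = f"{name}: {masked}"
        out.append(line)
    return "\r\n".join(out) + "\r\n"
```

Running `unmasked_in_referer` over entries already produced by the appliance is the detection side; `mask_referer` is a stop-gap for a log forwarder until the fixed release or the global sensitive parameter workaround is in place.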
Symptoms

As a result of this issue, you may encounter the following symptom:

  o When the system receives a client request with a configured sensitive
    parameter, for example, param:

      GET /test.php?param=123 HTTP/1.1
      Host: 192.168.1.1
      Referer: http://192.168.1.1/test.php?param=123

    both the request query string and the Referrer header contain the
    sensitive parameter param, which causes the BIG-IP ASM system to mask only
    the value of the sensitive parameter in the request query string but not
    the Referrer header:

      GET /test.php?param=*** HTTP/1.1
      Host: 192.168.1.1
      Referer: http://192.168.1.1/test.php?param=123

Security Advisory Status

F5 Product Development has assigned ID 848445 to this issue.

F5 has confirmed that this issue exists in the products listed in the Applies
to (see versions) box, located in the upper-right corner of this article. For
information about releases, point releases, or hotfixes that resolve this
issue, refer to the following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |16.0.0           |K2200: Most recent versions of F5       |
|                  |                 |software                                |
+------------------+-----------------+----------------------------------------+
|Point release/    |15.1.0.5         |K9502: BIG-IP hotfix and point release  |
|hotfix            |14.1.2.8         |matrix                                  |
+------------------+-----------------+----------------------------------------+

Security Advisory Recommended Actions

Workaround

To work around this issue, you can define the sensitive parameter as a global
sensitive parameter instead of configuring it specific to an Allowed HTTP URL.
To do so, perform the following procedure:

Impact of workaround: Defining a global sensitive parameter masks the value of
the Referrer header in all requests and all logs, regardless of whether or not
there is sensitive information in it. Depending on your application
environment, this may have an impact, especially when troubleshooting
application issues.

 1. Log in to the Configuration utility.
 2. Go to Security > Application Security > URLs > Allowed URLs > Allowed HTTP
    URLs.
 3. For Current edited policy, select the policy you want to modify.
 4. Select the affected Allowed HTTP URL.
 5. Select URL Parameters.
 6. Check the affected sensitive parameter and select Delete.
 7. Select OK to confirm the deletion.
 8. Go to Security > Application Security > Parameters > Sensitive Parameters.
 9. For Current edited policy, select the policy you want to modify.
10. Select Create.
11. Enter the name of the parameter in the Parameter Name setting.
12. Select Create to save the change.
13. Select Apply Policy to affect the change.

Supplemental Information

  o K51812227: Understanding security advisory versioning
  o K41942608: Overview of AskF5 security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to auscert@auscert.org.au and we will forward
your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.