-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3282
        The BIG-IP ASM system may fail to mask sensitive parameter
            for an Allowed URL in the Referrer header and logs
                             25 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP ASM
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Read-only Data Access -- Unknown/Unspecified
                   Reduced Security      -- Unknown/Unspecified
Resolution:        Mitigation

Original Bulletin: 
   https://support.f5.com/csp/article/K86285055

- --------------------------BEGIN INCLUDED TEXT--------------------

K86285055: The BIG-IP ASM system may fail to mask sensitive parameter for an Allowed URL in the Referrer header and logs

Security Advisory

Original Publication Date: 25 Sep, 2020

Security Advisory Description

The BIG-IP ASM system may fail to mask a sensitive parameter for an Allowed
URL.

This issue occurs when all of the following conditions are met:

  o You configured an Allowed HTTP URL enabled with the following settings in a
    security policy:
       Check Flows to this URL
       URL is Entry Point
       URL is Referrer
  o You configured a parameter for this Allowed HTTP URL.
  o You enabled the Mask Value in Logs setting for this parameter. Prior to
    BIG-IP ASM 14.0.0, this setting is known as Sensitive Parameter.
  o The virtual server associated with the security policy receives a request
    matching the configured Allowed HTTP URL, and the request includes the
    configured parameter both in its query string as well as its Referrer
    header.

Impact

The BIG-IP ASM system does not mask the sensitive parameter in the request's
Referrer header (the HTTP Referer header). As a result, the value of the
sensitive parameter is exposed in local logs and, if remote logging is
configured, is sent unmasked to remote log systems.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o When the system receives a client request with a configured sensitive
    parameter, for example, param:

    GET /test.php?param=123 HTTP/1.1
    Host: 192.168.1.1
    Referer: http://192.168.1.1/test.php?param=123

    both the request query string and the Referrer header contain the sensitive
    parameter param, which causes the BIG-IP ASM system to mask only the value
    of the sensitive parameter in the request query string but not the Referrer
    header:

    GET /test.php?param=*** HTTP/1.1
    Host: 192.168.1.1
    Referer: http://192.168.1.1/test.php?param=123
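    The symptom above, modelled as an added example. This is not F5 code and
    does not show how BIG-IP ASM masks values internally; it reproduces the
    logged output the advisory describes so that the defective form can be
    compared with the expected one. The parameter name, host address and
    request are constructed to match the advisory's sample; mask_request with
    mask_referer=False produces the defective log form (query string masked,
    Referer header untouched), and find_unmasked is the check to run over
    exported or remote-syslog log lines to confirm that no value of a
    sensitive parameter reached the logs unmasked.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit, urlunsplit

MASK = "***"  # placeholder the advisory shows for a masked value


def mask_query(url: str, names: set[str]) -> str:
    """Mask the value of every query parameter named in `names`.

    Works on a request target ("/test.php?param=123") or an absolute URL as
    found in a Referer header. Pairs are rewritten in place so that all other
    parameters keep their original bytes; names are compared literally, so a
    percent-encoded name would not match (the sample inputs are not encoded).
    """
    parts = urlsplit(url)
    if not parts.query:
        return url
    masked = []
    for pair in parts.query.split("&"):
        name, sep, _value = pair.partition("=")
        masked.append(f"{name}={MASK}" if sep and name in names else pair)
    return urlunsplit(parts._replace(query="&".join(masked)))


def mask_request(raw: str, names: set[str], mask_referer: bool = True) -> str:
    """Return the raw request with `names` masked in the request line and Referer.

    mask_referer=False reproduces the defective behaviour from the advisory:
    only the request line is masked and the Referer header is logged verbatim.
    """
    lines = raw.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    lines[0] = f"{method} {mask_query(target, names)} {version}"
    for i, line in enumerate(lines[1:], start=1):
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "referer" and mask_referer:
            lines[i] = f"{header}: {mask_query(value.strip(), names)}"
    return "\r\n".join(lines)


def find_unmasked(text: str, names: set[str]) -> list[tuple[str, str]]:
    """Audit any text (a raw request, a syslog line) for sensitive values that
    escaped masking, wherever they appear, including inside a Referer URL.
    Returns (name, value) pairs whose value is not MASK."""
    leaks = []
    for name in sorted(names):
        # lookbehind rejects longer names that merely end in `name` (e.g. sparam)
        pattern = rf"(?<![\w.-]){re.escape(name)}=([^&\s\"']*)"
        for m in re.finditer(pattern, text):
            if m.group(1) != MASK:
                leaks.append((name, m.group(1)))
    return leaks


# Constructed sample mirroring the advisory's symptom (not a captured request).
RAW_REQUEST = (
    "GET /test.php?param=123 HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Referer: http://192.168.1.1/test.php?param=123\r\n"
    "\r\n"
)
SENSITIVE = {"param"}


def demo() -> tuple[str, str]:
    """Return (defective, expected) masked forms of RAW_REQUEST."""
    defective = mask_request(RAW_REQUEST, SENSITIVE, mask_referer=False)
    expected = mask_request(RAW_REQUEST, SENSITIVE)
    return defective, expected


if __name__ == "__main__":
    defective, expected = demo()
    print("As logged by an affected BIG-IP ASM (Referer unmasked):")
    print(defective)
    print("leaks:", find_unmasked(defective, SENSITIVE))
    print("Expected after the fix or the global-parameter workaround:")
    print(expected)
    print("leaks:", find_unmasked(expected, SENSITIVE))
```

    find_unmasked deliberately scans the whole text rather than only the
    query string, because the point of this issue is that the leak sits in a
    place the per-URL masking never looks at; feeding it exported ASM
    request logs for the affected policy is a quick way to confirm whether
    the workaround or the fixed release is actually in effect.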

Security Advisory Status

F5 Product Development has assigned ID 848445 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |16.0.0           |K2200: Most recent versions of F5       |
|                  |                 |software                                |
+------------------+-----------------+----------------------------------------+
|Point release/    |15.1.0.5         |K9502: BIG-IP hotfix and point release  |
|hotfix            |14.1.2.8         |matrix                                  |
+------------------+-----------------+----------------------------------------+

Security Advisory Recommended Actions

Workaround

To work around this issue, you can define the sensitive parameter as a global
sensitive parameter instead of configuring it specifically for an Allowed HTTP
URL. To do so, perform the following procedure:

Impact of workaround: Defining a global sensitive parameter masks the value of
the Referrer header in all requests and all logs, regardless of whether or not
there is sensitive information in it. Depending on your application
environment, this may have an impact, especially when troubleshooting
application issues.

 1. Log in to the Configuration utility.
 2. Go to Security > Application Security > URLs > Allowed URLs > Allowed HTTP
    URLs.
 3. For Current edited policy, select the policy you want to modify.
 4. Select the affected Allowed HTTP URL.
 5. Select URL Parameters.
 6. Check the affected sensitive parameter and select Delete.
 7. Select OK to confirm the deletion.
 8. Go to Security > Application Security > Parameters > Sensitive Parameters.
 9. For Current edited policy, select the policy you want to modify.
10. Select Create.
11. Enter the name of the parameter in the Parameter Name setting.
12. Select Create to save the change.
13. Select Apply Policy to affect the change.

Supplemental Information

  o K51812227: Understanding security advisory versioning
  o K41942608: Overview of AskF5 security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----