F5 BIG-IP versions 11.5.1 and below suffer from a reflected cross-site scripting vulnerability.
SEC Consult Vulnerability Lab Security Advisory < 20140828-0 >
=======================================================================
title: Reflected Cross-Site Scripting
product: F5 BIG-IP
vulnerable version: <= 11.5.1
fixed version: > 11.6.0
impact: Medium
CVE number: CVE-2014-4023
homepage: https://f5.com/
found: 2014-07-07
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor/product description:
-----------------------------
"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance. From load balancing and service offloading to acceleration and
security, the BIG-IP system delivers agility and ensures your applications
are fast, secure, and available."
URL: https://f5.com/products/big-ip
Vulnerability overview/description:
-----------------------------------
BIG-IP suffers from a reflected Cross-Site Scripting vulnerability,
which allows an attacker to steal other users' sessions, to impersonate other
users and to gain unauthorized access to the admin interface.
Proof of concept:
-----------------
The following HTTP request triggers the vulnerability:

POST /tmui/dashboard/echo.jsp HTTP/1.1
Host: BIGIP
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 29

<script>alert('xss')</script>

The server does not properly encode user supplied information and returns it
to the user resulting in Cross-Site Scripting.
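
The encoding failure described above, modelled as an added example (not F5's code; the source of echo.jsp is not part of this advisory): an echo handler that returns the POST body unencoded, the same handler with output encoding, and a check for retesting a captured response after the update. The function names and the marker string are assumptions made for the illustration.

```python
import html

# Constructed marker: harmless text that contains every HTML metacharacter.
MARKER = "<i id='retest-7f3a'>\"&"

def echo_unencoded(body: bytes):
    """Behaviour the advisory describes: POST body returned as-is in an HTML response."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return headers, body

def echo_encoded(body: bytes):
    """Hardened form: HTML-encode the reflected data and forbid content sniffing."""
    text = body.decode("utf-8", errors="replace")
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    # quote=True also encodes " and ', so the value is safe inside attributes.
    return headers, html.escape(text, quote=True).encode("utf-8")

def reflects_markup(headers: dict, body: bytes, marker: str = MARKER) -> bool:
    """True if the marker comes back verbatim in a response a browser may render as HTML."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    # A missing Content-Type without nosniff can be sniffed as HTML by the browser.
    renders_html = ctype in ("text/html", "application/xhtml+xml") or (not ctype and not nosniff)
    return renders_html and marker.encode("utf-8") in body

if __name__ == "__main__":
    for handler in (echo_unencoded, echo_encoded):
        hdrs, out = handler(MARKER.encode("utf-8"))
        print(handler.__name__, "reflects markup:", reflects_markup(hdrs, out))
```

To retest a real device, pass the headers and body of a response captured from the updated system to reflects_markup instead of the modelled handlers.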
Vulnerable / tested versions:
-----------------------------
More information can be found at:
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html
Vendor contact timeline:
------------------------
2014-07-08: Sending advisory and proof of concept exploit via encrypted
channel.
2014-07-09: Vendor confirms receipt of advisory. States that fix will be
released in the "next 6 weeks or so"
2014-07-24: Vendor provides CVE: CVE-2014-4023
2014-08-26: Vendor releases fixed version.
2014-08-28: SEC Consult releases a coordinated security advisory.
Solution:
---------
Update to the newest version.
More information can be found at:
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Stefan Viehböck / @2014