History: Jun 26, 2013 - 12:00 a.m.

K13600 : SSH vulnerability CVE-2012-1493

2013-06-26 00:00:00
my.f5.com

6.8 Medium


Security Advisory Description

A platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using secure shell (SSH). The vulnerability is caused by a configuration error, and is not the result of an underlying SSH defect.

The following platforms are affected by this issue:

  • VIPRION B2100, B4100, and B4200
  • BIG-IP 520, 540, 1000, 2000, 2400, 5000, 5100, 1600, 3600, 3900, 6900, 8900, 8950, 11000, and 11050
  • BIG-IP Virtual Edition
  • Enterprise Manager 3000 and 4000

Note: Systems that are licensed to run in Appliance mode on BIG-IP 10.2.1 HF3 or later are not susceptible to this vulnerability. For more information about Appliance mode, refer to K12815: Overview of Appliance mode.

The only sign that this vulnerability may have been exploited on an affected system would be the appearance of unexpected root login messages in the /var/log/secure file. However, there is no way to tell from any specific login message whether it was the result of this vulnerability. Further, it is possible for a privileged account to eliminate traces of illicit activity by modifying the log files.
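The advisory's only detection hint is unexpected root logins in /var/log/secure. The following is an added example (not part of the F5 advisory) that parses the standard sshd "Accepted ... for root from ..." records and returns the root logins whose source address is not on an operator-maintained allowlist of management hosts. The log lines and the allowlist are constructed for illustration. As the advisory notes, no single login line can be attributed to this vulnerability, and a root-level intruder can edit the file, so the output is a triage list, best produced from a copy of the log forwarded off the device.

```python
import re
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed sample of /var/log/secure content in the usual sshd syslog
# format. These are illustrative lines, not output from a real BIG-IP.
SAMPLE_SECURE_LOG = """\
Jun 25 23:58:41 bigip1 sshd[4821]: Accepted publickey for admin from 192.0.2.15 port 51022 ssh2
Jun 26 00:00:07 bigip1 sshd[4850]: Accepted publickey for root from 198.51.100.23 port 40318 ssh2
Jun 26 00:00:07 bigip1 sshd[4850]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 26 00:03:12 bigip1 sshd[4871]: Failed password for root from 198.51.100.23 port 40402 ssh2
Jun 26 00:04:55 bigip1 sshd[4899]: Accepted password for root from 10.0.0.5 port 39120 ssh2
Jun 26 00:10:01 bigip1 sshd[4950]: Accepted publickey for admin from 192.0.2.15 port 51100 ssh2
"""

# Matches the sshd "Accepted <method> for <user> from <ip> port <port>" record.
# Failed attempts and pam_unix session lines deliberately do not match.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_accepted_logins(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict (ts, host, pid, method, user, src, port) per successful sshd login."""
    events = []
    for line in lines:
        m = ACCEPTED_RE.match(line.rstrip("\n"))
        if m:
            events.append(m.groupdict())
    return events


def unexpected_root_logins(lines: Iterable[str],
                           allowed_sources: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Root logins whose source address is not in the expected management set.

    allowed_sources is an assumed, operator-maintained allowlist of management
    hosts; every root login from anywhere else is returned for analyst review.
    """
    return [
        e for e in parse_accepted_logins(lines)
        if e["user"] == "root" and e["src"] not in allowed_sources
    ]


def root_logins_by_source(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count root logins per (source address, auth method) to spot new or odd origins."""
    counts: Counter = Counter()
    for e in parse_accepted_logins(lines):
        if e["user"] == "root":
            counts[(e["src"], e["method"])] += 1
    return dict(counts)


if __name__ == "__main__":
    # Assumed management allowlist for the constructed sample.
    management_hosts = frozenset({"10.0.0.5"})
    log_lines = SAMPLE_SECURE_LOG.splitlines()
    for e in unexpected_root_logins(log_lines, management_hosts):
        print(f"REVIEW: {e['ts']} {e['host']} root login via {e['method']} from {e['src']}")
    for (src, method), n in root_logins_by_source(log_lines).items():
        print(f"root logins from {src} ({method}): {n}")
```

Run it against an exported copy of /var/log/secure (or lines received by a central syslog collector) rather than on the appliance itself, and populate the allowlist from your own management network; the regex only covers the standard OpenSSH "Accepted" record, so adjust it if the device's sshd logs in a different format.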

Neither a strong password policy nor remote authentication helps mitigate the issue. For information about protecting your system from exploitation, refer to the Recommended Action section below.

F5 would like to acknowledge Florent Daigniere of Matta Consulting for bringing this issue to our attention, and for following the highest standards of responsible disclosure.

Impact

Privileged (root) access may be granted to unauthenticated users.