K6669 : Apache HTTP Expect header handling

Security Advisory Description

Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of F5 security vulnerability response policy.

F5 products and versions that have been evaluated for this Security Advisory

The vulnerability exists in the Apache web server, which is used by FirePass. Apache will not sanitize the contents of the HTTP Expect header when receiving an HTTP request. Instead, the contents of the Expect header will be returned in a successful HTTP response. This permits executable code such as JavaScript that is inserted into the HTTP Expect header to be executed by the browser in the security context of the web site whose page was returned. A cross-site scripting attack may be permitted as a result, which can disclose sensitive information or perform other malicious actions.

This vulnerability is difficult to exploit because insertion of code into an HTTP header would generally require an attacker to have exploited another, more serious vulnerability in the browser. It is not sufficient to create a hyperlink with exploit code embedded in the URL parameters, as is the case with the standard cross-site scripting technique. Although ActiveX and the ActionScript language available in Adobe/Macromedia Flash have the capability to craft HTTP requests, including headers and proof-of-concepts, the constraint of having to first download a malicious ActiveX control or Flash file makes this vulnerability unlikely to be exploited.

Information about this advisory is available at the following locations:

<https://vulners.com/cve/CVE-2006-3918&gt;

<http://httpd.apache.org/security/vulnerabilities_13.html&gt;

<http://seclists.org/bugtraq/2006/May/0440.html&gt;

<http://www.securityfocus.com/archive/1/441014/30/0/&gt;

F5 Product Development tracked this issue as CR47467 for BIG-IP, and it was fixed in BIG-IP 9.4.0. For information about upgrading, refer to the BIG-IP LTM, GTM, ASM, Link Controller, or WebAccelerator release notes.

F5 Product Development tracked this issue as CR67295 for FirePass, and it was fixed in 5.5.2 and 6.0.1. For information about upgrading, refer to the FirePass release notes.

Additionally, this issue was fixed in cumulative hotfix 600-3 for FirePass software. You may download this hotfix or later versions of the cumulative hotfix from the F5 Downloads site.

For information about the F5 hotfix policy, refer to K4918: Overview of F5 critical issue hotfix policy.

For instructions about installing a FirePass hotfix, refer to K3430: Installing hotfixes.