The BIG-IP ASM CSRF token may fail to renew when the original web server renews its session

2018-04-06T08:33:00
ID F5:K70517410
Type f5
Reporter f5
Modified 2019-04-25T17:35:00

Description

F5 Product Development has assigned ID 683241 to this issue. F5 has confirmed that this issue exists in the products listed in the Applies to (see versions) box, located in the upper-right corner of this article. For information about releases, point releases, or hotfixes that resolve this issue, refer to the following table.

Type of fix | Fixes introduced in | Related articles
---|---|---
Release | 14.1.0, 11.5.6 | K2200: Most recent versions of F5 software
Point release/hotfix | 13.1.0.6, 12.1.3.6, 11.6.3.2 | K9502: BIG-IP hotfix and point release matrix

Workaround

To mitigate this issue, enable the Expiration Time setting of CSRF Protection for the affected security policy. When this setting is enabled, the CSRF token is issued with a default expiration time of 600 seconds. This bounds how long a token that was not renewed alongside the origin server's session remains usable, and is normally long enough to make an attack impractical. You can reduce the expiration time further; however, a shorter CSRF token expiration may cause many false positives in some scenarios, such as forms that users submit long after the page was rendered. To enable the Expiration Time setting of CSRF Protection, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Configuration utility.
  2. Navigate to Security > Application Security > CSRF Protection.
  3. From the Current edited policy list, select the security policy you want to modify.
  4. In the Expiration Time setting, select Enabled.
  5. To save the changes, click Save.
  6. When you are ready to deploy the modified policy, click Apply Policy.
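The following Python model is an added illustration of why the workaround helps; it is not BIG-IP ASM code and does not reproduce ASM's real token format. The token layout (issue time, nonce, HMAC), the key, and the timings are constructed for the example. It checks one token that was issued before the origin server renewed its session and, as the advisory describes, was never renewed: with expiration disabled the token is accepted indefinitely, with the 600-second default it is rejected once the window passes, and because the MAC covers the issue time a client cannot rewrite the timestamp to extend the lifetime.

```python
"""Illustrative model of a time-bounded CSRF token (added example).

Not BIG-IP ASM code and not ASM's token format. It models the property the
advisory's workaround relies on: a token that is not rotated when the
application session is renewed stays valid forever unless the token carries
an issue time that is enforced on every check, and that issue time must be
covered by the MAC so the client cannot extend it.
"""
import hashlib
import hmac
import secrets

# Default lifetime once the policy's Expiration Time setting is enabled (advisory value).
DEFAULT_EXPIRATION_SECONDS = 600


def issue_token(key: bytes, issued_at: int) -> str:
    """Return a token of the hypothetical form 'issued_at.nonce.mac'.

    The HMAC covers both the issue time and a random nonce, so editing
    the timestamp invalidates the MAC.
    """
    nonce = secrets.token_hex(8)
    mac = hmac.new(key, f"{issued_at}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}.{nonce}.{mac}"


def verify_token(key: bytes, token: str, now: int, expiration_seconds=None):
    """Validate `token` at time `now`; returns (accepted, reason).

    expiration_seconds=None models the policy default (Expiration Time
    disabled): only the MAC is checked, so an old token is accepted forever.
    """
    try:
        issued_s, nonce, mac = token.split(".")
        issued_at = int(issued_s)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, f"{issued_at}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad-mac"
    if expiration_seconds is not None:
        age = now - issued_at
        if age < 0:
            return False, "issued-in-future"  # forged or badly skewed timestamp
        if age > expiration_seconds:
            return False, "expired"
    return True, "ok"


def replay_outcomes(key: bytes, issued_at: int, replay_at: int) -> dict:
    """Check one token at `replay_at` under three settings.

    Models the advisory's scenario: the origin server renewed its session
    between `issued_at` and `replay_at`, but the token was not renewed, so
    only an enforced expiry can stop the replay.
    """
    token = issue_token(key, issued_at)
    # An attacker tries to stretch the lifetime by rewriting the issue time.
    _, nonce, mac = token.split(".")
    forged = f"{replay_at}.{nonce}.{mac}"
    return {
        "expiry_disabled": verify_token(key, token, replay_at),
        "expiry_600s": verify_token(key, token, replay_at, DEFAULT_EXPIRATION_SECONDS),
        "expiry_600s_forged_timestamp": verify_token(
            key, forged, replay_at, DEFAULT_EXPIRATION_SECONDS
        ),
    }


if __name__ == "__main__":
    k = secrets.token_bytes(32)   # constructed key
    t0 = 1_700_000_000            # constructed issue time
    for replay_at in (t0 + 300, t0 + 3600):  # inside the window / one hour later
        print(replay_at - t0, "s later:", replay_outcomes(k, t0, replay_at))
```

Reducing `DEFAULT_EXPIRATION_SECONDS` in this model has the same trade-off the advisory warns about: every legitimate submission older than the window is rejected as "expired", which is exactly the false-positive case.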

F5 would like to acknowledge Niall Caffrey of the Edgescan company for bringing this issue to our attention and for following the highest standards of responsible disclosure.