SOL14700 - BIG-IP APM clickjacking vulnerability

2013-09-18T00:00:00
ID SOL14700
Type f5
Reporter f5
Modified 2014-08-22T00:00:00

Description

Note: This issue has been addressed in BIG-IP APM 11.3.0 and later through the use of the X-Frame-Options header in the Access Policy pages. Changing the apm.xframeoptions or apm.xframeoptions.allowfrom db variables from their defaults on a BIG-IP APM 11.3.0 or later system may reopen the system to this vulnerability. For more information, refer to SOL16642: Overview of the apm.xframeoptions db key.

Recommended action

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.

To mitigate this vulnerability, you can modify the logon web page to include additional code to protect against clickjacking. To do so, perform the following procedure:

Impact of action: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Configuration utility.
  2. Navigate to Access Policy.
  3. Navigate to Access Policy > Customization > Advanced Customization.
  4. From the Edit Mode menu, select Advanced.
  5. Select the resource type folder for Access Profiles.
  6. Select the subfolder that shares the name of the affected access policy.
  7. Select the folder Logon Pages > Logon Page.
  8. Select the logon.inc file.
  9. In the logon.inc file, locate the line <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN"> (typically line 96 of an unmodified logon.inc file).

The following lines appear just below the DOCTYPE line:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<title>%{session.server.network.name}</title>
<link rel="stylesheet" type="text/css" HREF="/public/include/css/apm.css">

  10. Locate the last line listed in the previous example (typically line 103 of an unmodified logon.inc file), and add the following code just after that line:

<style id="antiClickjack">body{display:none !important;}</style>

  11. Locate the function sessionTimedOut () (typically line 113 after completing the previous modification).

  12. After function sessionTimedOut (), add the following lines, starting at line 114:

if (self === top) {
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
} else {
    top.location = self.location;
}

  13. In the top right corner of the editor, click Save Draft.
  14. On the top left side of the editor, click Save.
  15. In the top left corner of the Configuration utility, click Apply Access Policy.
  16. Click Apply Access Policy.
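The following Python script is an added example, not F5's code and not part of this article. It turns the procedure above into two checks a defender can run: an audit of a captured logon page response (does the X-Frame-Options header that 11.3.0 and later emit by default restrict framing, and does the HTML already carry the inline style and frame-busting script from steps 10 and 12?) and an idempotent patch routine that inserts the advisory's two snippets at the insertion points the procedure names. The mitigation text is copied verbatim from the procedure; SAMPLE_LOGON_INC is a constructed stand-in for an unmodified logon.inc (only the lines the advisory quotes plus a stub sessionTimedOut()), and the function names, the assumption that the opening brace of sessionTimedOut() sits on the same line as the function name, and all header values are mine.

```python
"""Added example (not F5's code): audit a BIG-IP APM logon page for the
SOL14700 clickjacking mitigations and apply the inline fix to a logon.inc."""
import re

# Verbatim from the advisory's procedure (steps 10 and 12).
ANTICLICKJACK_STYLE = '<style id="antiClickjack">body{display:none !important;}</style>'
ANTICLICKJACK_SCRIPT = (
    'if (self === top) {\n'
    'var antiClickjack = document.getElementById("antiClickjack");\n'
    'antiClickjack.parentNode.removeChild(antiClickjack);\n'
    '} else {\n'
    'top.location = self.location;\n'
    '}'
)
# Last line of the <head> excerpt the advisory shows: the style goes right after it.
STYLESHEET_LINE = '<link rel="stylesheet" type="text/css" HREF="/public/include/css/apm.css">'
# The line the advisory tells you to find: the script goes on the line after it.
TIMEOUT_FUNC_LINE = re.compile(r'^.*\bfunction\s+sessionTimedOut\s*\(\s*\).*$', re.MULTILINE)

# Constructed sample, NOT a real logon.inc. Assumption: the opening brace of
# sessionTimedOut() is on the same line as the name, so the inserted lines
# land inside the function body as the advisory's line numbering describes.
SAMPLE_LOGON_INC = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<title>%{session.server.network.name}</title>
<link rel="stylesheet" type="text/css" HREF="/public/include/css/apm.css">
<script type="text/javascript">
function sessionTimedOut () {
    /* constructed stub: the real function is not reproduced here */
}
</script>
</head>
<body></body>
</html>
"""


def audit_headers(headers):
    """True if the response's X-Frame-Options value restricts framing.
    This is the header-based protection BIG-IP APM 11.3.0+ emits by default;
    a False here on such a version suggests apm.xframeoptions was changed."""
    for name, value in headers.items():
        if name.lower() == "x-frame-options":
            v = value.strip().upper()
            return v in ("DENY", "SAMEORIGIN") or v.startswith("ALLOW-FROM ")
    return False


def audit_logon_inc(html):
    """(style_present, script_present) for the inline mitigation from the procedure."""
    style_present = 'id="antiClickjack"' in html and 'display:none' in html
    script_present = 'self === top' in html and 'top.location = self.location' in html
    return style_present, script_present


def patch_logon_inc(html):
    """Return html with the two snippets inserted at the advisory's insertion points.
    Idempotent: input is returned unchanged when both pieces are already present."""
    style_present, script_present = audit_logon_inc(html)
    if not style_present:
        if html.count(STYLESHEET_LINE) != 1:
            raise ValueError("apm.css stylesheet line not found exactly once; check the file layout")
        html = html.replace(STYLESHEET_LINE, STYLESHEET_LINE + "\n" + ANTICLICKJACK_STYLE, 1)
    if not script_present:
        m = TIMEOUT_FUNC_LINE.search(html)
        if m is None:
            raise ValueError("function sessionTimedOut () not found; check the file layout")
        html = html[:m.end()] + "\n" + ANTICLICKJACK_SCRIPT + html[m.end():]
    return html


def audit(headers, html):
    """One-word verdict for a captured logon page response."""
    if audit_headers(headers):
        return "header"      # X-Frame-Options in place (11.3.0+ default)
    style_present, script_present = audit_logon_inc(html)
    if style_present and script_present:
        return "inline"      # SOL14700 workaround fully applied
    if style_present or script_present:
        return "partial"     # style without script leaves the body hidden; script alone only redirects
    return "none"


if __name__ == "__main__":
    print(audit({"Content-Type": "text/html"}, SAMPLE_LOGON_INC))
    print(audit({"Content-Type": "text/html"}, patch_logon_inc(SAMPLE_LOGON_INC)))
```

Run it against the headers and body you capture from the logon page of each access profile; "none" on a pre-11.3.0 system means the procedure above has not been applied to that profile's logon.inc, and "none" on 11.3.0 or later means the apm.xframeoptions db variables are no longer at their defaults (see SOL16642). The "partial" verdict exists because the two snippets only work together: the style hides the body unconditionally and the script is what removes it again when the page is not framed.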

Acknowledgments

F5 would like to acknowledge Tony Dimichele, with BNP Paribas US, for his efforts in identifying this issue.

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
  • SOL13123: Managing BIG-IP product hotfixes (11.x)