Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
f5F5SOL14700
HistorySep 18, 2013 - 12:00 a.m.

SOL14700 - BIG-IP APM clickjacking vulnerability

2013-09-1800:00:00
support.f5.com
62
JSON

Note: This issue has been addressed in BIG-IP APM 11.3.0 and later through the use of the x-frame-options header in the Access Policy pages. Modifying a BIG-IP APM 11.3.0 or later system dB variable settings forapm.xframeoptionsorapm.xframeoptions.allowfrom from their defaults may open the system to this vulnerability. For more information, refer to SOL16642: Overview of the apm.xframeoptions db key.

Recommended action

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.

To mitigate this vulnerability, you can modify the logon web page to include additional code to protect against clickjacking. To do so, perform the following procedure:

Impact of action: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Configuration utility.
  2. Navigate to Access Policy.
  3. Navigate to Access Policy >Customization > Advanced****Customization.
  4. From the Edit Mode menu, selectAdvanced.
  5. Select the resource type folder for Access Profiles.
  6. Select the subfolder that shares the name of the affected access policy.
  7. Select the folder Logon Pages >** Logon Page**.
  8. Select the logon.inc file.
  9. In the logon.inc file, locate the line**<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML//EN”>(typically line 96 of an unmodifiedlogin.inc** file).

You will see the following lines just below this title.

<html>
<head>
<meta http-equiv=“Content-Type” content=“text/html; charset=utf-8”>
<meta http-equiv=“pragma” content=“no-cache”>
<meta http-equiv=“cache-control” content=“no-cache”>
<title>%{session.server.network.name}</title>
<link rel=“stylesheet” type=“text/css” HREF=“/public/include/css/apm.css”>

  1. Locate the last line listed in the previous example (typically line 103 of an unmodified logon.inc file), and add the following code just after that line:

<style id=“antiClickjack”>body{display:none !important;}</style>

  1. Locate the functionsessionTimedOut ()(typically line 113 after completing the previous modification).

  2. After function** sessionTimedOut ()**, add the following lines, starting at line 114.

** ** if (self === top) {
var antiClickjack = document.getElementById(“antiClickjack”);
antiClickjack.parentNode.removeChild(antiClickjack);

} else {
top.location = self.location;
}

  1. In the top right corner of the editor, click Save Draft.
  2. In the top left side of the editor, click** Save**.
  3. In the top left corner of the Configuration utility, click Apply Access Policy.
  4. Click** Apply Access Policy**.

Acknowledgments

F5 would like to acknowledge Tony Dimichele, with BNP Paribas US, for his efforts in identifying this issue.

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
  • SOL13123: Managing BIG-IP product hotfixes (11.x)
CPENameOperatorVersion
big-ip apmle11.2.1
JSON