History: Aug 28, 2014 - 12:00 a.m.

SOL15236 - ConfigSync IP Rsync full file system access vulnerability CVE-2014-2927

Published: 2014-08-28 00:00:00
Source: support.f5.com

EPSS: 0.099 (Low), Percentile: 94.9%

Recommended Action

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, then no upgrade candidate currently exists.

To mitigate this vulnerability, you should ensure the IP address used for ConfigSync is on a trusted network. Additionally, you should ensure TCP port 873 (tcp:873 or tcp:rsync) is disabled on self IP addresses. To do so, perform both of the following procedures:

  • Ensuring TCP port 873 is not allowed as a default service (allow-service default)
  • Ensuring your ConfigSync self IP is not configured with a Port Lockdown setting of Allow All (allow-service all) and does not specifically have TCP port 873 (tcp:rsync) enabled

Ensuring TCP port 873 is not allowed as a default service (allow-service default)

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Traffic Management Shell (tmsh) by typing the following command:

     tmsh

  2. List the default services allowed by the allow-service default setting by typing the following command:

     list net self-allow

     Output appears similar to the following example:

     net self-allow {
         defaults {
             ospf:any
             tcp:domain
             tcp:f5-iquery
             tcp:https
             tcp:snmp
             tcp:ssh
             udp:520
             udp:cap
             udp:domain
             udp:f5-iquery
             udp:snmp
         }
     }

  3. If TCP port 873 (tcp:873 or tcp:rsync) is listed as a default allowed port, you should delete the entry by typing the following command:

     modify net self-allow defaults delete { tcp:rsync }

  4. Save the configuration by typing the following command:

     save sys config

Ensuring your ConfigSync self IP is not configured with a Port Lockdown setting of Allow All (allow-service all) and does not specifically have TCP port 873 (tcp:rsync) enabled

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the BIG-IP or Enterprise Manager Configuration utility.
  2. Navigate to Device Management > Devices.
  3. Select the device indicated as (Self).
  4. Navigate to Device Connectivity > ConfigSync.
  5. Note the IP address listed in Local Address.
  6. Navigate to Network > Self IPs.
  7. Click the self IP address that matches the Local Address from step 5.
  8. Ensure the Port Lockdown setting is not set to Allow All, or Allow Custom with TCP port 873 (Rsync) added to the Custom List of allowed ports.

     For example, either delete TCP port 873 from the Custom List of allowed ports, or select Allow Default from the Port Lockdown menu.

  9. Click Update to save the configuration.
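The two procedures above amount to one check: is TCP 873 reachable on any self IP, either directly (Allow All, or rsync in a custom list) or through the allow-service default set? The following audit script is an added example, not part of the F5 article; it parses captured output of the tmsh commands named above. The self-allow sample follows the shape shown on this page, while the "list net self" format (one block per self IP, allow-service given as the word "all" or a braced list) is an assumption.

```python
import re
RSYNC = {"tcp:rsync", "tcp:873"}   # both spellings the advisory mentions

# Constructed "list net self-allow" output (shape as above) with tcp:rsync in defaults.
SELF_ALLOW_OUTPUT = """\
net self-allow {
    defaults {
        tcp:https
        tcp:rsync
    }
}
"""

# Constructed "list net self" output (format assumed: one block per self IP;
# allow-service is either the word "all" or a braced list of service entries).
SELF_OUTPUT = """\
net self 10.0.1.5 {
    address 10.0.1.5/24
    allow-service {
        default
    }
}
net self 10.0.2.5 {
    address 10.0.2.5/24
    allow-service all
}
"""

def parse_self_allow(text):
    """Return the set of services in the 'defaults' block of net self-allow."""
    m = re.search(r"defaults\s*\{([^}]*)\}", text)
    return set(m.group(1).split()) if m else set()

def parse_self_ips(text):
    """Map each self IP to its allow-service setting: 'all' or a set of entries."""
    result = {}
    for name, body in re.findall(r"net self (\S+) \{(.*?)\n\}", text, re.S):
        m = re.search(r"allow-service (all|\{([^}]*)\})", body)
        # "all" is Port Lockdown Allow All; a braced list is Allow Default/Custom
        result[name] = "all" if m and m.group(2) is None else (
            set(m.group(2).split()) if m else set())
    return result

def rsync_exposed_self_ips(self_allow_text, self_text):
    """Names of self IPs on which TCP 873 (rsync) would be reachable, in order."""
    defaults = parse_self_allow(self_allow_text)
    return [name for name, allow in parse_self_ips(self_text).items()
            if allow == "all" or allow & RSYNC
            or ("default" in allow and defaults & RSYNC)]
```

Removing tcp:rsync from the defaults (step 3 of the first procedure) clears 10.0.1.5, but 10.0.2.5 stays exposed until its Port Lockdown is changed from Allow All.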

Acknowledgments

F5 would like to acknowledge Thomas Hibbert of Security Assessment for bringing this issue to our attention, and for following the highest standards of responsible disclosure.

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4602: Overview of the F5 security vulnerability response policy
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
  • SOL13123: Managing BIG-IP product hotfixes (11.x)
  • SOL9502: BIG-IP hotfix matrix
