SOL2232 - checktrap.pl script may be vulnerable to remote command execution

2007-05-16T00:00:00
ID SOL2232
Type f5
Reporter f5
Modified 2010-09-13T00:00:00

Description

The checktrap.pl script may be vulnerable to remote command execution.

F5 Networks Product Development tracked this issue as CR35371 and CR35372, and it was fixed in BIG-IP and 3-DNS version 4.5.12 for the 4.5 software branches and in version 4.6.3 for the 4.6 software branches.

Obtaining and installing patches

BIG-IP and 3-DNS versions 4.6.0 through 4.6.2

Important: The system will reboot as soon as it installs the patch. Install this patch only on a system that is in standby mode.

To download and install the patch, perform the following procedure:

  1. Open the F5 Networks Downloads page in a browser.
  2. Navigate to the BIG-IP >> BIG-IP v4.x >> BIG-IP 4.6.x section.
  3. Click checktrap and download the checktrap-4.6x-BIG_IP.im file.

For information about how to download software, refer to SOL167: Downloading software from F5 Networks.

  4. Verify the MD5 checksum of the patch by typing the following command:

md5 checktrap-4.6x-BIG_IP.im

Output similar to the following example should appear:

0b4d7c354355c47d0fe06189ca737290 checktrap-4.6x-BIG_IP.im

  5. Install the patch by typing the following command:

im checktrap-4.6x-BIG_IP.im

BIG-IP and 3-DNS versions 4.5.0 through 4.5.10

Important: The system will reboot as soon as it installs the patch. Install this patch only on a system that is in standby mode.

To download and install the patch, perform the following procedure:

  1. Open the F5 Networks Downloads page in a browser.
  2. Navigate to the BIG-IP >> BIG-IP v4.x >> BIG-IP 4.5.x section.
  3. Click checktrap and download the checktrap-4.5x-BIG_IP.im file.

For information about how to download software, refer to SOL167: Downloading software from F5 Networks.

  4. Verify the MD5 checksum of the patch by typing the following command:

md5 checktrap-4.5x-BIG_IP.im

Output similar to the following example should appear:

0b4d7c354355c47d0fe06189ca737290 checktrap-4.5x-BIG_IP.im

  5. Install the patch by typing the following command:

im checktrap-4.5x-BIG_IP.im

Workaround

To protect controllers that are configured with SNMP traps, upgrade to the most recent version of BIG-IP or 3-DNS.

If upgrading or applying a patch is not an immediate option, you can work around this issue by performing the following two procedures.

Note: This workaround provides the same protection as applying the patch.

Disabling syslog messages

To disable syslog messages to the /var/run/trapper file, perform the following procedure:

  1. Using a text editor, edit the /etc/syslog.conf file.
  2. Look toward the bottom of the file for lines that appear similar to the following example:

local0.* /var/run/trapper
local1.* /var/run/trapper

  3. If they exist, comment them out so that they appear similar to the following example:

# local0.* /var/run/trapper
# local1.* /var/run/trapper

  4. Save the file.
  5. Restart syslogd by typing the following command:

kill -HUP $(pidof syslogd)
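
As an added example (not part of the F5 article), the following POSIX shell helper audits a copy of syslog.conf for the local0/local1 lines that forward to /var/run/trapper and comments them out, which is the edit steps 2 and 3 above describe doing by hand. It assumes a sed that accepts -E and -i.bak (GNU or BSD sed) and runs against a constructed sample file rather than the live /etc/syslog.conf.

```shell
#!/bin/sh
# Added example, not from the F5 article: find syslog.conf lines that route
# local0/local1 messages to /var/run/trapper and comment them out.
# Assumption: sed accepts -E and -i.bak (GNU or BSD sed).

# Selector + action pattern: a local0.<priority> or local1.<priority> line
# whose action is the /var/run/trapper file. The anchor "^" is added by the
# callers, so an already-commented line (leading '#') never matches.
TRAPPER_RE='[[:space:]]*local[01]\.[^[:space:]]*[[:space:]]+/var/run/trapper'

# Print the still-active trapper lines in the given file (exit 1 if none).
trapper_lines_active() {
    grep -E "^$TRAPPER_RE" "$1"
}

# Count the still-active trapper lines without printing them.
count_trapper_lines_active() {
    grep -cE "^$TRAPPER_RE" "$1"
}

# Comment the matching lines out in place, keeping a .bak copy of the file.
# Idempotent: lines that already start with '#' are left untouched.
disable_trapper_lines() {
    sed -i.bak -E 's|^('"$TRAPPER_RE"')|# \1|' "$1"
}

# Constructed sample excerpt standing in for /etc/syslog.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
*.info;mail.none    /var/log/messages
local0.*            /var/run/trapper
local1.*            /var/run/trapper
EOF

echo "Before: $(count_trapper_lines_active "$SAMPLE_CONF") active trapper line(s)"
disable_trapper_lines "$SAMPLE_CONF"
echo "After:  $(count_trapper_lines_active "$SAMPLE_CONF") active trapper line(s)"
cat "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF" "$SAMPLE_CONF.bak"
```

On a real controller, point the helpers at /etc/syslog.conf and send syslogd a HUP afterwards, as in the step above.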

Enabling port lockdown

Enabling port lockdown on any exposed VLAN will prevent a remote attacker from sending arbitrary text to the syslog facility. To enable port lockdown, perform the following procedure:

  1. View the current port lockdown status for a specific VLAN by typing the following command:

bigpipe vlan <vlan name> show |grep lockdown

For example:

bigpipe vlan internal show |grep lockdown

The output will show lockdown disabled or lockdown enabled and will appear similar to the following example:

port_lockdown Disabled

  2. If disabled, enable port lockdown on the VLAN by typing the following command:

bigpipe vlan <vlan name> port_lockdown enable

For example:

bigpipe vlan internal port_lockdown enable

  3. Save the new setting by typing the following command:

bigpipe base save