SOL2452 - Vulnerabilities in the HTTP TRACE method - VU#867593

2008-12-31T00:00:00
ID SOL2452
Type f5
Reporter f5
Modified 2011-08-26T00:00:00

Description

Note: Versions that are not listed in this Solution have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to SOL4602: Overview of F5 security vulnerability response policy.

F5 products and versions that are not affected by this Security Advisory

F5 Product Development has determined the following products and versions are not subject to the vulnerability described in this security advisory:

  • BIG-IP versions 4.5.10 - 4.5.14
  • BIG-IP versions 4.6.2 - 4.6.4
  • 3-DNS versions 4.5.10 - 4.5.14
  • 3-DNS versions 4.6.2 - 4.6.4
  • BIG-IP LTM versions 9.0.0 - 9.1.3
  • BIG-IP LTM versions 9.2.0 - 9.2.5
  • BIG-IP LTM versions 9.3.0 - 9.3.1
  • BIG-IP LTM versions 9.4.0 - 9.4.8
  • BIG-IP LTM versions 9.6.0 - 9.6.1
  • BIG-IP LTM versions 10.0.0 - 10.0.1
  • BIG-IP ASM versions 9.2.0 - 9.2.5
  • BIG-IP ASM versions 9.3.0 - 9.3.1
  • BIG-IP ASM versions 9.4.0 - 9.4.8
  • BIG-IP ASM versions 10.0.0 - 10.0.1
  • BIG-IP GTM versions 9.2.2 - 9.2.5
  • BIG-IP GTM versions 9.3.0 - 9.3.1
  • BIG-IP GTM versions 9.4.0 - 9.4.8
  • BIG-IP GTM versions 10.0.0 - 10.0.1
  • BIG-IP Link Controller versions 9.2.2 - 9.2.5
  • BIG-IP Link Controller versions 9.3.0 - 9.3.1
  • BIG-IP Link Controller versions 9.4.0 - 9.4.8
  • BIG-IP Link Controller versions 10.0.0 - 10.0.1
  • BIG-IP WebAccelerator versions 9.4.0 - 9.4.8
  • BIG-IP WebAccelerator versions 10.0.0 - 10.0.1
  • BIG-IP WOM versions 10.0.0 - 10.0.1
  • BIG-IP PSM versions 9.4.5 - 9.4.8
  • BIG-IP PSM versions 10.0.0 - 10.0.1
  • BIG-IP SAM version 8.0.0
  • FirePass versions 3.1.0 - 5.5.2
  • FirePass versions 6.0.0 - 6.0.3
  • Enterprise Manager versions 1.0.0 - 1.4.1
  • Enterprise Manager versions 1.6.0 - 1.8.0

F5 products and versions that are affected by this Security Advisory

F5 Product Development has determined the following products and versions are subject to the vulnerability described in this security advisory:

  • BIG-IP versions 4.5.0 - 4.5.9
  • BIG-IP versions 4.6.0 - 4.6.1
  • 3-DNS versions 4.5.0 - 4.5.9
  • 3-DNS versions 4.6.0 - 4.6.1

FirePass is not susceptible to this vulnerability, because the TRACE functionality in FirePass has been explicitly disabled.

BIG-IP and 3-DNS are vulnerable because they use Apache. Currently there is no way to disable HTTP TRACE on these products; however, F5 has determined that the risk is very low and, therefore, has chosen not to address this vulnerability.

For this vulnerability to pose a security risk to BIG-IP or 3-DNS, the workstation or browser in question would have to be authenticated to the BIG-IP Administration Web Server, and that same browser would then have to visit a web page that the attacker has prepared, which requires the attacker to know in advance which page the browser will visit. The attacker's page would cause the browser to issue an HTTP TRACE request against the vulnerable F5 product; because TRACE echoes the request back to the client, the response would carry the browser's own authentication headers and cookies for that administrative session, which is what the attacker's page is after. This is an extremely unlikely scenario, so the risk is very low.

If you are concerned that this vulnerability may affect the servers that BIG-IP is load balancing, you can address this issue by creating a rule that discards requests whose http_method is TRACE. For information about creating rules, refer to the Reference Guide for the product you are running.
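The following script is an added example (not F5 code and not part of this Solution) that makes the two preceding points concrete: it sends a TRACE request carrying a marker header and reports whether the server echoes it back, which is the behaviour the cross-site tracing scenario above relies on, and it can be pointed at a virtual server after a discard rule is in place to confirm that TRACE requests no longer get an echoed response. The hostnames, the header name X-Trace-Probe and the two sample responses are constructed for illustration; the `check_host` function talks to a real network target and is only invoked when a host is given on the command line.

```python
"""Probe an HTTP server for an echoed TRACE response.

Added example, not F5 code. A server that implements TRACE (RFC 2616
section 9.8) answers 200 with Content-Type message/http and a body that is
a copy of the request it received, including any Cookie or Authorization
header the client attached. That echo is what cross-site tracing abuses.
"""
import socket
import sys

# Hypothetical probe header; its value is what we look for in the echo.
MARKER_NAME = "X-Trace-Probe"
MARKER_VALUE = "xst-check-1"


def build_trace_request(host: str, path: str = "/", marker: str = MARKER_VALUE) -> bytes:
    """Build a minimal HTTP/1.1 TRACE request with a distinctive marker header."""
    lines = [
        f"TRACE {path} HTTP/1.1",
        f"Host: {host}",
        f"{MARKER_NAME}: {marker}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    head_lines = head.decode("iso-8859-1").split("\r\n")
    parts = head_lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {head_lines[0]!r}")
    headers = {}
    for line in head_lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body.decode("iso-8859-1", errors="replace")


def is_trace_echo(raw: bytes, marker: str = MARKER_VALUE) -> bool:
    """True when the server answered 200 and our marker header appears in the body.

    An empty response (connection dropped, as a discarding rule produces) or a
    non-200 status such as 405 Method Not Allowed counts as "not echoed".
    """
    if not raw:
        return False
    status, _headers, body = parse_response(raw)
    if status != 200:
        return False
    return f"{MARKER_NAME}: {marker}".lower() in body.lower()


def check_host(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> bool:
    """Send a real TRACE to host:port and report whether it was echoed (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return is_trace_echo(b"".join(chunks))


# Constructed sample: what an Apache server with TRACE enabled returns.
SAMPLE_ECHO = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Connection: close\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: bigip.example.test\r\n"
    b"X-Trace-Probe: xst-check-1\r\n"
    b"Connection: close\r\n"
)

# Constructed sample: a server that refuses the method outright.
SAMPLE_REJECT = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print(f"{target}: TRACE {'echoed' if check_host(target) else 'not echoed'}")
    else:
        print("constructed echo sample   ->", is_trace_echo(SAMPLE_ECHO))
        print("constructed reject sample ->", is_trace_echo(SAMPLE_REJECT))
        print("dropped connection        ->", is_trace_echo(b""))
```

Run it with no arguments to exercise the constructed samples, or with a hostname to probe a real virtual server; a discarding rule shows up as a dropped connection, which the script reports as not echoed rather than as an error.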

It is also important that you always use the following precautions to minimize exposure of administrative access, which greatly reduces the possibility that an F5 product will be compromised:

  • Limit access to User Administration Web Servers and SSH daemons through firewalls, routers, and other external devices.
  • Limit access to User Administration Web Servers through configuration of the httpd.conf file on the F5 device.
  • Limit access to SSH daemons through configuration of Administrative IP Address for SSH in the Configuration utility. Where applicable, limit access to the User Administration Web Servers and SSH daemon through IP filters.

F5 Product Development tracked this issue as CR29422, CR29885, and CR32144 and it was fixed in BIG-IP and 3-DNS version 4.5.10 of the 4.5 software branch and version 4.6.2 of the 4.6 software branch. For information about upgrading, refer to the BIG-IP or 3-DNS release notes.