SOL7147 - Execution of UNIX shell commands from the URL in the Admin UI

ID SOL7147
Type f5
Reporter f5
Modified 2015-03-30T00:00:00


A URL that is accessible from the Device Management > Maintenance > Troubleshooting Tools page can be modified to inject UNIX shell commands, which are then executed with user-level privileges. Only FirePass Administrators with permission to access this URL can perform this action. Standard FirePass users or non-authenticated attackers cannot access this URL, and therefore cannot exploit this issue.
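Because the injection travels in the query string of an admin-only URL, the Admin UI access log is the natural place to look for attempts. The following is an added detection example, not code from F5 or from this advisory; the troubleshooting page path and the log lines are constructed placeholders, since the advisory does not name the affected URL.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# The advisory does not name the affected URL; this path is a placeholder (assumption)
# to be replaced with the Troubleshooting Tools path seen in your own FirePass access logs.
TROUBLESHOOTING_PATH = "/admin/troubleshooting"

# Shell operators and substitutions that never belong in a tool argument such as a hostname.
SHELL_META = re.compile(r"[;|&`\n]|\$\(|\$\{|<\(|>\(")

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_params(target):
    """Return (name, decoded value) pairs whose value carries shell metacharacters,
    but only for requests to the troubleshooting page; other paths are ignored."""
    parts = urlsplit(target)
    if parts.path != TROUBLESHOOTING_PATH:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; decode again to catch %253B-style double encoding
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_access_log(lines):
    """Return one finding per request whose troubleshooting-tool parameters look like command injection."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"client": m.group("client"), "user": m.group("user"),
                             "time": m.group("time"), "status": int(m.group("status")),
                             "params": hits})
    return findings

# Constructed sample log lines (not taken from a real device).
SAMPLE_LOG = [
    '10.0.0.5 - admin [30/Mar/2015:10:00:01 +0000] "GET /admin/troubleshooting?tool=ping&host=10.0.0.1 HTTP/1.1" 200 512',
    '10.0.0.7 - admin2 [30/Mar/2015:10:02:13 +0000] "GET /admin/troubleshooting?tool=ping&host=10.0.0.1%3Bid HTTP/1.1" 200 734',
    '10.0.0.8 - user1 [30/Mar/2015:10:05:02 +0000] "GET /portal/home?q=a%7Cb HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} user={f['user']} status={f['status']} params={f['params']}")
```

A 200 response on a flagged request from an administrative account is the case to triage first, since the advisory notes that only administrators with access to this page can reach the vulnerable code path.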

F5 Product Development tracked this issue as CR75705, and it has been fixed in FirePass software feature release version 6.0.1. For information about upgrading, refer to the FirePass Release Notes.

Additionally, hotfix HF-75705-1 has been issued for supported versions of FirePass. You may download this hotfix or later versions of the hotfix from the F5 Downloads site. The fix for this issue will also be included in future versions of the cumulative hotfix for versions 6.0.0 and 5.5.2. Refer to the readme file accompanying future cumulative hotfixes for this CR.

For instructions about how to obtain a hotfix, refer to SOL167: Downloading software and firmware from F5.

For instructions about installing a hotfix, refer to SOL3430: Installing FirePass hotfixes.


Any user accounts that have been given administrator rights using Administrative Realms can be denied access to the affected URL by performing the following procedure:

  1. Log in to the FirePass Administrative console.
  2. Navigate to Device Management > Security.
  3. Click Administrative Realms.
  4. Click the Features link next to the name of the individual user, or click Edit in the realm's Feature access column for all users in the realm.
  5. Clear the check box next to Troubleshooting Tools.
  6. Click Save.

Additionally, follow security best practices, such as limiting the number of people who know the admin account password and disabling administrative access on the Internet-facing Web Services.


F5 would like to acknowledge Brendan O'Connor for his efforts in identifying this issue.