SEC Consult SA-20140828-0 :: F5 BIG-IP Reflected Cross-Site Scripting


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20140828-0 >
=======================================================================
              title: Reflected Cross-Site Scripting
            product: F5 BIG-IP
 vulnerable version: <= 11.5.1
      fixed version: > 11.6.0
             impact: Medium
         CVE number: CVE-2014-4023
           homepage: https://f5.com/
              found: 2014-07-07
                 by: Stefan Viehbock
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
- -----------------------------
"The BIG-IP product suite is a system of application delivery services
that work together on the same best-in-class hardware platform or
software virtual instance. From load balancing and service offloading to
acceleration and security, the BIG-IP system delivers agility—and ensures
your applications are fast, secure, and available."

URL: https://f5.com/products/big-ip

Vulnerability overview/description:
- -----------------------------------
BIG-IP suffers from a reflected Cross-Site Scripting vulnerability, which
allows an attacker to steal other users' sessions, to impersonate other
users and to gain unauthorized access to the admin interface.

Proof of concept:
- -----------------
The following HTTP request triggers the vulnerability:

POST /tmui/dashboard/echo.jsp HTTP/1.1
Host: BIGIP
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 29

<script>alert('xss')</script>

The server does not properly encode user-supplied information and returns
it to the user, resulting in Cross-Site Scripting.

Vulnerable / tested versions:
- -----------------------------
More information can be found at:
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html

Vendor contact timeline:
- ------------------------
2014-07-08: Sending advisory and proof of concept exploit via encrypted channel.
2014-07-09: Vendor confirms receipt of advisory.
            States that fix will be released in the "next 6 weeks or so"
2014-07-24: Vendor provides CVE: CVE-2014-4023
2014-08-26: Vendor releases fixed version.
2014-08-28: SEC Consult releases a coordinated security advisory.

Solution:
- ---------
Update to the newest version. More information can be found at:
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html

Workaround:
- -----------
No workaround available.

Advisory URL:
- -------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

EOF Stefan Viehbock / @2014

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJT/wVOAAoJECyFJyAEdlkKq9cIAKX9MEOpw8p9i8KWZXmkBiBr
S3n9YPNk6bbGbm+YfNCvXvtdSTPhh4I1wBY/WYWENpnQrwdiJ3couS5f2/DQzHTP
uCROxpmtxY1bokMS+ZHOPeGECk8RFr03kBZtGrF2cdGLWzBv7l+CnmopS8lnDVsw
44/R5hj3OdZxhD3btFLXss1RPbUDU1vGV9KpDgJmsssS5pzvG9I2T9xGibd0zBIA
WGA5jjGFitfQwDaxvqoocKgmBG2o3nQpdCShlaRiFklVJQYT1J+w/TWA1OOWZmxs
91m6C9fqAqgeIjmFSOE5c/rpiw7MdzH46yUzoVhbqm6wKcngLDDmZDuqPwaqH18=
=RsbU
-----END PGP SIGNATURE-----
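Added illustration of the flaw class shown in the proof-of-concept section above (example code written for this page; it is neither SEC Consult's nor F5's code and does not model echo.jsp itself): a minimal "echo" handler that writes the request body verbatim into an HTML page, beside a hardened version that applies HTML output encoding, plus a regression check that reports whether submitted markup comes back with its tag structure intact. The function names, the page template and every probe string other than the advisory's own request body are assumptions made for the example.

```python
"""Reflected-XSS model: verbatim reflection vs. HTML output encoding.

Added example, not code from the advisory or from F5. The endpoint shape,
template and helper names are assumptions for illustration.
"""
import html
import re

# Request body taken from the advisory's proof-of-concept request.
POC_BODY = "<script>alert('xss')</script>"

# Constructed page template: the reflected value lands in element content.
PAGE_TEMPLATE = '<html><body><pre id="echo">{content}</pre></body></html>'

# Constructed probes: the advisory's body plus two benign inputs that show
# the encoder leaving ordinary text readable while neutralising quotes.
PROBES = [POC_BODY, "plain text 1 < 2", "\"quoted\" & 'single'"]


def render_echo_unsafe(body: str) -> str:
    """Vulnerable behaviour: the body is placed in the page unchanged."""
    return PAGE_TEMPLATE.format(content=body)


def render_echo_safe(body: str) -> str:
    """Hardened behaviour: HTML-entity encode before the value enters the page.

    html.escape(quote=True) encodes & < > " and ', which covers element
    content and quoted attribute values. Values reflected into a <script>
    block or a URL need that context's own encoder instead.
    """
    return PAGE_TEMPLATE.format(content=html.escape(body, quote=True))


# Matches an HTML start or end tag: '<', optional '/', a tag name, up to '>'.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def reflects_markup(body: str, response_html: str) -> bool:
    """True when every tag submitted in `body` appears verbatim in the response.

    An encoded response may still contain the submitted *text*, but never
    the raw tag structure, so this distinguishes the two renderers above.
    Inputs that carry no tags are reported as not reflected.
    """
    submitted_tags = _TAG_RE.findall(body)
    if not submitted_tags:
        return False
    return all(tag in response_html for tag in submitted_tags)


def audit(renderer, probes=PROBES):
    """Run each probe through `renderer`; return one verdict per probe."""
    return [reflects_markup(probe, renderer(probe)) for probe in probes]


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_echo_unsafe), ("safe", render_echo_safe)):
        for probe, verdict in zip(PROBES, audit(renderer)):
            print(f"{name:6} {'REFLECTED' if verdict else 'ok':9} {probe!r}")
```

The check is deliberately narrow: it proves only that tag structure survives the round trip, which is what the advisory's request demonstrates. A value reflected into an attribute without quotes, into inline JavaScript, or into a URL can be exploitable even when no raw tag survives, so a real regression suite needs one probe and one encoder per output context, and `Content-Type: text/html; charset=utf-8` should be set explicitly so the browser does not sniff a different context.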