S21Sec-035: F5 FirePass command execution vulnerability
##############################################################
- S21Sec Advisory -
##############################################################
Title: F5 FirePass command execution vulnerability
ID: S21SEC-035-en
Severity: High - Intrusion
History: 14.Feb.2007 Vulnerability discovered
22.Feb.2007 Vendor contacted
Scope: Linux's shell Command Execution
Platforms: Linux based Appliance
Author: Leonardo Nve (lnve@xxxxxxxxxx)
URL: http://www.s21sec.com/avisos/s21sec-035-en.txt
Release: Public
[ SUMMARY ]
F5's FirePass SSL VPN appliance provides secure access to corporate
applications and data using a standard web browser.
Delivering outstanding performance, scalability, ease-of-use, and end-
point security, FirePass helps increase the productivity
of those working from home or on the road while keeping corporate
data secure.
FirePass provides:
* Automatic detection of security compliant systems, preventing
infection.
* Automatic integration with the largest number of virus
scanning and personal firewall solutions in the industry
(over 100 different AV & Personal Firewall versions).
* Automatic protection from infected file uploads or email
attachments.
* Automatic re-routing and quarantine of infected or non-
compliant systems to a self remediation network - reducing
help desk calls.
* A secure workspace, preventing eavesdropping and theft of
sensitive data.
* Secure Login with a randomized key entry system, preventing
keystroke logger snooping.
* Full integration with the FirePass Visual Policy Editor. This
enables the creation of custom
template policies based on the endpoints accessing your network
and your company's security profile.
[ AFFECTED VERSIONS ]
This vulnerability has been tested in F5 FirePass 4100.
[ DESCRIPTION ]
S21sec has discovered a vulnerability in a F5 FirePass SSL VPN
script that allows the injection of Linux's shell command under some
circunstances.
The attacker doesn`t need to be logged in the system in order to
trigger the exploit
The affected script is:
- my.activation.php3
The variable is:
- username
[ WORKAROUND ]
F5 has published a security advisory at https://tech.f5.com/home/
solutions/sol167.html
Additionally, hotfix HF-75705-76003-1 has been issued for supported
versions of FirePass.
You may download this hotfix or later versions of the hotfix from the
F5 Networks Downloads site (https://downloads.f5.com/esd/index.jsp).
[ ACKNOWLEDGMENTS ]
This vulnerability has been discovered and researched by:
- Leonardo Nve <lnve@xxxxxxxxxx> S21Sec
With thanks to:
- Alberto Moro <amoro@xxxxxxxxxx> S21Sec
[ REFERENCES ]
* F5 Firepass
http://www.f5.com/products/FirePass/
* S21Sec
http://www.s21sec.com