<<< Date Index >>>     <<< Thread Index >>>

S21Sec-035: F5 FirePass command execution vulnerability



##############################################################

                     - S21Sec Advisory -

##############################################################

    Title:   F5 FirePass command execution vulnerability
       ID:   S21SEC-035-en
Severity:   High - Intrusion
  History:   14.Feb.2007 Vulnerability discovered
             22.Feb.2007 Vendor contacted
    Scope:   Linux's shell Command Execution
Platforms:   Linux based Appliance      
   Author:   Leonardo Nve (lnve@xxxxxxxxxx)
      URL:   http://www.s21sec.com/avisos/s21sec-035-en.txt
  Release:   Public

[ SUMMARY ]

F5's FirePass SSL VPN appliance provides secure access to corporate applications and data using a standard web browser. Delivering outstanding performance, scalability, ease-of-use, and end- point security, FirePass helps increase the productivity of those working from home or on the road while keeping corporate data secure.

FirePass provides:

* Automatic detection of security compliant systems, preventing infection. * Automatic integration with the largest number of virus scanning and personal firewall solutions in the industry
          (over 100 different AV & Personal Firewall versions).
* Automatic protection from infected file uploads or email attachments. * Automatic re-routing and quarantine of infected or non- compliant systems to a self remediation network - reducing
          help desk calls.
* A secure workspace, preventing eavesdropping and theft of sensitive data. * Secure Login with a randomized key entry system, preventing keystroke logger snooping. * Full integration with the FirePass Visual Policy Editor. This enables the creation of custom template policies based on the endpoints accessing your network and your company's security profile.



[ AFFECTED VERSIONS ]

This vulnerability has been tested in F5 FirePass 4100.


[ DESCRIPTION ]

S21sec has discovered a vulnerability in a F5 FirePass SSL VPN script that allows the injection of Linux's shell command under some circunstances. The attacker doesn`t need to be logged in the system in order to trigger the exploit

The affected script is:

- my.activation.php3

The variable is:

- username


[ WORKAROUND ]

F5 has published a security advisory at https://tech.f5.com/home/ solutions/sol167.html Additionally, hotfix HF-75705-76003-1 has been issued for supported versions of FirePass. You may download this hotfix or later versions of the hotfix from the F5 Networks Downloads site (https://downloads.f5.com/esd/index.jsp).

[ ACKNOWLEDGMENTS ]

This vulnerability has been discovered and researched by:

- Leonardo Nve <lnve@xxxxxxxxxx> S21Sec

With thanks to:

- Alberto Moro <amoro@xxxxxxxxxx> S21Sec


[ REFERENCES ]

* F5 Firepass
  http://www.f5.com/products/FirePass/



* S21Sec
  http://www.s21sec.com