Bugtraq mailing list archives
S21Sec-035: F5 FirePass command execution vulnerability
From: S21sec Labs <labs () s21sec com>
Date: Mon, 4 Jun 2007 11:22:48 +0200
##############################################################
                     - S21Sec Advisory -
##############################################################

    Title:   F5 FirePass command execution vulnerability
       ID:   S21SEC-035-en
 Severity:   High - Intrusion
  History:   14.Feb.2007 Vulnerability discovered
             22.Feb.2007 Vendor contacted
    Scope:   Linux's shell Command Execution
Platforms:   Linux based Appliance
   Author:   Leonardo Nve (lnve () s21sec com)
      URL:   http://www.s21sec.com/avisos/s21sec-035-en.txt
  Release:   Public

[ SUMMARY ]

F5's FirePass SSL VPN appliance provides secure access to corporate applications and data using a standard web browser. Delivering outstanding performance, scalability, ease-of-use, and end-point security, FirePass helps increase the productivity of those working from home or on the road while keeping corporate data secure.

FirePass provides:

* Automatic detection of security compliant systems, preventing infection.
* Automatic integration with the largest number of virus scanning and personal firewall solutions in the industry (over 100 different AV & Personal Firewall versions).
* Automatic protection from infected file uploads or email attachments.
* Automatic re-routing and quarantine of infected or non-compliant systems to a self remediation network - reducing help desk calls.
* A secure workspace, preventing eavesdropping and theft of sensitive data.
* Secure Login with a randomized key entry system, preventing keystroke logger snooping.
* Full integration with the FirePass Visual Policy Editor. This enables the creation of custom template policies based on the endpoints accessing your network and your company's security profile.

[ AFFECTED VERSIONS ]

This vulnerability has been tested in F5 FirePass 4100.

[ DESCRIPTION ]

S21sec has discovered a vulnerability in an F5 FirePass SSL VPN script that allows the injection of Linux shell commands under some circumstances. The attacker doesn't need to be logged in to the system in order to trigger the exploit.

The affected script is:

- my.activation.php3

The variable is:

- username

[ WORKAROUND ]

F5 has published a security advisory at https://tech.f5.com/home/solutions/sol167.html

Additionally, hotfix HF-75705-76003-1 has been issued for supported versions of FirePass. You may download this hotfix or later versions of the hotfix from the F5 Networks Downloads site (https://downloads.f5.com/esd/index.jsp).

[ ACKNOWLEDGMENTS ]

This vulnerability has been discovered and researched by:

- Leonardo Nve <lnve () s21sec com> S21Sec

With thanks to:

- Alberto Moro <amoro () s21sec com> S21Sec

[ REFERENCES ]

* F5 Firepass
  http://www.f5.com/products/FirePass/

* S21Sec
  http://www.s21sec.com
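
For reviewing appliance or upstream proxy logs until the hotfix is installed, the following is an added example, not part of the S21sec advisory or F5's material. It flags requests to the script named above whose username value falls outside a plain-username allowlist. Assumptions: the log is in common/combined format, the parameter is visible in the query string (a POST body would not be logged), and the allowlist and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script and parameter named in the advisory.
SCRIPT = "my.activation.php3"
PARAM = "username"
# Assumption: legitimate usernames use only these characters.
ALLOWED = re.compile(r"[A-Za-z0-9._@-]{1,64}")
# Client, timestamp, method, target and status of a common/combined log line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def suspicious_requests(lines):
    """Return (client, timestamp, status, decoded username) for each request
    to SCRIPT whose username has characters outside the allowlist."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, ts, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/" + SCRIPT):
            continue
        # parse_qs percent-decodes once; blank values are kept and reported too.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if not ALLOWED.fullmatch(value):
                hits.append((client, ts, int(status), value))
    return hits

# Constructed sample lines (documentation addresses, assumed URL path).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jun/2007:09:00:01 +0200] "GET /my.activation.php3?username=jsmith HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Jun/2007:09:03:44 +0200] "GET /my.activation.php3?username=x%3Bexample HTTP/1.1" 200 498',
    '192.0.2.10 - - [04/Jun/2007:09:05:12 +0200] "GET /index.html?username=x%3Bexample HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Because the script is reachable without logging in, any hit from an address outside the expected user population is worth correlating with other activity from the same client.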