Digit Oktavianto Web Log

Catatan Sampah si Digit

F5 BigIP Root Authentication Bypass Vulnerability


Last night I got the information from my colleague @159k by email about an F5 Security Advisory. Matta Security Consulting found a vulnerability that affects some F5 products. This vulnerability lets us gain root access, since it allows unauthenticated users to bypass authentication and log in as the ‘root’ user on the device. The good news is that the Metasploit team has already released a new module to exploit this vulnerability (Haha.. I don't know if this is good news or bad news. xD).

Yeahh.. After updating my MSF.. You can see the picture below.. (New module: f5_bigip_known_privkey.rb)

Okay.. I will copy-paste the security advisory from Matta Consulting, the related link for the patch, and also the link from Rapid7 below:

Matta Consulting - Matta Advisory

https://www.trustmatta.com

F5 BIG-IP remote root authentication bypass Vulnerability

Advisory ID: MATTA-2012-002

CVE reference: CVE-2012-1493

Affected platforms: BIG-IP platforms without SCCP

Version: 11.x 10.x 9.x

Date: 2012-February-16

Security risk: High

Vulnerability: F5 BIG-IP remote root authentication bypass

Researcher: Florent Daigniere

Vendor Status: Notified / Patch available

Vulnerability Disclosure Policy:

https://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt

Permanent URL: https://www.trustmatta.com/advisories/MATTA-2012-002.txt

Description :

Vulnerable BIG-IP installations allow unauthenticated users to bypass authentication and login as the ‘root’ user on the device.

The SSH private key corresponding to the following public key is publicly known, and the public key is trusted for the ‘root’ account on all vulnerable appliances:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvIhC5skTzxyHif/7iy3yhxuK6/OB13hjPqrskogkYFrcW8OK4VJT+5+Fx7wd4sQCnVn8rNqahw/x6sfcOMDI/Xvn4yKU4t8TnYf2MpUVr4ndz39L5Ds1n7Si1m2suUNxWbKv58I8+NMhlt2ITraSuTU0NGymWOc8+LNi+MHXdLk= SCCP Superuser

Its fingerprint is: 71:3a:b0:18:e2:6c:41:18:4e:56:1e:fd:d2:49:97:66
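As a practical check to go with the advisory text above, here is an added example (my own code, not Matta's, F5's or Rapid7's) that uses only the public key and the MD5 fingerprint quoted above to audit two things offline: whether an authorized_keys file copied off a box still trusts the ‘SCCP Superuser’ key (matched on the decoded key blob, so a changed comment or a prepended options field does not hide it), and whether an sshd log written at LogLevel VERBOSE records public-key logins for root with that fingerprint. The sample authorized_keys content and log lines are constructed for the example, the first key in the sample file is a truncated placeholder, and the two sshd log formats handled (the "Found matching RSA key:" line of older OpenSSH and the ": RSA <fingerprint>" suffix of newer releases) are assumptions about the logging format, not something the advisory states.

```python
"""Offline audit for CVE-2012-1493 (added example; not Matta's, F5's or Rapid7's code).

Checks, without needing the leaked private key:
  1. does an authorized_keys file still trust the 'SCCP Superuser' key?
  2. does an sshd log show public-key logins for root with that key's fingerprint?
"""
import base64
import hashlib
import re

# Public key and MD5 fingerprint exactly as printed in MATTA-2012-002.
ADVISORY_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvIhC5skTzxyHif/7iy3yhxuK6/OB13hjPqrskogkYFrcW8OK4VJT+5+Fx7wd4sQCnVn8rNqahw/x6sfcOMDI/Xvn4yKU4t8TnYf2MpUVr4ndz39L5Ds1n7Si1m2suUNxWbKv58I8+NMhlt2ITraSuTU0NGymWOc8+LNi+MHXdLk= SCCP Superuser"
ADVISORY_FINGERPRINT = "71:3a:b0:18:e2:6c:41:18:4e:56:1e:fd:d2:49:97:66"

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")


def key_blob(line):
    """Decode the key blob from one authorized_keys line, or return None.

    The line may start with an options field (from="...", command="...");
    the blob is the token that follows the first key-type token.
    """
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            try:
                return base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return None
    return None


def md5_fingerprint(blob):
    """Legacy OpenSSH fingerprint: MD5 of the raw blob as colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


KNOWN_BAD_BLOB = key_blob(ADVISORY_KEY)
if KNOWN_BAD_BLOB is None:
    raise ValueError("advisory key failed to decode; check the transcription")


def advisory_fingerprint_matches():
    """True when the quoted public key hashes to the quoted fingerprint."""
    return md5_fingerprint(KNOWN_BAD_BLOB) == ADVISORY_FINGERPRINT


def find_known_key(authorized_keys_text):
    """1-based line numbers whose decoded blob equals the advisory key."""
    hits = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        blob = key_blob(line)
        if blob is not None and blob == KNOWN_BAD_BLOB:
            hits.append(n)
    return hits


FP = r"(?:[0-9a-f]{2}:){15}[0-9a-f]{2}"
PID_RE = re.compile(r"sshd\[(?P<pid>\d+)\]")
# Assumed log formats: older OpenSSH (LogLevel VERBOSE) logs the key on its own
# line before 'Accepted'; newer releases append ': RSA <fingerprint>' instead.
FOUND_RE = re.compile(r"Found matching \w+ key: (?P<fp>" + FP + ")")
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: \w+ (?P<fp>" + FP + "))?"
)


def find_key_logins(log_text, fingerprint=ADVISORY_FINGERPRINT):
    """(user, source_ip) for every accepted login made with `fingerprint`."""
    pending = {}  # sshd pid -> fingerprint seen on a preceding 'Found matching' line
    logins = []
    for line in log_text.splitlines():
        pid_m = PID_RE.search(line)
        pid = pid_m.group("pid") if pid_m else None
        found = FOUND_RE.search(line)
        if found:
            pending[pid] = found.group("fp")
            continue
        acc = ACCEPTED_RE.search(line)
        if not acc:
            continue
        fp = acc.group("fp") or pending.pop(pid, None)
        if fp == fingerprint:
            logins.append((acc.group("user"), acc.group("src")))
    return logins


# Constructed sample input (not from a real device). The first key is a
# truncated placeholder; the advisory key sits on line 3 behind an options field.
SAMPLE_AUTHORIZED_KEYS = (
    "# root's authorized_keys\n"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7 admin@example\n"
    'from="10.0.0.0/8" ' + ADVISORY_KEY + "\n"
)
SAMPLE_SSHD_LOG = "\n".join([
    "May 11 03:14:15 bigip sshd[2099]: Found matching RSA key: " + ADVISORY_FINGERPRINT,
    "May 11 03:14:15 bigip sshd[2099]: Accepted publickey for root from 203.0.113.7 port 40122 ssh2",
    "May 11 03:20:01 bigip sshd[2140]: Accepted publickey for admin from 192.0.2.10 port 51000 ssh2: RSA 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff",
    "May 11 03:22:10 bigip sshd[2150]: Accepted password for admin from 192.0.2.10 port 51002 ssh2",
])

if __name__ == "__main__":
    print("advisory key/fingerprint consistent:", advisory_fingerprint_matches())
    print("authorized_keys lines trusting the key:", find_known_key(SAMPLE_AUTHORIZED_KEYS))
    print("logins made with the key:", find_key_logins(SAMPLE_SSHD_LOG))
```

Point it at /root/.ssh/authorized_keys and /var/log/secure copied off the device (the file contents are passed in as text, so nothing has to run on the BIG-IP itself). A hit from find_known_key means the mitigation has not been applied or was undone by a reinstall; a hit from find_key_logins is evidence that someone has already used the key.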


Impact

If successful, a malicious third party gains full control of the device with little to no effort. From there an attacker can pivot and launch attacks against other parts of the target infrastructure.

Version affected:

BIG-IP LTM 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0, 10.0.1, 10.0.0, 9.6.1, 9.6.0, 9.4.8, 9.4.7, 9.4.6, 9.4.5, 9.4.4, 9.4.3, 9.4.2, 9.4.1, 9.4.0, 9.3.1, 9.3.0, 9.2.5, 9.2.4, 9.2.3, 9.2.2, 9.2.0, 9.1.3, 9.1.2, 9.1.1, 9.1.0, 9.0.5, 9.0.4, 9.0.3, 9.0.2, 9.0.1, 9.0.0

BIG-IP ASM 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0, 10.0.1, 10.0.0, 9.4.8, 9.4.7, 9.4.6, 9.4.5, 9.4.4, 9.4.3, 9.4.2, 9.4.1, 9.4.0, 9.3.1, 9.3.0, 9.2.5, 9.2.4, 9.2.3, 9.2.2, 9.2.0

BIG-IP GTM 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0, 10.0.1, 10.0.0, 9.4.8, 9.4.7, 9.4.6, 9.4.5, 9.4.4, 9.4.3, 9.4.2, 9.4.1, 9.4.0, 9.3.1, 9.3.0, 9.2.5, 9.2.4, 9.2.3, 9.2.2

BIG-IP PSM 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0, 10.0.1, 10.0.0, 9.4.8, 9.4.7, 9.4.6, 9.4.5

BIG-IP Link Controller 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0, 10.0.1, 10.0.0, 9.4.8, 9.4.7, 9.4.6, 9.4.5, 9.4.4, 9.4.3, 9.4.2, 9.4.1, 9.4.0, 9.3.1, 9.3.0, 9.2.5, 9.2.4, 9.2.3, 9.2.2

BIG-IP WebAccelerator 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0, 10.0.1, 10.0.0, 9.4.8, 9.4.7, 9.4.6, 9.4.5, 9.4.4, 9.4.3, 9.4.2, 9.4.1, 9.4.0

BIG-IP APM 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0

BIG-IP WOM 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0, 10.0.1, 10.0.0

BIG-IP Edge Gateway 11.1.0, 11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0

FirePass 7.0.0, 6.1.0, 6.0.3, 6.0.2, 6.0.1, 6.0.0

ARX 6.1.1, 6.1.0, 6.0.0, 5.3.1, 5.2.2, 5.2.0, 5.1.9, 5.1.7, 5.1.5, 5.1.0, 5.0.7, 5.0.6, 5.0.5, 5.0.1, 5.0.0

BIG-IP Analytics 11.1.0, 11.0.0

Recommended action

A number of options exist to address this vulnerability. Perform one or more of the following procedures, as appropriate, for your situation:

  • Upgrading to a non-vulnerable version
  • Reconfiguring SSH access
  • Mitigating the risk of exploitation

Upgrading to a non-vulnerable version

To eliminate this vulnerability, upgrade to a release that is not affected. If an unaffected release is not available, apply the hotfix that is available for your version.

Reconfiguring SSH access

If you are unable to upgrade or apply a hotfix immediately, you can safely reconfigure the system by performing the following procedure:

Impact of recommended action: None. The SSH reconfiguration tool does not affect traffic flowing through the BIG-IP system. The change made by the Configuration utility takes effect immediately, and there is no need to restart any service, including SSH.

Important: Because the configuration error that creates this vulnerability would be reintroduced by reinstalling an affected software version, F5 regards this procedure as a temporary workaround and recommends upgrading to a release that contains the supported fix as soon as possible.

  1. From an Internet-connected workstation, browse to http://downloads.f5.com/.

  2. Click Find a Download.

  3. From the BIG-IP Product Family list, select the BIG-IP product line.

  4. From the resulting list, select the product container named ID379600.

  5. Accept the End User Software License agreement if it appears.

  6. Download the id379600-fix.gz binary, the id379600-fix.gz.md5 checksum file, and optionally, the id379600-fix.README file.

  7. Upload the files to a working directory, such as /var/tmp, on the affected BIG-IP/VIPRION system.

  8. Log in to the BIG-IP/VIPRION command line as root (or any other user with Advanced Shell access and Role set to Administrator).

  9. Change to the directory to which you uploaded the files.

  10. Calculate the checksum of the downloaded binary file by typing the following command: md5sum id379600-fix.gz

  11. Display the expected checksum by typing the following command: cat id379600-fix.gz.md5

  12. Compare the output of the commands from Step 10 and Step 11; if they are identical, continue to Step 13. Important: If the checksum values do not match, the id379600-fix.gz file was corrupted during transfer and must be downloaded again.

  13. Decompress the archive and set permissions on the resulting binary file by typing the following commands: gunzip id379600-fix.gz and then chmod +x id379600-fix

  14. Run the utility by typing the following command: ./id379600-fix

  15. Once the system has been successfully reconfigured, the script displays the following output:
      [!] ID379600 Livepatch
      [+] ID379600 mitigated

  16. Important: If the script produces any other output and the system is not licensed for Appliance mode, open a case with F5 Technical Support, including any output that was displayed. The script will not run as expected on Appliance mode systems, which are not affected by this vulnerability.


Mitigating the risk of exploitation

In addition to upgrading or patching the system, you can mitigate the risk of this vulnerability by using any or all of the following approaches:

  • Limit SSH administrative access to the management interface by ensuring that the port lockdown feature is configured to disallow port 22 for all self IP addresses. For more information, refer to [SOL13250] (http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13250.html): Overview of port lockdown behavior (10.x - 11.x) or [SOL7317] (http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7317.html): Overview of port lockdown behavior (9.x).

  • Expose the management interface on only trusted networks.

  • Implement appropriate external network filters, such as firewalling, to protect the management interface from unintended access.

  • Restrict SSH access to affected systems by configuring specific allowed IP address ranges. To do so, follow the procedures in [SOL5380] (http://support.f5.com/kb/en-us/solutions/public/5000/300/sol5380.html): Specifying allowable IP ranges for SSH access. Important: A strong password policy or external authentication does not help mitigate the risk from this issue, because the login is accepted on the strength of the trusted public key and never reaches password or external authentication.

More Information and Mitigation :

https://www.trustmatta.com/advisories/MATTA-2012-002.txt

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1493

https://community.rapid7.com/community/metasploit/blog/2012/06/11/scanning-for-vulnerable-f5-bigips-with-metasploit

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb

http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13600.html
