BugTraq
S21Sec-035: F5 FirePass command execution vulnerability Jun 04 2007 09:22AM
S21sec Labs (labs s21sec com)
##############################################################

- S21Sec Advisory -

##############################################################

Title: F5 FirePass command execution vulnerability
ID: S21SEC-035-en
Severity: High - Intrusion
History: 14.Feb.2007 Vulnerability discovered
22.Feb.2007 Vendor contacted
Scope: Linux's shell Command Execution
Platforms: Linux based Appliance
Author: Leonardo Nve (lnve (at) s21sec (dot) com [email concealed])
URL: http://www.s21sec.com/avisos/s21sec-035-en.txt
Release: Public

[ SUMMARY ]

F5's FirePass SSL VPN appliance provides secure access to corporate
applications and data using a standard web browser.
Delivering outstanding performance, scalability, ease-of-use, and end-
point security, FirePass helps increase the productivity
of those working from home or on the road while keeping corporate
data secure.

FirePass provides:

* Automatic detection of security compliant systems, preventing
infection.
* Automatic integration with the largest number of virus
scanning and personal firewall solutions in the industry
(over 100 different AV & Personal Firewall versions).
* Automatic protection from infected file uploads or email
attachments.
* Automatic re-routing and quarantine of infected or non-
compliant systems to a self remediation network - reducing
help desk calls.
* A secure workspace, preventing eavesdropping and theft of
sensitive data.
* Secure Login with a randomized key entry system, preventing
keystroke logger snooping.
* Full integration with the FirePass Visual Policy Editor. This
enables the creation of custom
template policies based on the endpoints accessing your network
and your company's security profile.

[ AFFECTED VERSIONS ]

This vulnerability has been tested in F5 FirePass 4100.

[ DESCRIPTION ]

S21sec has discovered a vulnerability in a F5 FirePass SSL VPN
script that allows the injection of Linux's shell command under some
circunstances.
The attacker doesn`t need to be logged in the system in order to
trigger the exploit

The affected script is:

- my.activation.php3

The variable is:

- username

[ WORKAROUND ]

F5 has published a security advisory at https://tech.f5.com/home/
solutions/sol167.html
Additionally, hotfix HF-75705-76003-1 has been issued for supported
versions of FirePass.
You may download this hotfix or later versions of the hotfix from the
F5 Networks Downloads site (https://downloads.f5.com/esd/index.jsp).

[ ACKNOWLEDGMENTS ]

This vulnerability has been discovered and researched by:

- Leonardo Nve <lnve (at) s21sec (dot) com [email concealed]> S21Sec

With thanks to:

- Alberto Moro <amoro (at) s21sec (dot) com [email concealed]> S21Sec

[ REFERENCES ]

* F5 Firepass
http://www.f5.com/products/FirePass/

* S21Sec
http://www.s21sec.com

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus