SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   F5 BIG-IP
Vendors:   F5 Networks
F5 BIG-IP Input Validation Flaw in 'tmui/dashboard/echo.jsp' Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1030776
SecurityTracker URL:  http://securitytracker.com/id/1030776
CVE Reference:   CVE-2014-4023
Date:  Aug 29 2014
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 11.5.1 and prior versions
Description:   A vulnerability was reported in F5 BIG-IP. A remote user can conduct cross-site scripting attacks.

The 'tmui/dashboard/echo.jsp' script does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted request that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the BIG-IP interface and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The BIG-IP Configuration utility and the Enterprise Manager Configuration utility are affected.

The vendor has assigned ID 470796 (for BIG-IP) and ID 476101 (for Enterprise Manager) to this vulnerability.

The vendor was notified on July 8, 2014.

The original advisory is available at:

https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

Stefan Viehbock of SEC Consult Vulnerability Lab reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the BIG-IP interface, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (11.6.0).

The vendor's advisory is available at:

http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html?sr=39955681

Vendor URL:  support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html?sr=39955681
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  SEC Consult SA-20140828-0 :: F5 BIG-IP Reflected Cross-Site Scripting

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20140828-0 >
=======================================================================
              title: Reflected Cross-Site Scripting
            product: F5 BIG-IP
 vulnerable version: <= 11.5.1
      fixed version: > 11.6.0
             impact: Medium
         CVE number: CVE-2014-4023
           homepage: https://f5.com/
              found: 2014-07-07
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
- -----------------------------
"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance.  From load balancing and service offloading to acceleration and
are fast, secure, and available."

URL: https://f5.com/products/big-ip


Vulnerability overview/description:
- -----------------------------------
BIG-IP suffers from a reflected Cross-Site Scripting vulnerability,
which allows an attacker to steal other users' sessions, to impersonate other
users and to gain unauthorized access to the admin interface.


Proof of concept:
- -----------------
The following HTTP request triggers the vulnerability:

POST /tmui/dashboard/echo.jsp HTTP/1.1
Host: BIGIP
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 29

<script>alert('xss')</script>

The server does not properly encode user-supplied information and returns it
to the user, resulting in Cross-Site Scripting.


Vulnerable / tested versions:
- -----------------------------
More information can be found at:
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html


Vendor contact timeline:
- ------------------------
2014-07-08: Sending advisory and proof of concept exploit via encrypted
            channel.
2014-07-09: Vendor confirms receipt of advisory. States that fix will be
            released in the "next 6 weeks or so"
2014-07-24: Vendor provides CVE: CVE-2014-4023
2014-08-26: Vendor releases fixed version.
2014-08-28: SEC Consult releases a coordinated security advisory.


Solution:
- ---------
Update to the newest version.

More information can be found at:
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html


Workaround:
- -----------
No workaround available.


Advisory URL:
- -------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-----END PGP SIGNATURE-----
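The output-encoding failure described above, as an added example (not code from the advisory, SEC Consult or F5): a model of an endpoint that echoes the request body, beside a hardened form, with a check that reports which elements from the request survive as live markup. The handler and function names are assumptions for illustration; the request body is the one from the proof of concept.

```python
import html
from html.parser import HTMLParser

# Request body taken from the advisory's proof of concept.
POC_BODY = "<script>alert('xss')</script>"

def echo_unencoded(body):
    """Model of the flaw: the POST body is written back into an HTML page as-is."""
    return {"Content-Type": "text/html", "body": body}

def echo_encoded(body):
    """Hardened model: encode on output, declare plain text, forbid MIME sniffing."""
    return {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "body": html.escape(body, quote=True),
    }

class _StartTags(HTMLParser):
    """Collects the names of the elements an HTML parser would open."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.append(tag)

def _start_tags(text):
    parser = _StartTags()
    parser.feed(text)
    parser.close()
    return parser.names

def live_reflected_tags(sent, response):
    """Elements from the request body that survive as live markup in the response."""
    sent_tags = set(_start_tags(sent))
    return [t for t in _start_tags(response["body"]) if t in sent_tags]

if __name__ == "__main__":
    for handler in (echo_unencoded, echo_encoded):
        resp = handler(POC_BODY)
        print(handler.__name__, live_reflected_tags(POC_BODY, resp), resp["body"])
```

The same check can serve as a regression test after upgrading: a response that still yields a non-empty list for a marker body is reflecting input without encoding.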
 
 

