SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Router/Bridge/Hub)  >   F5 FirePass Vendors:   F5 Networks
F5 FirePass Input Validation Flaw in 'my.activation.php3' Permits Remote Command Execution
SecurityTracker Alert ID:  1018190
SecurityTracker URL:  http://securitytracker.com/id/1018190
CVE Reference:   CVE-2007-3097   (Links to External Site)
Updated:  May 12 2008
Original Entry Date:  Jun 5 2007
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4100
Description:   A vulnerability was reported in F5 FirePass. A remote user can execute arbitrary code on the target system.

A remote user can send a specially crafted 'username' value to the 'my.activation.php3' script to execute arbitrary commands on the target system. The code will run with the privileges of the target service.

The vendor was notified on February 22, 2007.

Leonardo Nve of S21sec discovered this vulnerability.

The original advisory is available at:

http://www.s21sec.com/avisos/s21sec-035-en.txt

Impact:   A remote user can execute arbitrary commands on the target system.
Solution:   The vendor has reportedly issued a hotfix (HF-75705-76003-1).

The F5 advisory is not publicly available.

Vendor URL:  www.f5.com/products/FirePass/ (Links to External Site)
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  S21Sec-035: F5 FirePass command execution vulnerability

##############################################################

                      - S21Sec Advisory -

##############################################################

     Title:   F5 FirePass command execution vulnerability
        ID:   S21SEC-035-en
Severity:   High - Intrusion
   History:   14.Feb.2007 Vulnerability discovered
              22.Feb.2007 Vendor contacted
     Scope:   Linux's shell Command Execution
Platforms:   Linux based Appliance	
    Author:   Leonardo Nve (lnve@s21sec.com)
       URL:   http://www.s21sec.com/avisos/s21sec-035-en.txt
   Release:   Public

[ SUMMARY ]

F5's FirePass SSL VPN appliance provides secure access to corporate  
applications and data using a standard web browser.
Delivering outstanding performance, scalability, ease-of-use, and end- 
point security, FirePass helps increase the productivity
of those working from home or on the road while keeping corporate  
data secure.

FirePass provides:

     * Automatic detection of security compliant systems, preventing  
infection.
     * Automatic integration with the largest number of virus  
scanning and personal firewall solutions in the industry
	  (over 100 different AV & Personal Firewall versions).
     * Automatic protection from infected file uploads or email  
attachments.
     * Automatic re-routing and quarantine of infected or non- 
compliant systems to a self remediation network - reducing
	  help desk calls.
     * A secure workspace, preventing eavesdropping and theft of  
sensitive data.
     * Secure Login with a randomized key entry system, preventing  
keystroke logger snooping.
     * Full integration with the FirePass Visual Policy Editor. This  
enables the creation of custom
	  template policies based on the endpoints accessing your network  
and your company's security profile.



[ AFFECTED VERSIONS ]

This vulnerability has been tested in F5 FirePass 4100.


[ DESCRIPTION ]

S21sec has discovered a vulnerability in a F5 FirePass SSL VPN   
script that allows the injection of Linux's shell command under some  
circunstances.
The attacker doesn`t need to be logged in the system in order to  
trigger the exploit

The affected script is:

- my.activation.php3

The variable is:

- username


[ WORKAROUND ]

F5 has published a security advisory at https://tech.f5.com/home/ 
solutions/sol167.html
Additionally, hotfix HF-75705-76003-1 has been issued for supported  
versions of FirePass.
You may download this hotfix or later versions of the hotfix from the  
F5 Networks Downloads site (https://downloads.f5.com/esd/index.jsp).

[ ACKNOWLEDGMENTS ]

This vulnerability has been discovered and researched by:

- Leonardo Nve <lnve@s21sec.com> S21Sec

With thanks to:

- Alberto Moro <amoro@s21sec.com> S21Sec


[ REFERENCES ]

* F5 Firepass
   http://www.f5.com/products/FirePass/



* S21Sec
   http://www.s21sec.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC