SEC Consult Vulnerability Lab Security Advisory < 20140828-0 >
=======================================================================
title: Reflected Cross-Site Scripting
product: F5 BIG-IP
vulnerable version: <= 11.5.1
fixed version: > 11.6.0
impact: Medium
CVE number: CVE-2014-4023
homepage: https://f5.com/
found: 2014-07-07
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance. From load balancing and service offloading to acceleration and
security, the BIG-IP system delivers agility—and ensures your applications
are fast, secure, and available."
URL: https://f5.com/products/big-ip

Vulnerability overview/description:
-----------------------------------
BIG-IP suffers from a reflected Cross-Site Scripting vulnerability,
which allows an attacker to steal other users' sessions, to impersonate other
users and to gain unauthorized access to the admin interface.

Proof of concept:
-----------------
The following HTTP request triggers the vulnerability:

POST /tmui/dashboard/echo.jsp HTTP/1.1
Host: BIGIP
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 29

<script>alert('xss')</script>

The server does not properly encode user-supplied information and returns it
to the user, resulting in Cross-Site Scripting.
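
The missing output encoding described above, as an added example that is not part of the SEC Consult advisory and is not F5's code: a hypothetical Python WSGI echo handler that returns the request body verbatim, beside the same handler with HTML encoding on output. The handler names, the `call` helper and the response headers are assumptions chosen for illustration.

```python
import html
import io

# Constructed input: the request body from the advisory's proof of concept.
POC_BODY = b"<script>alert('xss')</script>"


def read_body(environ):
    """Read exactly Content-Length bytes of the request body."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    return environ["wsgi.input"].read(length).decode("utf-8", "replace")


def echo_unencoded(environ, start_response):
    """Hypothetical echo handler with the flaw: body returned verbatim as HTML."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [read_body(environ).encode("utf-8")]


def echo_encoded(environ, start_response):
    """Same handler, HTML-encoding the reflected data on output."""
    safe = html.escape(read_body(environ), quote=True)
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
        # Defence in depth: even if encoding is missed, inline script is blocked.
        ("Content-Security-Policy", "default-src 'none'"),
    ])
    return [safe.encode("utf-8")]


def call(app, body):
    """Drive a WSGI app in-process; return (status, headers, text)."""
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}
    chunks = app(environ, start_response)
    return seen["status"], seen["headers"], b"".join(chunks).decode("utf-8")


if __name__ == "__main__":
    for app in (echo_unencoded, echo_encoded):
        print(app.__name__, "->", call(app, POC_BODY)[2])
```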

Vulnerable / tested versions:
-----------------------------
More information can be found at:
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html

Vendor contact timeline:
------------------------
2014-07-08: Sending advisory and proof of concept exploit via encrypted
channel.
2014-07-09: Vendor confirms receipt of advisory. States that fix will be
released in the "next 6 weeks or so"
2014-07-24: Vendor provides CVE: CVE-2014-4023
2014-08-26: Vendor releases fixed version.
2014-08-28: SEC Consult releases a coordinated security advisory.

Solution:
---------
Update to the newest version.
More information can be found at:
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html

Workaround:
-----------
No workaround available.
Advisory URL:
- -------------
https://www.sec-consult.com/ en/Vulnerability-Lab/ Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com