sol13600: SSH vulnerability CVE-2012-1493
Security Advisory

Original Publication Date: 06/06/2012
Updated Date: 06/26/2013

Description

A platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH. The vulnerability is caused by a configuration error, and is not the result of an underlying SSH defect.

The following platforms are affected by this issue:

  • VIPRION B2100, B4100, and B4200
  • BIG-IP 520, 540, 1000, 2000, 2400, 5000, 5100, 1600, 3600, 3900, 6900, 8900, 8950, 11000, and 11050
  • BIG-IP Virtual Edition
  • Enterprise Manager 3000 and 4000

Note: Systems that are licensed to run in Appliance mode on BIG-IP 10.2.1-HF3 or later are not susceptible to this vulnerability. For more information about Appliance mode, refer to SOL12815: Overview of Appliance mode.

The only sign that this vulnerability may have been exploited on an affected system would be the appearance of unexpected root login messages in the /var/log/secure file. However, there is no way to tell from any specific login message whether it was the result of this vulnerability. Further, it is possible for a privileged account to eliminate traces of illicit activity by modifying the log files.
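The log review described above can be scripted. The following is an added example, not part of F5's advisory: it lists successful root SSH logins in a secure log whose source address is not on an allowlist of expected management hosts. The log lines are constructed samples in the standard OpenSSH format, and the allowlist file (one address per line) is an assumed input.

```shell
# Added example: report root SSH logins from sources outside an allowlist.
# The sample data is constructed; the allowlist file is a hypothetical input.

# Constructed /var/log/secure excerpt (documentation addresses only).
sample_secure_log() {
    cat <<'EOF'
Jun  6 22:01:13 bigip1 sshd[3120]: Accepted password for root from 192.0.2.10 port 50022 ssh2
Jun  7 03:12:40 bigip1 sshd[4318]: Failed password for root from 203.0.113.45 port 40110 ssh2
Jun  7 03:12:44 bigip1 sshd[4321]: Accepted publickey for root from 203.0.113.45 port 40112 ssh2
Jun  7 09:30:02 bigip1 sshd[5002]: Accepted password for admin from 203.0.113.45 port 40990 ssh2
EOF
}

# unexpected_root_logins LOGFILE ALLOWLIST
# Prints "month day time method source" for every successful root login
# whose source address is not listed in ALLOWLIST.
unexpected_root_logins() {
    awk '
        # First file: load the allowlist, skipping blank lines and comments.
        FILENAME == ARGV[1] {
            if ($0 !~ /^[ \t]*(#|$)/) allowed[$1] = 1
            next
        }
        # Second file: match "Accepted <method> for root from <ip> ...".
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF - 5; i++)
                if ($i == "Accepted" && $(i+2) == "for" && $(i+3) == "root" &&
                    $(i+4) == "from" && !($(i+5) in allowed))
                    print $1, $2, $3, $(i+1), $(i+5)
        }
    ' "$2" "$1"
}
```

A hit is only a lead for investigation: as stated above, no single login message shows whether it resulted from this vulnerability, and a privileged account can modify the log files.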

Neither a strong password policy nor remote authentication helps mitigate the issue. For information about protecting your system from exploitation, refer to the Recommended Action section below.

F5 would like to acknowledge Florent Daigniere of Matta Consulting for bringing this issue to our attention, and for following the highest standards of responsible disclosure.

Impact

Privileged (root) access may be granted to unauthenticated users.

Status

F5 Product Development has assigned ID 379600 to this vulnerability. To find out whether F5 has determined that your release is vulnerable, and to obtain information about releases or hotfixes that resolve the vulnerability, refer to the following table:

Product Versions known to be vulnerable Versions known to be not vulnerable Vulnerable component or feature
BIG-IP LTM 9.0.0 - 9.4.8-HF4
10.0.0 - 10.2.3-HF1
11.0.0 - 11.0.0-HF1
11.1.0 - 11.1.0-HF2
9.4.8-HF5 and later
10.2.4 and later
11.0.0-HF2 and later
11.1.0-HF3 and later
11.2.x
11.3.x
11.4.x
SSH via TCP/22 on any interface
BIG-IP GTM 9.2.2 - 9.4.8-HF4
10.0.0 - 10.2.3-HF1
11.0.0 - 11.0.0-HF1
11.1.0 - 11.1.0-HF2
9.4.8-HF5 and later
10.2.4 and later
11.0.0-HF2 and later
11.1.0-HF3 and later
11.2.x
11.3.x
11.4.x
SSH via TCP/22 on any interface
BIG-IP ASM 9.2.0 - 9.4.8-HF4
10.0.0 - 10.2.3-HF1
11.0.0 - 11.0.0-HF1
11.1.0 - 11.1.0-HF2
9.4.8-HF5 and later
10.2.4 and later
11.0.0-HF2 and later
11.1.0-HF3 and later
11.2.x
11.3.x
11.4.x
SSH via TCP/22 on any interface
BIG-IP Link Controller 9.2.2 - 9.4.8-HF4
10.0.0 - 10.2.3-HF1
11.0.0 - 11.0.0-HF1
11.1.0 - 11.1.0-HF2
9.4.8-HF5 and later
10.2.4 and later
11.0.0-HF2 and later
11.1.0-HF3 and later
11.2.x
11.3.x
SSH via TCP/22 on any interface
BIG-IP WebAccelerator None
9.4.x
10.x
11.x
None
BIG-IP PSM 9.4.5 - 9.4.8-HF4
10.0.0 - 10.2.3-HF1
11.0.0 - 11.0.0-HF1
11.1.0 - 11.1.0-HF2
9.4.8-HF5 and later
10.2.4 and later
11.0.0-HF2 and later
11.1.0-HF3 and later
11.2.x
11.3.x
11.4.x
SSH via TCP/22 on any interface
BIG-IP WOM 10.0.0 - 10.2.3-HF1
11.0.0 - 11.0.0-HF1
11.1.0 - 11.1.0-HF2
10.2.4 and later
11.0.0-HF2 and later
11.1.0-HF3 and later
11.2.x
11.3.x
SSH via TCP/22 on any interface
BIG-IP APM 10.1.0 - 10.2.3-HF1
11.0.0 - 11.0.0-HF1
11.1.0 - 11.1.0-HF2
10.2.4 and later
11.0.0-HF2 and later
11.1.0-HF3 and later
11.2.x
11.3.x
11.4.x
SSH via TCP/22 on any interface
BIG-IP Edge Gateway
10.1.0 - 10.2.3-HF1
11.0.0 - 11.0.0-HF1
11.1.0 - 11.1.0-HF2
10.2.4 and later
11.0.0-HF2 and later
11.1.0-HF3 and later
11.2.x
11.3.x
11.4.x
SSH via TCP/22 on any interface
BIG-IP Analytics
11.0.0 - 11.0.0-HF1
11.1.0 - 11.1.0-HF2
11.0.0-HF2 and later
11.1.0-HF3 and later
11.2.x
11.3.x
11.4.x
SSH via TCP/22 on any interface
BIG-IP AFM None 11.3.x
11.4.x
None
BIG-IP PEM None 11.3.x
11.4.x
None
BIG-IP AAM None 11.4.x None
FirePass None 6.x
7.x
None
Enterprise Manager 1.x
2.0.x
2.1.0 - 2.1.0-HF1
2.2.0 (no HF)
2.3.0 - 2.3.0-HF2
2.1.0-HF2 and later
2.2.0-HF1 and later
2.3.0-HF3 and later
3.x
SSH via TCP/22 on any interface
ARX None
5.x
6.x
None

Recommended action

A number of options exist to address this vulnerability. Perform one or more of the following procedures, as appropriate, for your situation:

Upgrading to a non-vulnerable version

To eliminate this vulnerability, upgrade to a release that is not affected. If an unaffected release is not available, apply the hotfix that is available for your version.

Reconfiguring SSH access

If you are unable to upgrade or apply a hotfix immediately, you can safely reconfigure the system by performing the following procedure:

Impact of recommended action: None. The SSH reconfiguration tool does not affect traffic flowing through the BIG-IP system. The change made by the Configuration utility takes effect immediately, and there is no need to restart any service, including SSH.

Important: Because the configuration error that creates this vulnerability would be reintroduced by reinstalling an affected software version, F5 regards this procedure as a temporary workaround and recommends that you upgrade to a release that contains the supported fix as soon as possible.

  1. From an Internet-connected workstation, browse to https://downloads.f5.com/.
  2. Click Find a Download.
  3. From the BIG-IP Product Family list, select the BIG-IP product line.
  4. From the resulting list, select the product container named ID379600.
  5. If the End User Software License agreement appears, accept it.
  6. Download the id379600-fix.gz binary, the id379600-fix.gz.md5 checksum file, and optionally, the id379600-fix.README file.
  7. Upload the files to a working directory, such as /var/tmp, on the affected BIG-IP/VIPRION system. For more information about uploading files to a BIG-IP system, refer to SOL175: Transferring files to or from an F5 system.
  8. Log in to the BIG-IP/VIPRION command line as root (or any other user with Advanced Shell access and Role set to Administrator).
  9. Change to the directory where you uploaded the files.
  10. Verify the checksum of the downloaded file by typing the following command:

    md5sum --check id379600-fix.gz.md5

    The command should display the following output:

    id379600-fix.gz: OK

    Important: If the checksum verification fails, the id379600-fix.gz file was corrupted during transfer and must be downloaded again.

  11. Unzip the id379600-fix.gz file by typing the following command:

    gunzip id379600-fix.gz

  12. Set permissions on the unzipped binary file by typing the following command:

    chmod +x id379600-fix

  13. Run the utility by typing the following command:

    ./id379600-fix

  14. Once the system has been successfully reconfigured, the script displays the following output:

    [!] ID379600 Livepatch
    [+] ID379600 mitigated

    Important: If the script produces any other output, open a case with F5 Technical Support, including any output that was displayed.

Important: The script patches only the current running slot. If other slots on the BIG-IP system are installed with vulnerable versions, those slots will continue to be vulnerable until patched. Each slot must be patched individually.

Important: In the case of high availability systems, each member of a pair, cluster, or group must be patched individually by following the process above. The reconfigured system files will not be synced to a peer device.
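Because the procedure must be repeated on every slot and every high availability member, steps 10 through 14 can be wrapped in one function that stops at the first failure. This is an added example, not F5's tooling: it assumes the three downloaded files are already in the given directory, and the `id379600-fix.output` file name is hypothetical.

```shell
# Added example: steps 10-14 as one fail-closed function.
# Usage: apply_id379600 /var/tmp
# Exit status: 0 mitigated, 2 bad directory, 3 checksum failure,
#              4 unpack failure, 5 unexpected tool output.
apply_id379600() (
    cd "$1" || exit 2
    # Exact output the advisory lists for a successful run.
    expected='[!] ID379600 Livepatch
[+] ID379600 mitigated'

    # Step 10: stop if the checksum does not verify.
    if ! md5sum --check id379600-fix.gz.md5 >/dev/null 2>&1; then
        echo "checksum mismatch: download id379600-fix.gz again" >&2
        exit 3
    fi

    # Steps 11-12: unpack the binary and make it executable.
    gunzip id379600-fix.gz || exit 4
    chmod +x id379600-fix || exit 4

    # Steps 13-14: run the tool and keep a copy of everything it printed
    # (hypothetical file name) in case a support case is needed.
    out=$(./id379600-fix 2>&1)
    printf '%s\n' "$out" > id379600-fix.output
    if [ "$out" != "$expected" ]; then
        echo "unexpected output saved to $1/id379600-fix.output; open a support case" >&2
        exit 5
    fi
    echo "$(uname -n): ID379600 mitigated on the running slot"
)
```

A zero exit status covers only the running slot of the device where the function ran.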

You can further verify that your system has been successfully reconfigured by uploading a qkview file to BIG-IP iHealth. If the system has been successfully reconfigured, BIG-IP iHealth will list Heuristic H386652 on the Diagnostics > Identified > Low screen. If the system has not been successfully reconfigured, BIG-IP iHealth will list Heuristic H386652 on the Diagnostics > Identified > High screen.

Mitigating the risk of exploitation

In addition to upgrading or patching the system, you can mitigate the risk of this vulnerability by using any or all of the following approaches:

Recovering a compromised system

If you believe your system has been compromised, F5 recommends that you perform a clean installation of the system and re-build the configuration from scratch. This will ensure that the system does not contain any compromised configuration and/or exploits.

Important: F5 recommends that you do not use any existing UCS archives to re-build the configuration unless you have verified that the UCS archive does not contain compromised configuration.

If a compromised system is part of a BIG-IP GTM sync group, you should assume all members of the sync group have been compromised. To prevent propagating a compromised configuration across the sync group as you recover the individual affected systems, break the sync group by performing a clean installation of each member, re-build the configuration from scratch on one of the reinstalled systems, and re-add the remaining reinstalled systems to the sync group.

Note: You can use the gtm_add utility to re-add a system to the sync group. For information about the gtm_add utility, refer to SOL13312: Overview of the BIG-IP GTM big3d_install, bigip_add, and gtm_add utilities (11.x) and SOL8195: Overview of the BIG-IP GTM big3d_install, bigip_add, and gtm_add utilities (9.x - 10.x).

To perform a clean installation of the system, refer to the following articles, appropriate for your version:

Impact of recommended action: The system will be unavailable until the configuration is manually re-built.

Supplemental Information
