AskF5 Knowledge Base
- Home
- SOL13600
Applies To:
Show Versions
sol13600: SSH vulnerability CVE-2012-1493
Security Advisory
Original Publication Date: 06/06/2012
Updated Date: 03/24/2013
Description
A platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH. The vulnerability is caused by a configuration error, and is not the result of an underlying SSH defect.
The following platforms are affected by this issue:
- VIPRION B2100, B4100, and B4200
- BIG-IP 520, 540, 1000, 2000, 2400, 5000, 5100, 1600, 3600, 3900, 6900, 8900, 8950, 11000, and 11050
- BIG-IP Virtual Edition
- Enterprise Manager 3000 and 4000
Note: Systems that are licensed to run in Appliance mode on BIG-IP 10.2.1-HF3 or later are not susceptible to this vulnerability. For more information about Appliance mode, refer to SOL12815: Overview of Appliance mode.
The only sign that this vulnerability may have been exploited on an affected system would be the appearance of unexpected root login messages in the /var/log/secure file. However, there is no way to tell from any specific login message whether it was the result of this vulnerability. Further, it is possible for a privileged account to eliminate traces of illicit activity by modifying the log files.
Neither a strong password policy nor remote authentication helps mitigate the issue. For information about protecting your system from exploitation, refer to the Recommended Action section below.
F5 would like to acknowledge Florent Daigniere of Matta Consulting for bringing this issue to our attention, and for following the highest standards of responsible disclosure.
Impact
Privileged (root) access may be granted to unauthenticated users.
Status
F5 Product Development has assigned ID 379600 to this vulnerability. To find out whether F5 has determined that your release is vulnerable, and to obtain information about releases or hotfixes that resolve the vulnerability, refer to the following table:
| Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature |
| BIG-IP LTM | 9.0.0 - 9.4.8-HF4 10.0.0 - 10.2.3-HF1 11.0.0 - 11.0.0-HF1 11.1.0 - 11.1.0-HF2 |
9.4.8-HF5 and later 10.2.4 and later 11.0.0-HF2 and later 11.1.0-HF3 and later 11.2.x 11.3.x |
SSH via TCP/22 on any interface |
| BIG-IP GTM | 9.2.2 - 9.4.8-HF4 10.0.0 - 10.2.3-HF1 11.0.0 - 11.0.0-HF1 11.1.0 - 11.1.0-HF2 |
9.4.8-HF5 and later 10.2.4 and later 11.0.0-HF2 and later 11.1.0-HF3 and later 11.2.x 11.3.x |
SSH via TCP/22 on any interface |
| BIG-IP ASM | 9.2.0 - 9.4.8-HF4 10.0.0 - 10.2.3-HF1 11.0.0 - 11.0.0-HF1 11.1.0 - 11.1.0-HF2 |
9.4.8-HF5 and later 10.2.4 and later 11.0.0-HF2 and later 11.1.0-HF3 and later 11.2.x 11.3.x |
SSH via TCP/22 on any interface |
| BIG-IP Link Controller | 9.2.2 - 9.4.8-HF4 10.0.0 - 10.2.3-HF1 11.0.0 - 11.0.0-HF1 11.1.0 - 11.1.0-HF2 |
9.4.8-HF5 and later 10.2.4 and later 11.0.0-HF2 and later 11.1.0-HF3 and later 11.2.x 11.3.x |
SSH via TCP/22 on any interface |
| BIG-IP WebAccelerator | None |
9.4.x 10.x 11.x |
None |
| BIG-IP PSM | 9.4.5 - 9.4.8-HF4 10.0.0 - 10.2.3-HF1 11.0.0 - 11.0.0-HF1 11.1.0 - 11.1.0-HF2 |
9.4.8-HF5 and later 10.2.4 and later 11.0.0-HF2 and later 11.1.0-HF3 and later 11.2.x 11.3.x |
SSH via TCP/22 on any interface |
| BIG-IP WOM | 10.0.0 - 10.2.3-HF1 11.0.0 - 11.0.0-HF1 11.1.0 - 11.1.0-HF2 |
10.2.4 and later 11.0.0-HF2 and later 11.1.0-HF3 and later 11.2.x 11.3.x |
SSH via TCP/22 on any interface |
| BIG-IP APM | 10.1.0 - 10.2.3-HF1 11.0.0 - 11.0.0-HF1 11.1.0 - 11.1.0-HF2 |
10.2.4 and later 11.0.0-HF2 and later 11.1.0-HF3 and later 11.2.x 11.3.x |
SSH via TCP/22 on any interface |
| BIG-IP Edge Gateway |
10.1.0 - 10.2.3-HF1 11.0.0 - 11.0.0-HF1 11.1.0 - 11.1.0-HF2 |
10.2.4 and later 11.0.0-HF2 and later 11.1.0-HF3 and later 11.2.x 11.3.x |
SSH via TCP/22 on any interface |
| BIG-IP Analytics |
11.0.0 - 11.0.0-HF1 11.1.0 - 11.1.0-HF2 |
11.0.0-HF2 and later 11.1.0-HF3 and later 11.2.x 11.3.x |
SSH via TCP/22 on any interface |
| BIG-IP AFM | None | 11.3.x | None |
| BIG-IP PEM | None | 11.3.x | None |
| FirePass | None | 6.x 7.x |
None |
| Enterprise Manager | 1.x 2.0.x 2.1.0 - 2.1.0-HF1 2.2.0 (no HF) 2.3.0 - 2.3.0-HF2 |
2.1.0-HF2 and later 2.2.0-HF1 and later 2.3.0-HF3 and later 3.x |
SSH via TCP/22 on any interface |
| ARX | None |
5.x 6.x |
None |
Recommended action
A number of options exist to address this vulnerability. Perform one or more of the following procedures, as appropriate, for your situation:
- Upgrading to a non-vulnerable version
- Reconfiguring SSH access
- Mitigating the risk of exploitation
- Recovering a compromised system
Upgrading to a non-vulnerable version
To eliminate this vulnerability, upgrade to a release that is not affected. If an unaffected release is not available, apply the hotfix that is available for your version.
Reconfiguring SSH access
If you are unable to upgrade or apply a hotfix immediately, you can safely reconfigure the system by performing the following procedure:
Impact of recommended action: None. The SSH reconfiguration tool does not affect traffic flowing through the BIG-IP system. The change made by the Configuration utility takes effect immediately, and there is no need to restart any service, including SSH.
Important: Because the configuration error that creates this vulnerability would be reintroduced by reinstalling an affected software version, F5 regards this procedure as a temporary workaround and recommends that you upgrade to a release that contains the supported fix as soon as possible.
- From an Internet connected workstation, browse to https:/downloads.f5.com/.
- Click Find a Download.
- From the BIG-IP Product Family list, select the BIG-IP product line.
- From the resulting list, select the product container named ID379600.
- If it appears, accept the End User Software License agreement.
- Download the id379600-fix.gz binary, the id379600-fix.gz.md5 checksum file, and optionally, the id379600-fix.README file.
- Upload the files to a working directory, such as /var/tmp, on the affected BIG-IP/VIPRION system. For more information about uploading files to a BIG-IP system, refer to SOL175: Transferring files to or from an F5 system.
- Log in to the BIG-IP/VIPRION command line as root (or any other user with Advanced Shell access and Role set to Administrator).
- Change to the directory where you uploaded the files.
- Verify the checksum of the downloaded file by typing the following command:
md5sum --check id379600-fix.gz.md5
The command should display the following output:
id379600-fix.gz: OK
Important: If the checksum verification fails, the id379600-fix.gz file was corrupted during transfer and must be downloaded again.
- Unzip the id379600-fix.gz file by typing the following command:
gunzip id379600-fix.gz
- Set permissions on the unzipped binary file by typing the following command:
chmod +x id379600-fix
- Run the utility by typing the following command:
./id379600-fix
- Once the system has been successfully reconfigured, the script displays the following output:
[!] ID379600 Livepatch
[+] ID379600 mitigated
Important: If the script produces any other output, open a case with F5 Technical Support, including any output that was displayed.
Important: The script patches only the current running slot. If there are other slots on the BIG-IP system that are installed with vulnerable versions, that slot will continue to be vulnerable until patched. Each slot must be patched individually.
Important: In the case of high availability systems, each member of a pair, cluster, or group must be patched individually by following the process above. The reconfigured system files will not be synced to a peer device.
You can further verify that your system has been successfully reconfigured by uploading a qkview file to BIG-IP iHealth. If the system has been successfully reconfigured, BIG-IP iHealth will list Heuristic H386652 on the Diagnostics > Identified > Low screen. If the system has not been successfully reconfigured, BIG-IP iHealth will list Heuristic H386652 on the Diagnostics > Identified > High screen.
Mitigating the risk of exploitation
In addition to upgrading or patching the system, you can mitigate the risk of this vulnerability by using any or all of the following approaches:
- Limit SSH administrative access to the management interface by ensuring that the port lockdown feature is configured to disallow port 22 for all self IP addresses. For more information, refer to SOL13250: Overview of port lockdown behavior (10.x - 11.x) or SOL7317: Overview of port lockdown behavior (9.x).
- Expose the management interface on only trusted networks.
- Implement appropriate external network filters, such as firewalling, to protect the management interface from unintended access.
- Restrict SSH access to affected systems by configuring specific allowed IP address ranges. To do so, follow the procedures in SOL5380: Specifying allowable IP ranges for SSH access.
Important: A strong password policy or external authentication does not help mitigate the risk from this issue.
Recovering a compromised system
If you believe your system has been compromised, F5 recommends that you perform a clean installation of the system and re-build the configuration from scratch. This will ensure that the system does not contain any compromised configuration and/or exploits.
Important: F5 recommends that you do not use any existing UCS archives to re-build the configuration unless you have verified that the UCS archive does not contain compromised configuration.
If a compromised system is part of a BIG-IP GTM sync group, you should assume all members of the sync group have been compromised. To prevent propagating a compromised configuration across the sync group as you recover the individual affected systems, break the sync group by performing a clean installation of each member, re-build the configuration from scratch on one of the reinstalled systems, and re-add the remaining reinstalled systems to the sync group.
Note: You can use the gtm_add utility to re-add a system to the sync group. For information about the gtm_add utility, refer to SOL13312: Overview of the BIG-IP GTM big3d_install, bigip_add, and gtm_add utilities (11.x) and SOL8195: Overview of the BIG-IP GTM big3d_install, bigip_add, and gtm_add utilities (9.x - 10.x).
To perform a clean installation of the system, refer to the following articles appropriate for your version:
Impact of recommended action: The system will be unavailable until the configuration is manually re-built.
- SOL13117: Performing a clean installation of BIG-IP 11.x or Enterprise Manager 3.x
- SOL10819: Performing a clean installation of BIG-IP version 10.x or Enterprise Manager 2.x
- SOL9447: Choosing an installation method for BIG-IP version 9.x
Supplemental Information
- CVE-2012-1493
- SOL13092: Overview: Securing access to the BIG-IP system
- SOL13127: Restoring the BIG-IP configuration to factory default settings (11.x)
- SOL10519: Restoring the BIG-IP configuration to factory default settings (10.x)
- SOL7550: Restoring the BIG-IP configuration to factory default settings (9.3.x - 9.4.x)
- SOL9970: Subscribing to email notifications regarding F5 products
- SOL9957: Creating a custom RSS feed to view new and updated documents
- SOL4602: Overview of the F5 security vulnerability response policy
- SOL4918: Overview of the F5 critical issue hotfix policy
- SOL167: Downloading software and firmware from F5
