AskF5 Knowledge Base

sol2232: checktrap.pl script may be vulnerable to remote command execution
Security Advisory

Original Publication Date: 05/16/2007
Updated Date: 09/13/2010

Note: Versions that are not listed in this Solution have not been evaluated for vulnerability to this security advisory. For information about F5 Networks' security policy regarding evaluating older and unsupported versions of F5 Networks products, see SOL4602: Overview of F5 Networks security vulnerability response policy.

F5 Networks products and versions that have been evaluated for this Security Advisory

Product                     Affected            Not Affected
BIG-IP / 3-DNS              4.6.0 - 4.6.2       4.6.3 - 4.6.4
                            4.5.0 - 4.5.11      4.5.12 - 4.5.14
BIG-IP LTM                  None                9.x, 10.x
BIG-IP GTM                  None                9.x, 10.x
BIG-IP ASM                  None                9.x, 10.x
BIG-IP Link Controller      None                9.x, 10.x
BIG-IP WebAccelerator       None                9.x, 10.x
BIG-IP PSM                  None                9.x, 10.x
BIG-IP WAN Optimization     None                10.x
BIG-IP APM                  None                10.x
BIG-IP Edge Gateway         None                10.x
BIG-IP SAM                  None                8.0.0
FirePass                    None                3.x, 4.x, 5.x, 6.x, 7.x
Enterprise Manager          None                1.x, 2.x
ARX                         None                2.x, 3.x, 4.x, 5.x

The checktrap.pl script may be vulnerable to remote command execution.

F5 Networks Product Development tracked this issue as CR35371 and CR35372, and it was fixed in BIG-IP and 3-DNS version 4.5.12 for the 4.5 software branch and in version 4.6.3 for the 4.6 software branch.

Obtaining and installing patches

BIG-IP and 3-DNS versions 4.6.0 through 4.6.2

Important: The system will reboot as soon as it installs the patch. Install this patch only on a system that is in standby mode.

To download and install the patch, perform the following procedure:

  1. Open the F5 Networks Downloads page in a browser.
  2. Navigate to the BIG-IP >> BIG-IP v4.x >> BIG-IP 4.6.x section.
  3. Click checktrap and download the checktrap-4.6x-BIG_IP.im file.

    For information about how to download software, refer to SOL167: Downloading software from F5 Networks.

  4. Verify the MD5 checksum of the patch by typing the following command:

    md5 checktrap-4.6x-BIG_IP.im

    Output similar to the following example should appear:

    0b4d7c354355c47d0fe06189ca737290 checktrap-4.6x-BIG_IP.im

  5. Install the patch by typing the following command:

    im checktrap-4.6x-BIG_IP.im

BIG-IP and 3-DNS versions 4.5.0 through 4.5.10

Important: The system will reboot as soon as it installs the patch. Install this patch only on a system that is in standby mode.

To download and install the patch, perform the following procedure:

  1. Open the F5 Networks Downloads page in a browser.
  2. Navigate to the BIG-IP >> BIG-IP v4.x >> BIG-IP 4.5.x section.
  3. Click checktrap and download the checktrap-4.5x-BIG_IP.im file.

    For information about how to download software, refer to SOL167: Downloading software from F5 Networks.

  4. Verify the MD5 checksum of the patch by typing the following command:

    md5 checktrap-4.5x-BIG_IP.im

    Output similar to the following example should appear:

    0b4d7c354355c47d0fe06189ca737290 checktrap-4.5x-BIG_IP.im

  5. Install the patch by typing the following command:

    im checktrap-4.5x-BIG_IP.im

Workaround

To protect controllers that are configured with SNMP traps, upgrade to the most recent version of BIG-IP or 3-DNS.

If upgrading or applying a patch is not an immediate option, you can work around this issue by performing the following two procedures.

Note: This workaround will supply you with the same protection as applying the patch.

Disabling syslog messages

To disable syslog messages to the /var/run/trapper file, perform the following procedure:

  1. Using a text editor, edit the /etc/syslog.conf file.
  2. Look toward the bottom of the file for lines that appear similar to the following example:

    local0.* /var/run/trapper
    local1.* /var/run/trapper

  3. If they exist, comment them out so that they appear similar to the following example:

    # local0.* /var/run/trapper
    # local1.* /var/run/trapper

  4. Save the file.
  5. Restart syslogd by typing the following command:

    kill -HUP `pidof syslogd`
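The following script is an added example, not part of the F5 advisory: it audits a syslog.conf for active local0/local1 routes to /var/run/trapper and comments them out exactly as steps 1 through 4 above describe, so the workaround can be checked and applied repeatably. It assumes the classic whitespace-separated selector/action format shown in the advisory's sample lines, and the sample syslog.conf it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the F5 advisory): audit and apply the syslog.conf
# part of the checktrap.pl workaround. Assumes classic syslog.conf lines of the
# form "<selector> <action>", as in the advisory's sample lines.

# Return 0 if any uncommented line still routes local0.* or local1.* to
# /var/run/trapper (workaround NOT applied), non-zero otherwise.
trapper_routes_active() {
    grep -Eq '^[[:space:]]*local[01]\.\*[[:space:]]+/var/run/trapper' "$1"
}

# Comment out those lines in place, leaving every other line untouched.
# A backup copy is kept as <file>.bak before the edit.
disable_trapper_routes() {
    f="$1"
    cp "$f" "$f.bak" || return 1
    sed -E 's|^([[:space:]]*local[01]\.\*[[:space:]]+/var/run/trapper.*)$|# \1|' "$f.bak" > "$f"
}

# Demo on a constructed syslog.conf in a temporary directory.
demo() {
    d=$(mktemp -d)
    conf="$d/syslog.conf"
    cat > "$conf" <<'EOF'
*.info;mail.none;authpriv.none    /var/log/messages
local0.* /var/run/trapper
local1.* /var/run/trapper
local2.* /var/log/local2.log
EOF
    if trapper_routes_active "$conf"; then
        disable_trapper_routes "$conf"
    fi
    if trapper_routes_active "$conf"; then
        echo "trapper routes still active"
    else
        echo "trapper routes disabled ($(grep -c '^# local[01]' "$conf") lines commented)"
    fi
    rm -rf "$d"
}

demo
```

On a real unit, run the two functions against /etc/syslog.conf and then restart syslogd as in step 5; the audit function alone is useful for confirming the workaround is still in place after later configuration changes.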

Enabling port lockdown

Enabling port lockdown on any exposed VLAN will prevent a remote attacker from sending arbitrary text to the syslog facility. To enable port lockdown, perform the following procedure:

  1. View the current port lockdown status for a specific VLAN by typing the following command:

    bigpipe vlan <vlan name> show |grep lockdown

    For example:

    bigpipe vlan internal show |grep lockdown

    The output will show lockdown disabled or lockdown enabled and will appear similar to the following example:

    port_lockdown Disabled

  2. If disabled, enable port lockdown on the VLAN by typing the following command:

    bigpipe vlan <vlan name> port_lockdown enable

    For example:

    bigpipe vlan internal port_lockdown enable

  3. Save the new setting by typing the following command:

    bigpipe base save
