sol15220: iControl vulnerability CVE-2014-2928
Security Advisory

Original Publication Date: 05/07/2014
Updated Date: 09/14/2015

Description

The iControl API in F5 BIG-IP LTM, APM, ASM, GTM, Link Controller, and PSM 11.0.0 through 11.5.1, BIG-IP AAM 11.4.0 through 11.5.1, BIG-IP AFM and PEM 11.3.0 through 11.5.1, BIG-IP Analytics 11.0.0 through 11.5.1, BIG-IP Edge Gateway, WebAccelerator, WOM 11.0.0 through 11.3.0, Enterprise Manager 3.0.0 through 3.1.1, and BIG-IQ Cloud, Device, and Security 4.0.0 through 4.3.0 allows remote administrators to execute arbitrary commands via shell metacharacters in the hostname element in a SOAP request. (CVE-2014-2928)
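The following is an added example and is not F5 code: the iControl internals are not public, so the SOAP method and element names, the namespace, and the handler functions below are hypothetical. It shows the vulnerability class the description names (a caller-controlled hostname spliced into a shell command line, so shell metacharacters are interpreted) next to a hardened handler that enforces RFC 1123 hostname syntax and passes the value as a separate argv element with no shell involved. The SOAP envelopes are constructed inline.

```python
"""Command injection via a hostname element in a SOAP request.

Added example, not F5's code. The schema (urn:example:System,
set_hostname, hostname) is hypothetical; envelopes are constructed.
The vulnerable path returns the shell string instead of executing it
so the example is safe to run."""
import re
import xml.etree.ElementTree as ET
from typing import List
from xml.sax.saxutils import escape

# Hypothetical SOAP namespace and method; not the real iControl WSDL.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "sys": "urn:example:System",
}

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens,
# 1-63 characters each, not starting or ending with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def soap_request(hostname: str) -> str:
    """Constructed request envelope using the hypothetical schema above."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:sys="urn:example:System"><soapenv:Body><sys:set_hostname>'
        f"<hostname>{escape(hostname)}</hostname>"
        "</sys:set_hostname></soapenv:Body></soapenv:Envelope>"
    )


def extract_hostname(envelope: str) -> str:
    """Pull the <hostname> text out of the SOAP body (hypothetical schema)."""
    root = ET.fromstring(envelope)
    node = root.find("./soapenv:Body/sys:set_hostname/hostname", NS)
    if node is None or node.text is None:
        raise ValueError("no hostname element in request")
    return node.text.strip()


def vulnerable_command(hostname: str) -> str:
    """The flaw: one shell string handed to /bin/sh (shell=True or system()).
    Anything the shell treats specially (; | & $() ` newline) is interpreted,
    so an authenticated caller gets arbitrary command execution."""
    return f"/bin/hostname {hostname}"


def is_valid_hostname(hostname: str) -> bool:
    """Allow-list check: only RFC 1123 syntax, at most 253 characters."""
    return len(hostname) <= 253 and _HOSTNAME_RE.fullmatch(hostname) is not None


def hardened_argv(hostname: str) -> List[str]:
    """Fixed form: validate against the allow-list, then pass the value as a
    separate argv element (subprocess.run(argv) with no shell=True), so no
    shell ever parses it."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return ["/bin/hostname", hostname]


if __name__ == "__main__":
    for value in ("bigip1.example.com", "bigip1; id", "$(id).example.com"):
        host = extract_hostname(soap_request(value))
        print("shell string:", vulnerable_command(host))
        try:
            print("argv        :", hardened_argv(host))
        except ValueError as exc:
            print("rejected    :", exc)
```

The two defences are independent: the allow-list stops the metacharacters from reaching any command at all, and the argv form means that even a value which slipped past validation would be a single argument rather than shell syntax. A fix that only escapes or quotes the value for the shell is fragile; removing the shell from the path is what closes this class of bug.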

Impact

Users who can authenticate to the iControl API may be able to run arbitrary commands on a BIG-IP system over that authenticated iControl connection.

Status

F5 Product Development has assigned ID 448802 (BIG-IP and Enterprise Manager) and ID 484170 (BIG-IQ) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, BIG-IP iHealth may list Heuristic H484322 on the Diagnostics > Identified > High screen. 

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Product                  Versions known to be vulnerable   Versions known to be not vulnerable              Vulnerable component or feature
BIG-IP LTM               11.0.0 - 11.5.1                   11.6.0, 11.5.2, 11.2.1 HF15, 10.0.0 - 10.2.4     iControl
BIG-IP AAM               11.4.0 - 11.5.1                   11.6.0, 11.5.2                                   iControl
BIG-IP AFM               11.3.0 - 11.5.1                   11.6.0, 11.5.2                                   iControl
BIG-IP Analytics         11.0.0 - 11.5.1                   11.6.0, 11.5.2, 11.2.1 HF15                      iControl
BIG-IP APM               11.0.0 - 11.5.1                   11.6.0, 11.5.2, 11.2.1 HF15, 10.1.0 - 10.2.4     iControl
BIG-IP ASM               11.0.0 - 11.5.1                   11.6.0, 11.5.2, 11.2.1 HF15, 10.0.0 - 10.2.4     iControl
BIG-IP Edge Gateway      11.0.0 - 11.3.0                   11.2.1 HF15, 10.1.0 - 10.2.4                     iControl
BIG-IP GTM               11.0.0 - 11.5.1                   11.6.0, 11.5.2, 11.2.1 HF15, 10.0.0 - 10.2.4     iControl
BIG-IP Link Controller   11.0.0 - 11.5.1                   11.6.0, 11.5.2, 11.2.1 HF15, 10.0.0 - 10.2.4     iControl
BIG-IP PEM               11.3.0 - 11.5.1                   11.6.0, 11.5.2                                   iControl
BIG-IP PSM               11.0.0 - 11.4.1                   11.2.1 HF15, 10.0.0 - 10.2.4                     iControl
BIG-IP WebAccelerator    11.0.0 - 11.3.0                   11.2.1 HF15, 10.0.0 - 10.2.4                     iControl
BIG-IP WOM               11.0.0 - 11.3.0                   11.2.1 HF15, 10.0.0 - 10.2.4                     iControl
ARX                      None                              6.0.0 - 6.4.0                                    None
Enterprise Manager       3.0.0 - 3.1.1                     2.1.0 - 2.3.0, 3.1.1 HF2                         iControl
FirePass                 None                              7.0.0, 6.0.0 - 6.1.0                             None
BIG-IQ Cloud             4.0.0 - 4.4.0                     None                                             iControl
BIG-IQ Device            4.2.0 - 4.4.0                     None                                             iControl
BIG-IQ Security          4.0.0 - 4.4.0                     None                                             iControl

Recommended action

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.

To mitigate this vulnerability, permit access to F5 products only over a secure network, and limit login access to trusted users. Because exploitation requires an authenticated iControl connection, restricting which networks can reach the management interface and which accounts hold credentials able to use iControl is the compensating control until an upgrade is possible. For additional information, refer to the links in the following Supplemental Information section.

Acknowledgments

F5 would like to acknowledge Brandon Perry of ZeniMax Online for bringing this issue to our attention.

Supplemental Information
