
sol15236: ConfigSync IP Rsync full file system access vulnerability CVE-2014-2927
Security Advisory

Original Publication Date: 08/28/2014
Updated Date: 06/04/2015

The vulnerability described in this article has been resolved, or does not affect any F5 products. There will be no further updates, unless new information is discovered.

Description

An open Rsync configuration for the ConfigSync IP address allows for remote read/write file system access in BIG-IP 11.x versions before 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.4.1 HF4, 11.4.0 HF7, 11.3.0 HF9, and 11.2.1 HF11, and Enterprise Manager 3.x versions before 3.1.1 HF2. (CVE-2014-2927)

Impact

A remote unauthenticated user with access to the ConfigSync IP address may be allowed full read/write access to the file system. Exploitation of this vulnerability could lead to unauthenticated root access.

Status

F5 Product Development has assigned ID 458676 (BIG-IP) and ID 458827 (Enterprise Manager) to this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H460257 on the Diagnostics > Identified > High screen.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

| Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature |
|---|---|---|---|
| BIG-IP LTM | 11.0.0 - 11.5.1 | 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.4.1 HF4, 11.4.0 HF7, 11.3.0 HF9, 11.2.1 HF11, 10.0.0 - 10.2.4 | Rsync over the ConfigSync self IP address |
| BIG-IP AAM | 11.4.0 - 11.5.1 | 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.4.1 HF4, 11.4.0 HF7 | Rsync over the ConfigSync self IP address |
| BIG-IP AFM | 11.3.0 - 11.5.1 | 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.4.1 HF4, 11.4.0 HF7, 11.3.0 HF9 | Rsync over the ConfigSync self IP address |
| BIG-IP Analytics | 11.0.0 - 11.5.1 | 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.4.1 HF4, 11.4.0 HF7, 11.3.0 HF9, 11.2.1 HF11 | Rsync over the ConfigSync self IP address |
| BIG-IP APM | 11.0.0 - 11.5.1 | 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.4.1 HF4, 11.4.0 HF7, 11.3.0 HF9, 11.2.1 HF11, 10.0.0 - 10.2.4 | Rsync over the ConfigSync self IP address |
| BIG-IP ASM | 11.0.0 - 11.5.1 | 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.4.1 HF4, 11.4.0 HF7, 11.3.0 HF9, 11.2.1 HF11, 10.0.0 - 10.2.4 | Rsync over the ConfigSync self IP address |
| BIG-IP Edge Gateway | 11.0.0 - 11.3.0 | 11.3.0 HF9, 11.2.1 HF11, 10.1.0 - 10.2.4 | Rsync over the ConfigSync self IP address |
| BIG-IP GTM | 11.0.0 - 11.5.1 | 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.4.1 HF4, 11.4.0 HF7, 11.3.0 HF9, 11.2.1 HF11, 10.0.0 - 10.2.4 | Rsync over the ConfigSync self IP address |
| BIG-IP Link Controller | 11.0.0 - 11.5.1 | 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.4.1 HF4, 11.4.0 HF7, 11.3.0 HF9, 11.2.1 HF11, 10.0.0 - 10.2.4 | Rsync over the ConfigSync self IP address |
| BIG-IP PEM | 11.3.0 - 11.5.1 | 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.4.1 HF4, 11.4.0 HF7, 11.3.0 HF9 | Rsync over the ConfigSync self IP address |
| BIG-IP PSM | 11.0.0 - 11.4.1 | 11.4.1 HF4, 11.4.0 HF7, 11.3.0 HF9, 11.2.1 HF11, 10.0.0 - 10.2.4 | Rsync over the ConfigSync self IP address |
| BIG-IP WebAccelerator | 11.0.0 - 11.3.0 | 11.3.0 HF9, 11.2.1 HF11, 10.0.0 - 10.2.4 | Rsync over the ConfigSync self IP address |
| BIG-IP WOM | 11.0.0 - 11.3.0 | 11.3.0 HF9, 11.2.1 HF11, 10.0.0 - 10.2.4 | Rsync over the ConfigSync self IP address |
| ARX | None | 6.0.0 - 6.4.0 | None |
| Enterprise Manager | 3.0.0 - 3.1.1 | 3.1.1 HF2, 2.1.0 - 2.3.0 | Rsync over the ConfigSync self IP address |
| FirePass | None | 7.0.0, 6.0.0 - 6.1.0 | None |
| BIG-IQ Cloud | None | 4.0.0 - 4.3.0 | None |
| BIG-IQ Device | None | 4.2.0 - 4.3.0 | None |
| BIG-IQ Security | None | 4.0.0 - 4.3.0 | None |

Recommended Action

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, then no upgrade candidate currently exists.

To mitigate this vulnerability, you should ensure the IP address used for ConfigSync is on a trusted network. Additionally, you should ensure TCP port 873 (tcp:873 or tcp:rsync) is disabled on self IP addresses. To do so, perform both of the following procedures:

Ensuring TCP port 873 is not allowed as a default service (allow-service default)

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Traffic Management Shell (tmsh) by typing the following command:

    tmsh
  2. List the default services allowed by the allow-service default setting by typing the following command:

    list net self-allow

    Output appears similar to the following example:

    net self-allow {
        defaults {
            ospf:any
            tcp:domain
            tcp:f5-iquery
            tcp:https
            tcp:snmp
            tcp:ssh
            udp:520
            udp:cap
            udp:domain
            udp:f5-iquery
            udp:snmp
        }
    }

  3. If TCP port 873 (tcp:873 or tcp:rsync) is listed as a default allowed port, you should delete the entry by typing the following command:

    modify net self-allow defaults delete { tcp:rsync }
  4. Save the configuration by typing the following command:

    save sys config

Ensuring your ConfigSync self IP is not configured with a Port Lockdown setting of Allow All (allow-service all) and does not specifically have TCP port 873 (tcp:rsync) enabled

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the BIG-IP or Enterprise Manager Configuration utility.
  2. Navigate to Device Management > Devices.
  3. Select the device indicated as (Self).
  4. Navigate to Device Connectivity > ConfigSync.
  5. Note the IP address listed in Local Address.
  6. Navigate to Network > Self IPs.
  7. Click the self IP address that matches the Local Address from step 5.
  8. Ensure the Port Lockdown setting is not set to Allow All, or Allow Custom with TCP port 873 (Rsync) added to the Custom List of allowed ports.

    For example, either delete TCP port 873 from the Custom List of allowed ports, or select Allow Default from the Port Lockdown menu.
  9. Click Update to save the configuration.
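
An offline check that mirrors both procedures, added here as an example (not F5 code): it parses saved `list net self-allow` and `list net self` output and reports rsync exposure on the self IP whose address matches the ConfigSync Local Address. The function names, the sample text, and the assumed `list net self` layout (an `address` line plus an `allow-service` entry or block) are illustrative assumptions.

```python
RSYNC = {"tcp:rsync", "tcp:873"}  # both spellings the advisory names

def walk(text):
    """Yield (enclosing block headers, setting line) from tmsh 'list' output."""
    stack = []
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack = stack[:-1]
        elif line:
            yield tuple(stack), line

def rsync_in_defaults(self_allow_text):
    """Procedure 1: rsync entries in the 'net self-allow' defaults list."""
    return sorted(l for p, l in walk(self_allow_text)
                  if p == ("net self-allow", "defaults") and l in RSYNC)

def audit_configsync_self_ip(self_text, self_allow_text, configsync_ip):
    """Procedure 2: risky allow-service entries on the ConfigSync self IP."""
    selfs = {}
    for path, line in walk(self_text):
        if path and path[0].startswith("net self "):
            rec = selfs.setdefault(path[0].split()[-1], {"address": "", "allow": []})
            key, _, val = line.partition(" ")
            if len(path) == 1 and key == "address":
                rec["address"] = val.split("/")[0]
            elif path[1:] == ("allow-service",) or (len(path) == 1 and key == "allow-service"):
                rec["allow"].append(line.split()[-1])  # block entry, or one-line 'all'
    findings = []
    for name, rec in selfs.items():
        if rec["address"] == configsync_ip:
            # 'default' inherits whatever the self-allow defaults list permits
            inherited = rsync_in_defaults(self_allow_text) if "default" in rec["allow"] else []
            findings += [(name, s) for s in rec["allow"] if s == "all" or s in RSYNC]
            findings += [(name, "default -> " + s) for s in inherited]
    return findings

# Constructed sample input, not captured from a real device.
SELF_ALLOW = """net self-allow {
    defaults {
        tcp:rsync
    }
}"""
SELF_IPS = """net self sync_self {
    address 192.0.2.10/24
    allow-service {
        default
    }
}"""
```

An empty result from `audit_configsync_self_ip(SELF_IPS, SELF_ALLOW, "192.0.2.10")` means neither procedure has anything to change for that self IP; each tuple returned names the self IP and the entry to remove.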

Acknowledgments

F5 would like to acknowledge Thomas Hibbert of Security Assessment for bringing this issue to our attention, and for following the highest standards of responsible disclosure.
