F5 Firepass Multiple Input Validation Vulnerabilities
BID:21957
Info
F5 Firepass Multiple Input Validation Vulnerabilities
| Bugtraq ID: | 21957 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 09 2007 12:00AM |
| Updated: | Jan 25 2007 04:28PM |
| Credit: | Michael Ligh from mnin.org and Greg Sinclair from NNL-Labs are credited with the discovery of these vulnerabilities. |
| Vulnerable: |
Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 F5 FirePass |
| Not Vulnerable: | |
Discussion
F5 Firepass Multiple Input Validation Vulnerabilities
F5 Firepass is prone to multiple input-validation vulnerabilities because the device fails to sufficiently sanitize user-supplied input. These issues include information-disclosure, security bypass, and cross-site scripting vulnerabilities.
An attacker can exploit these issues to bypass security restrictions, to view sensitive information, and to steal cookie-based authentication credentials. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
F5 Firepass is prone to multiple input-validation vulnerabilities because the device fails to sufficiently sanitize user-supplied input. These issues include information-disclosure, security bypass, and cross-site scripting vulnerabilities.
An attacker can exploit these issues to bypass security restrictions, to view sensitive information, and to steal cookie-based authentication credentials. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
Exploit / POC
F5 Firepass Multiple Input Validation Vulnerabilities
Attackers can exploit the information-disclosure and security-bypass vulnerabilities via a web client. Attackers can exploit the cross-site scripting issue by enticing an unsuspecting victim to follow a malicious URI.
Attackers can exploit the information-disclosure and security-bypass vulnerabilities via a web client. Attackers can exploit the cross-site scripting issue by enticing an unsuspecting victim to follow a malicious URI.
Solution / Fix
F5 Firepass Multiple Input Validation Vulnerabilities
Solution:
The vendor has released a fix to address this issue. Please contact the vendor for information on how to obtain and apply the fix.
Ubuntu Ubuntu Linux 6.06 LTS amd64
Ubuntu Ubuntu Linux 6.10 sparc
Ubuntu Ubuntu Linux 6.10 amd64
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.10 powerpc
Ubuntu Ubuntu Linux 6.10 i386
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS sparc
Solution:
The vendor has released a fix to address this issue. Please contact the vendor for information on how to obtain and apply the fix.
Ubuntu Ubuntu Linux 6.06 LTS amd64
-
Ubuntu gdm_2.14.10-0ubuntu1.1_amd64.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_amd64.deb -
Ubuntu gdm_2.14.10-0ubuntu1.1_i386.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_i386.deb -
Ubuntu gdm_2.14.10-0ubuntu1.1_powerpc.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_powerpc.deb -
Ubuntu gdm_2.14.10-0ubuntu1.1_sparc.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_sparc.deb
Ubuntu Ubuntu Linux 6.10 sparc
-
Ubuntu gdm_2.16.1-0ubuntu4.1_amd64.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_amd64.deb -
Ubuntu gdm_2.16.1-0ubuntu4.1_i386.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_i386.deb -
Ubuntu gdm_2.16.1-0ubuntu4.1_powerpc.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_powerpc.deb -
Ubuntu gdm_2.16.1-0ubuntu4.1_sparc.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_sparc.deb
Ubuntu Ubuntu Linux 6.10 amd64
-
Ubuntu gdm_2.16.1-0ubuntu4.1_amd64.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_amd64.deb -
Ubuntu gdm_2.16.1-0ubuntu4.1_i386.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_i386.deb -
Ubuntu gdm_2.16.1-0ubuntu4.1_powerpc.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_powerpc.deb -
Ubuntu gdm_2.16.1-0ubuntu4.1_sparc.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_sparc.deb
Ubuntu Ubuntu Linux 6.06 LTS powerpc
-
Ubuntu gdm_2.14.10-0ubuntu1.1_amd64.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_amd64.deb -
Ubuntu gdm_2.14.10-0ubuntu1.1_i386.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_i386.deb -
Ubuntu gdm_2.14.10-0ubuntu1.1_powerpc.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_powerpc.deb -
Ubuntu gdm_2.14.10-0ubuntu1.1_sparc.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_sparc.deb
Ubuntu Ubuntu Linux 6.10 powerpc
-
Ubuntu gdm_2.16.1-0ubuntu4.1_amd64.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_amd64.deb -
Ubuntu gdm_2.16.1-0ubuntu4.1_i386.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_i386.deb -
Ubuntu gdm_2.16.1-0ubuntu4.1_powerpc.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_powerpc.deb -
Ubuntu gdm_2.16.1-0ubuntu4.1_sparc.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_sparc.deb
Ubuntu Ubuntu Linux 6.10 i386
-
Ubuntu gdm_2.16.1-0ubuntu4.1_amd64.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_amd64.deb -
Ubuntu gdm_2.16.1-0ubuntu4.1_i386.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_i386.deb -
Ubuntu gdm_2.16.1-0ubuntu4.1_powerpc.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_powerpc.deb -
Ubuntu gdm_2.16.1-0ubuntu4.1_sparc.deb
Ubuntu 6.10:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4. 1_sparc.deb
Ubuntu Ubuntu Linux 6.06 LTS i386
-
Ubuntu gdm_2.14.10-0ubuntu1.1_amd64.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_amd64.deb -
Ubuntu gdm_2.14.10-0ubuntu1.1_i386.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_i386.deb -
Ubuntu gdm_2.14.10-0ubuntu1.1_powerpc.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_powerpc.deb -
Ubuntu gdm_2.14.10-0ubuntu1.1_sparc.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_sparc.deb
Ubuntu Ubuntu Linux 6.06 LTS sparc
-
Ubuntu gdm_2.14.10-0ubuntu1.1_amd64.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_amd64.deb -
Ubuntu gdm_2.14.10-0ubuntu1.1_i386.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_i386.deb -
Ubuntu gdm_2.14.10-0ubuntu1.1_powerpc.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_powerpc.deb -
Ubuntu gdm_2.14.10-0ubuntu1.1_sparc.deb
Ubuntu 6.06 LTS:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1 .1_sparc.deb
References
F5 Firepass Multiple Input Validation Vulnerabilities
References:
References:
- f5 Solutions Webpage (f5)
- NNL-Labs & MNIN | F5 FirePass Security Advisory (Michael Ligh from (http://mnin.org) and Greg Sinclair ([email protected]))
- Vendor Homepage (F5)