QID 376053
Date Published: 2021-11-18
QID 376053: F5 BIG-IP Local Traffic Manager (LTM), Access Policy Manager (APM), Application Security Manager (ASM) cURL Vulnerability (K63525058)
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
CVE-2020-8284
Vulnerable Component: BIG-IP APM,ASM,LTM
Affected Versions:
16.0.0 - 16.0.1
15.1.0 - 15.1.2
14.1.0 - 14.1.3
QID Detection Logic(Authenticated):
This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.
If curl is used from the F5 product and it connects to a malicious FTP server, an attacker can manipulate curl to access restricted information.
Solution
The vendor has released a patch; for more information, see K63525058.
Workaround:
- Restrict the Management Interface access to only trusted users. For more information regarding the BIG-IP system, refer to the following article: K13092: Overview of securing access to the BIG-IP system.
- Connect to only trusted FTP servers.
- Use the following curl command line option: --ftp-skip-pasv-ip. This option causes curl to ignore the IP address that the server suggests for the data connection. Instead, curl uses the same IP address it is using for the control connection. For example:
  curl --ftp-skip-pasv-ip -k -u user ftp://10.1.1.100/get_file -o /shared/tmp/get_file
  Note: This could cause problems in situations where you expect the server to need the client to connect back to an IP address other than the control connection IP address. If feasible, use the --ftp-skip-pasv-ip mitigation with the EAV monitors or iRules that use curl to access the FTP servers, or just remove the EAV monitors or iRules.
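To make the workaround concrete, the following added example (not part of the Qualys or F5 text) parses an FTP 227 PASV reply the way a client would, flags a reply that points the data connection at an address other than the control connection's, and shows what --ftp-skip-pasv-ip changes: the server's port is kept but the control-connection IP is reused. The control address 10.1.1.100 comes from the page; the reply strings are constructed sample input.

```python
import re

# RFC 959 passive-mode reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
# h1-h4 are the IPv4 octets, port = p1 * 256 + p2.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), (p1 << 8) | p2


def data_endpoint(control_ip, reply, skip_pasv_ip=False):
    """Decide where the data connection would be opened.

    skip_pasv_ip=True mirrors curl --ftp-skip-pasv-ip: the advertised port is
    honoured but the IP is replaced by the control connection's address.
    Returns (ip, port, redirected); redirected is True when the server tried
    to steer the client to an address other than the control connection's,
    which is the behaviour CVE-2020-8284 abuses.
    """
    ip, port = parse_pasv(reply)
    redirected = ip != control_ip
    if skip_pasv_ip:
        ip = control_ip
    return ip, port, redirected


if __name__ == "__main__":
    control = "10.1.1.100"                       # FTP server from the page's curl example
    honest = "227 Entering Passive Mode (10,1,1,100,19,137)"   # constructed: same host, port 5001
    hostile = "227 Entering Passive Mode (192,0,2,25,3,232)"   # constructed: other host, port 1000
    for reply in (honest, hostile):
        for skip in (False, True):
            ip, port, redirected = data_endpoint(control, reply, skip_pasv_ip=skip)
            print("skip_pasv_ip=%-5s -> %s:%d redirected=%s" % (skip, ip, port, redirected))
```

A `redirected=True` result is the condition to log or alert on in an EAV monitor wrapper, whether or not the mitigation flag is in use.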
Vendor References
- K63525058 - support.f5.com/csp/article/K63525058
CVEs related to QID 376053
CVE-2020-8284
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| K63525058 | F5 BIG-IP | LTM, APM, ASM | support.f5.com/csp/article/K63525058 |