
F5 FirePass command execution vulnerability

F5's FirePass SSL VPN appliance provides secure access to corporate applications and data using a standard web browser.

Delivering outstanding performance, scalability, ease-of-use, and end-point security, FirePass helps increase the productivity of those working from home or on the road while keeping corporate data secure.

S21sec has discovered a vulnerability in an F5 FirePass SSL VPN script that allows the injection of Linux shell commands under some circumstances.

The attacker doesn't need to be logged in to the system in order to trigger the exploit.

Workaround
F5 has published a security advisory at
https://tech.f5.com/home/solutions/sol167.html

Additionally, hotfix HF-75705-76003-1 has been issued for supported versions of FirePass.

You may download this hotfix or later versions of the hotfix from the F5 Networks Downloads site (https://downloads.f5.com/esd/index.jsp).

Acknowledgments
This vulnerability has been discovered and researched by:
  • Leonardo Nve S21Sec
With thanks to:
  • Alberto Moro S21Sec

You can access the latest version of this advisory at
http://www.s21sec.com/avisos/s21sec-035-en.txt

1 comment:

Anonymous said...

The F5 report on this issue is actually here --->
http://support.f5.com/kb/en-us/solutions/public/7000/100/sol7164

Thanks
Matt





© Copyright S21sec 2013 - All rights reserved

