Malware Devil

Thursday, August 13, 2020

ESB-2020.2797 – [Appliance] F5 SSL Orchestrator: Reduced security – Existing account

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2797
           F5 SSL Orchestrator may fail to stop an attacker from
         exfiltrating data on a compromised client system (SNIcat)
                              13 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 SSL Orchestrator
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Reduced Security -- Existing Account
Resolution:        Mitigation

Original Bulletin: 
   https://support.f5.com/csp/article/K20105555

--------------------------BEGIN INCLUDED TEXT--------------------

K20105555: F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)

Security Advisory

Original Publication Date: 13 Aug, 2020

Security Advisory Description

An attacker may be able to exfiltrate data from a target system sitting behind
F5 SSL Orchestrator by inserting data into the TLS SNI field. This approach
assumes that the attacker has already compromised, and is in full control of,
the target system to be able to create outbound connections to arbitrary
destinations with specifically crafted TLS handshake details. Note that the
data insertion into the TLS SNI field is performed on the compromised system
itself and is done outside of the F5 SSL Orchestrator's traffic management.

This issue occurs when all of the following conditions are met:

  o You deployed an Outbound topology configuration on the F5 SSL Orchestrator
  o The target system behind the F5 SSL Orchestrator is compromised by the
    attacker

Impact

The attacker can extract sensitive data from the target system that is sitting
behind the F5 SSL Orchestrator. Note that this issue is not a vulnerability or
defect in the F5 SSL Orchestrator, however you can use the F5 SSL Orchestrator
to mitigate this issue as described in the Workaround section.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o The compromised target system connects to the attacker's system using
    specifically crafted TLS handshake details.

Security Advisory Status

F5 Product Development has assigned IDs 892937 and 892941 to this issue. F5 has
confirmed that this issue exists in the products listed in the Applies to (see
versions) box, located in the upper-right corner of this article. For
information about releases, point releases, or hotfixes that resolve this
issue, refer to the following table.

+--------------------+-------------------+----------------+
|Type of fix         |Fixes introduced in|Related articles|
+--------------------+-------------------+----------------+
|Release             |None               |None            |
+--------------------+-------------------+----------------+
|Point release/hotfix|None               |None            |
+--------------------+-------------------+----------------+

Security Advisory Recommended Actions

Workaround

If the affected F5 SSL Orchestrator is licensed for Secure Web Gateway (SWG) or
URL Filtering, the first iRule below compares the presented TLS SNI value
against known malicious patterns in the URL Filtering database. If the affected
F5 SSL Orchestrator does not have SWG or URL Filtering licensed, you may
consider the alternative iRules, which allow the F5 SSL Orchestrator to send
the TLS SNI value either to a configured receive-only tap device (such as an
Intrusion Detection/Prevention System) by inserting it as an HTTP header, or to
a Security Information and Event Management (SIEM) device/log aggregator using
High Speed Logging (HSL) for offline analysis. Select the iRule that is most
appropriate for your application environment, and perform the Procedure to
implement the iRule:

  o iRule to compare TLS SNI information against known malicious patterns
    within the URL Filtering database
  o iRule to send TLS SNI information to a TAP device by inserting it as an
    HTTP header
  o iRule to send TLS SNI information to a SIEM device by way of HSL

iRule to compare TLS SNI information against known malicious patterns within
the URL Filtering database

To use this iRule, ensure that your F5 SSL Orchestrator is licensed and
provisioned with SWG or the URL Filtering feature.

when CLIENT_ACCEPTED {
    set cat ""
    set lookup_url ""
}
when CATEGORY_MATCHED {
    set cat [CATEGORY::result category]
}
when CLIENTSSL_CLIENTHELLO priority 50 {
    if { $cat eq "" } {
        set lookup_url [ACCESS::perflow get perflow.category_lookup.result.url]

        if { ${lookup_url} eq "" } {
            # extract SNI from the TLS ClientHello; the first 9 bytes of the
            # extension are type, length, list length, name type and name length
            if {[SSL::extensions exists -type 0]} {
                binary scan [SSL::extensions -type 0] @9a* SNI
                # reject any SNI containing a character that cannot appear in a
                # hostname (case-insensitive match)
                if {[regexp {(?i)[^a-z0-9.-]} $SNI]} {
                    log local0. "client offered bogus SNI"
                    reject
                } else {
                    set ctx(SNI) [string tolower $SNI]
                    set lookup_url "https://$ctx(SNI)/"
                }
            }
        }

        if { ${lookup_url} ne "" } {
            set cat [CATEGORY::lookup ${lookup_url} request_default_and_custom]
        }
    }

    if { $cat ne "" } {
        switch $cat {
            /Common/Advanced_Malware_Command_and_Control -
            /Common/Advanced_Malware_Payloads {
                reject
            }
            default {
            }
        }
    }
} ; #CLIENTSSL_CLIENTHELLO


iRule to send TLS SNI information to a TAP device by inserting it as an HTTP
header

This iRule inserts the TLS SNI information as the X-F5-TLS-SNI HTTP header; you
should configure your receive-only TAP device (such as IDS/IPS) to capture this
header.

when RULE_INIT {
    set static::debug 0
}
when CLIENT_ACCEPTED {
    # initialise the variable so HTTP_REQUEST can test it even when the
    # client offered no SNI extension
    set SNI ""
}
when CLIENTSSL_CLIENTHELLO priority 25 {
    if {[SSL::extensions exists -type 0]} {
        # skip the 9-byte extension header; the remainder is the host name
        binary scan [SSL::extensions -type 0] @9a* SNI
        if {$static::debug eq 1} {
            log local0. "[IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port]; SNI:$SNI"
        }
    }
}
when HTTP_REQUEST {
    if {$SNI ne ""} {
        HTTP::header insert "X-F5-TLS-SNI" $SNI
    }
}


iRule to send TLS SNI information to a SIEM device by way of HSL

To use this iRule, ensure that you have configured the syslog_pool with the
appropriate SIEM device or log aggregator.

when RULE_INIT {
    set static::debug 0
}

when CLIENTSSL_CLIENTHELLO priority 25 {

    if {[SSL::extensions exists -type 0]} {
        set hslpool syslog_pool
        set hsl [HSL::open -proto UDP -pool $hslpool]

        # skip the 9-byte extension header; the remainder is the host name
        binary scan [SSL::extensions -type 0] @9a* SNI

        if {$static::debug eq 1} {
            log local0. "[IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port]; SNI:$SNI"
        }

        # Modify the formatting between quotes to suit whatever SIEM/log
        # aggregation system you are sending to
        # Note syslog expects an RFC3164 compliant facility & severity
        # indicator, e.g. local7.info = <190> (facility 23 * 8 + severity 6)
        HSL::send $hsl "<190> [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port]; SNI:$SNI"
    }

}
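The advisory leaves the offline analysis of the HSL records to the SIEM. The following Python, an added example that is not part of the F5 article or the AusCERT bulletin, parses lines in the format the HSL iRule emits and applies two defender-side checks: the same hostname-character rule the URL Filtering iRule enforces with its regexp, and a length-plus-entropy heuristic for labels that look like encoded data. The log lines, the `<190>` PRI prefix, and the thresholds are constructed assumptions for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample of the lines the HSL iRule emits (assumed format:
# "<PRI> client:port->local:port; SNI:name"). The two "exfil.example" lines
# carry a long encoded first label, the pattern the advisory describes.
SAMPLE_LOG = """\
<190> 10.1.2.3:51234->203.0.113.10:443; SNI:www.example.com
<190> 10.1.2.3:51235->203.0.113.10:443; SNI:mail.example.com
<190> 10.1.2.9:51300->198.51.100.5:443; SNI:VGhpcyBpcyBhIHNlY3JldA.exfil.example
<190> 10.1.2.9:51301->198.51.100.5:443; SNI:bW9yZSBzZWNyZXQgZGF0YQ.exfil.example
<190> 10.1.2.4:51400->203.0.113.11:443; SNI:bad host!
"""

LINE_RE = re.compile(r"^\s*(?:<\d+>\s*)?(\S+):(\d+)->(\S+):(\d+); SNI:(.*)$")
# RFC 1123 host label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.IGNORECASE)


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def sni_findings(sni, entropy_threshold=3.5, min_label_len=16):
    """Reasons an SNI value looks wrong; an empty list means a plain hostname."""
    if not sni:
        return ["empty-sni"]
    reasons = []
    labels = sni.rstrip(".").split(".")
    if len(sni) > 253 or not all(LABEL_RE.match(label) for label in labels):
        reasons.append("invalid-hostname")  # what the URL Filtering iRule rejects
    # Long labels with high character entropy are typical of encoded data in a name
    # (thresholds are illustrative assumptions; tune them against your own traffic).
    if any(len(l) >= min_label_len and shannon_entropy(l) >= entropy_threshold for l in labels):
        reasons.append("high-entropy-label")
    return reasons


def analyze(log_text):
    """Return (client_ip, server_ip, sni, reasons) for every flagged log line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = sni_findings(m.group(5))
        if reasons:
            findings.append((m.group(1), m.group(3), m.group(5), reasons))
    return findings
```

Calling `analyze(SAMPLE_LOG)` flags only the three suspicious lines; a real deployment would feed it the SIEM export and group findings by client address.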

Procedure to implement the iRule

When you have selected the iRule most appropriate for your application
environment, perform the following procedure:

Impact of workaround: The workaround requires that the affected F5 SSL
Orchestrator deployment configuration be unprotected (disable the Strict Update
option); this allows you to manually change your deployment configuration but
does not prevent any potential misconfiguration that can result in an unusable
application. If you re-protect (enable the Strict Update option) the affected
deployment configuration after performing this workaround, then the change you
made to the virtual server in this workaround will be removed.

 1. Log in to the F5 SSL Orchestrator Configuration utility.
 2. Go to SSL Orchestrator > Configuration.
 3. Under the Topologies section, to unprotect the configuration, select the
    lock icon for the affected deployment configuration.
 4. Select OK to confirm that you want to proceed to unprotect the
    configuration.
 5. Go to Local Traffic > iRules > iRule List.
 6. Select Create.
 7. For Name, enter a name for the iRule.

    For example:

    K20105555-workaround

 8. Copy the iRule you have selected and paste it in the Definition setting.
 9. To save the changes, select Finished.
10. Go to Local Traffic > Virtual Servers > Virtual Server List.
11. Select the name of the virtual server used in the affected F5 SSL
    Orchestrator deployment configuration.
12. Select Resources and then select Manage in the iRules section.
13. In the Available box, locate the iRule you have created in steps 6 through
    9, and select 
