Forum Discussion
apd logs User Plain Text Password when in Debug Mode!
Hello,
we have a big problem with our F5.
We found out that the F5 logs the plain-text password of all users that use our client-initiated SSOs. THIS should not be the case! How could this "feature" get through QA on F5's behalf? The F5 always censors passwords for good and I don't get why in this particular case this doesn't apply.
But enough of me rambling about this, I am as good as fired for this anyway... I want to ask how we can avoid this in the future. Disabling the debug mode alone is not sufficient because I cannot guarantee that one of my fellow admins cannot enable the debug mode and steal passwords from all users.
You have to meet the following requirements for this problem to occur:
* Have a client-initiated SSO like the Exchange iApp
* Debug log level for "Access Policy"
When you meet those requirements, you can go into /var/log/apm and simply search for "password:"
You will find the messages like this:
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 663 Msg: //=========================================
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 664 Msg: Request received
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 665 Msg: //-----------------------------------------
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 63 Msg: bytes_received: 339, len: 339
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 87 Msg: first header received: POST /my.policy HTTP/1.1
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 310 Msg: HTTP Method received: POST
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 339 Msg: HTTP URI received: /my.policy
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 384 Msg: HTTP major version received: 1
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 385 Msg: HTTP minor version received: 1
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: Content-Length: 55
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, content-length: 55
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: client-session-id: 18d2879417a0fb3009afddf358621dea
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, client-session-id: 18d2879417a0fb3009afddf358621
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: session-key: 8871001d1fb63f014eecb81158621dea
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, session-key: 8871001d1fb63f014eecb81158621dea
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: profile-id: /MyComp/PTAexchange1.4.app/exch_access
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, profile-id: /MyComp/PTAexchange1.4.app/exch_access
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: session-id: 58621dea
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, session-id: 58621dea
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: snapshot-id: 18a28c096a6_5ooooooooooooooooooo
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, snapshot-id: 18a28c096a6_5ooooooooooooooooooo
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: cmp-pu: 1
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, cmp-pu: 1
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 82 Msg: Complete header received: 284
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parsePostParam()" line: 474 Msg: Param received, username: Admin
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parsePostParam()" line: 474 Msg: Param received, password: Admin_Password!
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parsePostParam()" line: 474 Msg: Param received, vhost: standard
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 681 Msg: Received Session Id: "58621dea"
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 683 Msg: Received Profile Id: "/MyComp/PTAexchange1.4.app/exch_access"
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 685 Msg: request-from: ""
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 687 Msg: clientless-mode: ""
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 689 Msg: no-inspection-host-mode: ""
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 691 Msg: Received CMP Process Unit: "1, mc = 0x5ca10f44"
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 693 Msg: start processing of the access policy
Oct 13 08:37:04 F5 debug apd[12167]: 01490011:7: 58621dea: Logon agent: ENTER Function executeInstance
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: modules/LogonPage/SimpleLogonPage/SimpleLogonPageAgent.cpp func: "SimpleLogonPageAgentexecuteInstance()" line: 1134 Msg: SCIM session state variables: Request Type : Request Domain : GroupName : UserName : ClearCache:0
Oct 13 08:37:04 F5 notice apd[12167]: 01490010:5: 58621dea: Username 'Admin'
As you can see, the HTTPParser.cpp func: "parsePostParam()" line: 474 is the culprit!
So how can we avoid this in the future? A strict trust agreement will not work, I am afraid. Any input on this matter is highly appreciated!
Best Wishes!
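A defender-side check, added here and not part of the original post or of F5's software: it scans apd debug output in the format quoted above, reports which APM sessions and usernames had a password written to the log (without reproducing the secret), and produces a redacted copy that is safe to attach to a support case. The sample lines are constructed from the post with a made-up password; the script name and file paths are assumptions.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample in the apd debug format quoted above; the credential value is made up.
SAMPLE_LOG = """\
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: client-session-id: 18d2879417a0fb3009afddf358621dea
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: session-id: 58621dea
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parsePostParam()" line: 474 Msg: Param received, username: Admin
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parsePostParam()" line: 474 Msg: Param received, password: Admin_Password!
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parsePostParam()" line: 474 Msg: Param received, vhost: standard
Oct 13 08:37:04 F5 notice apd[12167]: 01490010:5: 58621dea: Username 'Admin'
"""

# Only the parsePostParam() password parameter is secret; username and session id are kept for the report.
PASSWORD_PARAM = re.compile(r'^(?P<prefix>.*Msg: Param received, password: )(?P<secret>.*)$')
USERNAME_PARAM = re.compile(r'Msg: Param received, username: (?P<user>\S+)')
# Anchored on "generic header received: " so the client-session-id header is not mistaken for session-id.
SESSION_HDR = re.compile(r'generic header received: session-id: (?P<sid>[0-9a-f]+)')
REDACTED = '[REDACTED]'


def audit_apm_log(text: str) -> Tuple[List[Dict[str, object]], str]:
    """Return (findings, redacted_text) for apd log text.

    A finding holds the line number plus the session id and username seen most
    recently before the leaked parameter, never the password value itself."""
    findings: List[Dict[str, object]] = []
    cleaned: List[str] = []
    session_id, username = '', ''
    for lineno, line in enumerate(text.splitlines(), start=1):
        if (m := SESSION_HDR.search(line)):
            session_id = m.group('sid')
        if (m := USERNAME_PARAM.search(line)):
            username = m.group('user')
        if (m := PASSWORD_PARAM.match(line)):
            findings.append({'line': lineno, 'session_id': session_id, 'username': username})
            line = m.group('prefix') + REDACTED  # drop the secret before the line is copied anywhere
        cleaned.append(line)
    return findings, ''.join(l + '\n' for l in cleaned)


if __name__ == '__main__':
    # Usage (assumed script name): audit_apm_log.py [/var/log/apm] [redacted-copy-path]
    src = sys.argv[1] if len(sys.argv) > 1 else '/var/log/apm'
    with open(src, encoding='utf-8', errors='replace') as fh:
        found, clean = audit_apm_log(fh.read())
    for f in found:
        print(f"line {f['line']}: password logged for user {f['username']!r}, APM session {f['session_id']}")
    if len(sys.argv) > 2:
        with open(sys.argv[2], 'w', encoding='utf-8') as out:
            out.write(clean)
```

Any non-empty findings list means credentials must be treated as exposed and rotated; the redacted copy is what goes to the support case, not the raw file.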
2 Replies
- Seth_Cooper
Employee
Hi,
This issue has been identified and should be fixed in the latest release (v12.0.0). This is tracked as ID 493106. What version are you running?
If upgrading is not an option then you could open a case and see if they can build you an Engineering HotFix for this issue on your version.
Seth
- fabiblack_18546
Nimbostratus
That is a shame... last time we updated, our whole SSO went down. (That was the main reason why I even looked at /var/log/apm.)
However, I don't see that they fixed it in https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-12-0-0.html
Do you have a SOL article for me?