Forum Discussion
Query regarding Port LockDown and HTTPD Process Update // K52145254
Regarding Temporary Mitigation with Self IP (https://support.f5.com/csp/article/K52145254)
We have seen “Allow Default” for one of the Self IPs which carries production traffic. If I change it to “Allow None”, service-wise what will be the impact?
Regarding the Temporary Mitigation of All Network Interfaces section (https://support.f5.com/csp/article/K52145254)
Below is a 6 step process specifically talking about modifying the HTTPD process, provided at the above doc. Service-wise, what will the impact be if I do the below 7 step change? I have mostly web services hosted on F5 which mostly use an HTTP profile in the VIP configuration. My question is also whether making this 7 step change will impact F5 traffic?
All network interfaces
To eliminate the ability for unauthenticated attackers to exploit this vulnerability, add a LocationMatch configuration element to httpd. To do so, perform the following procedure:
Note: Authenticated users will still be able to exploit the vulnerability, independent of their privilege level.
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to the TMOS Shell (tmsh) by entering the following command:
    tmsh
2. Edit the httpd properties by entering the following command:
    edit /sys httpd all-properties
Note: This will put you into the vi editor.
3. Locate the line which starts with include none and replace it with the following:
    include '
    <LocationMatch ".*\.\.;.*">
    Redirect 404 /
    </LocationMatch>
    '
Write and save the changes to the configuration file by entering the following vi commands:
    Esc
    :wq!
When further prompted to Save Changes (y/n/e), enter y.
4. Save the configuration by entering the following tmsh command:
    save /sys config
5. Exit the tmsh shell by typing quit and pressing Enter.
6. Check that the workaround has been correctly inserted into the configuration by comparing the output of the following command to the LocationMatch fragment inserted in step 3:
    grep -C1 'Redirect 404' /etc/httpd/conf/httpd.conf
The output should match:
    <LocationMatch ".*\.\.;.*">
    Redirect 404 /
    </LocationMatch>
Note: You may disregard any leading white space.
7. To activate the mitigation, restart the httpd service by entering the following command:
    restart sys service httpd
And my question is: how do I verify that the temporary workaround has solved the vulnerability?
You can verify the mitigation is working by visiting this URL:
https://[IP ADDRESS]/tmui/login.jsp/..;/login.jsp
Before mitigation the page will load. After mitigation you will receive a 404 response.
- SubrunCirrostratus
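As an added example (not from the KB article or from either poster), the following Python script does offline what step 6 and the reply above do by hand: it checks that the three-line LocationMatch fragment is present in a copy of httpd.conf, tolerating leading white space as the KB note allows, and it evaluates the LocationMatch regex against URL paths to show which requests httpd would now answer with a 404 (the verification path from the reply among them). The httpd.conf excerpts in the script are constructed for the demonstration, and the script makes no HTTP requests and does not touch a BIG-IP.

```python
import re
import sys

# The three lines of the fragment from step 3 of the KB procedure quoted above.
FRAGMENT_LINES = [
    '<LocationMatch ".*\\.\\.;.*">',
    "Redirect 404 /",
    "</LocationMatch>",
]

# The regex inside the LocationMatch directive. Apache applies it to the URL path
# with unanchored (search) semantics, which re.search reproduces here.
LOCATIONMATCH_REGEX = r".*\.\.;.*"


def conf_has_mitigation(conf_text: str) -> bool:
    """True if the three fragment lines appear consecutively in conf_text.

    Leading and trailing white space on each line is ignored, because the KB
    note says leading white space in the grep output may be disregarded.
    """
    pattern = r"\n".join(
        r"^[ \t]*" + re.escape(line) + r"[ \t]*$" for line in FRAGMENT_LINES
    )
    return re.search(pattern, conf_text, re.MULTILINE) is not None


def locationmatch_hits(request_path: str) -> bool:
    """Would the LocationMatch block apply (httpd answers 404) for this path?

    It fires whenever the path contains the '..;' sequence.
    """
    return re.search(LOCATIONMATCH_REGEX, request_path) is not None


def check_conf_file(path: str) -> bool:
    """Run the check on a saved copy of httpd.conf (e.g. copied off the box)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return conf_has_mitigation(fh.read())


# Constructed httpd.conf excerpts for the offline demonstration; these are not
# real BIG-IP files, only enough to exercise the check.
SAMPLE_CONF_MITIGATED = """\
ServerRoot "/etc/httpd"
    <LocationMatch ".*\\.\\.;.*">
        Redirect 404 /
    </LocationMatch>
"""

SAMPLE_CONF_DEFAULT = """\
ServerRoot "/etc/httpd"
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("mitigation present in", sys.argv[1], ":", check_conf_file(sys.argv[1]))
    else:
        print("mitigated sample:", conf_has_mitigation(SAMPLE_CONF_MITIGATED))
        print("default sample:  ", conf_has_mitigation(SAMPLE_CONF_DEFAULT))
    # The verification path from the reply above: before the workaround the page
    # loads; after it the LocationMatch redirect returns 404.
    for p in ["/tmui/login.jsp/..;/login.jsp", "/tmui/login.jsp"]:
        verdict = "404 by LocationMatch" if locationmatch_hits(p) else "not matched"
        print(f"{p}: {verdict}")
```

Run it with no arguments to see the constructed samples evaluated, or pass the path of a saved httpd.conf copy to check that file. The whitespace-tolerant pattern is the reason for using a regex rather than a plain substring search: the fragment is indented when tmsh writes it into httpd.conf, so an exact-string comparison against the KB text would give a false negative.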
Does this mitigation step impact other Virtual Servers using an HTTP profile? Or is there any other impact you are aware of?
No, this is all control plane, not data plane.
- technoparthiNimbostratus
Please check the KB again; the article has been updated.
We have seen “Allow Default” for one of the Self IPs which carries production traffic. If I change it to “Allow None”, service-wise what will be the impact?
SA https://support.f5.com/csp/article/K17333 talks about “Overview of port lockdown behaviour”, so you need to find out if there is any port you need to allow. If you must open any ports, you should use Allow Custom.
Regarding the 7 mitigation steps for All network interfaces, it is mentioned in the SA (https://support.f5.com/csp/article/K52145254) under “Impact of workaround: Performing the following procedure should not have a negative impact on your system”.
But it is important to take note of: "Note: If your existing configuration already has content in the include configuration (it is no longer the default include none), you will need to prepend/append your existing included configuration to the above changes or it will be overwritten."
- SubrunCirrostratus
For the Port Lockdown thing -- this link (https://www.youtube.com/watch?v=9OXruCRrEic) says Port Lockdown has nothing to do with Virtual Server traffic.
Yes, you are right. The reason I shared https://support.f5.com/csp/article/K17333 is so that you can verify whether your BIG-IP needs any required port to be opened on the self IP, for example ports for any routing protocol, which may also impact production traffic.