Forum Discussion

Subrun
Jul 06, 2020

Query regarding Port LockDown and HTTPD Process Update // K52145254

Regarding Temporary Mitigation with Self IP ( https://support.f5.com/csp/article/K52145254 )

We have seen “Allow Default” for one of the Self IPs which carries Production Traffic. If I change it to “Allow None”, what will be the impact service-wise?

Regarding the Temporary Mitigation of All Network Interfaces section ( https://support.f5.com/csp/article/K52145254 )

Below is a 6 step process, specifically talking about modifying the HTTPD process, provided at the above doc. Service-wise, what will the impact be if I make the below 7 step change? I have mostly web services hosted on F5 which mostly use an HTTP profile in the VIP configuration. My question is also whether making this 7 step change will impact F5 traffic.

All network interfaces

To eliminate the ability for unauthenticated attackers to exploit this vulnerability, add a LocationMatch configuration element to httpd. To do so, perform the following procedure:

Note: Authenticated users will still be able to exploit the vulnerability, independent of their privilege level.

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

1. Log in to the TMOS Shell (tmsh) by entering the following command:

    tmsh

2. Edit the httpd properties by entering the following command:

    edit /sys httpd all-properties

Note: This will put you into the vi editor.

3. Locate the line which starts with include none and replace it with the following:

    include '
    <LocationMatch ".*\.\.;.*">
    Redirect 404 /
    </LocationMatch>
    '

Write and save the changes to the configuration file by entering the following vi commands:

    Esc
    :wq!

When further prompted to Save Changes (y/n/e), enter y.

4. Save the configuration by entering the following tmsh command:

    save /sys config

5. Exit the tmsh shell by typing quit and pressing Enter.

6. Check if the workaround has been correctly inserted into the configuration by comparing the output of the following command to the LocationMatch fragment inserted in step 3:

    grep -C1 'Redirect 404' /etc/httpd/conf/httpd.conf

The output should match:

    <LocationMatch ".*\.\.;.*">
    Redirect 404 /
    </LocationMatch>

Note: You may disregard any leading white spaces.

7. To activate the mitigation, restart the httpd service by entering the following command:

    restart sys service httpd

And my question is: how do I verify that the temporary workaround has resolved the vulnerability?

7 Replies

  • You can verify the mitigation is working by visiting this URL:

    https://[IP ADDRESS]/tmui/login.jsp/..;/login.jsp

    Before mitigation the page will load. After mitigation you will receive a 404 response.

    • Subrun

      Does this mitigation step impact other Virtual Servers using an HTTP profile, or is there any other impact you are aware of?

  • We have seen “Allow Default” for one of the Self IPs which carries Production Traffic. If I change it to “Allow None”, what will be the impact service-wise?

    SA https://support.f5.com/csp/article/K17333 talks about “Overview of port lockdown behaviour”, so you need to find out if there is any port you need to allow. If you must open any ports, you should use Allow Custom.

    Regarding the 7 mitigation steps for All network interfaces, it is mentioned in the SA https://support.f5.com/csp/article/K52145254 under “Impact of workaround: Performing the following procedure should not have a negative impact on your system”.

    But it's important to take note of "Note: If your existing configuration already has content in the include configuration (it is no longer the default include none), you will need to prepend/append your existing included configuration to the above changes or it will be overwritten."

    • Subrun

      For the Port Lockdown thing -- this link ( https://www.youtube.com/watch?v=9OXruCRrEic ) says Port Lockdown has nothing to do with Virtual Server traffic.
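An added example, not code from this thread or from F5: a small Python script that models two things discussed above, the httpd LocationMatch mitigation quoted in the question (the include fragment of step 3, the grep check of step 6, and the 404 behaviour the first reply uses for verification) and the caveat in the second reply that an existing include value must be kept rather than overwritten. The function names (build_include, config_has_mitigation, mitigation_blocks, verify) and the httpd.conf excerpts are constructed for illustration; the script runs offline and touches no device.

```python
import re

# Constructed example, not F5's code. It models the K52145254 workaround as
# quoted in the thread: a <LocationMatch> that answers any URL path containing
# "..;" with a 404 redirect. Helper names are hypothetical.

# The exact fragment step 3 places in the httpd "include" value.
LOCATION_MATCH_FRAGMENT = (
    '<LocationMatch ".*\\.\\.;.*">\n'
    'Redirect 404 /\n'
    '</LocationMatch>'
)

# Same regex httpd evaluates against the request's URL path.
MITIGATION_PATTERN = re.compile(r".*\.\.;.*")

# Constructed excerpts of /etc/httpd/conf/httpd.conf before and after step 7.
# Indentation is arbitrary; a real file holds far more directives.
SAMPLE_HTTPD_CONF_BEFORE = 'ServerRoot "/etc/httpd"\n'
SAMPLE_HTTPD_CONF_AFTER = """\
ServerRoot "/etc/httpd"
    <LocationMatch ".*\\.\\.;.*">
    Redirect 404 /
    </LocationMatch>
"""


def config_has_mitigation(httpd_conf: str) -> bool:
    """Offline equivalent of step 6: find 'Redirect 404 /' and compare the
    line before and after it with the expected fragment. Leading whitespace
    is ignored, as the procedure's note allows."""
    lines = [line.strip() for line in httpd_conf.splitlines()]
    for i, line in enumerate(lines):
        if line == "Redirect 404 /":
            before = lines[i - 1] if i > 0 else ""
            after = lines[i + 1] if i + 1 < len(lines) else ""
            return (before == '<LocationMatch ".*\\.\\.;.*">'
                    and after == "</LocationMatch>")
    return False


def build_include(existing: str) -> str:
    """Return the new value for the httpd 'include' setting.

    Step 3 replaces the default 'none'. The reply's caveat: if the include
    already holds content, keep it (it is prepended here) instead of
    overwriting it. Applying the function twice changes nothing."""
    existing = existing.strip()
    if existing in ("", "none"):
        return LOCATION_MATCH_FRAGMENT
    if config_has_mitigation(existing):
        return existing
    return existing + "\n" + LOCATION_MATCH_FRAGMENT


def mitigation_blocks(url_path: str) -> bool:
    """True if the LocationMatch regex matches this URL path, i.e. httpd would
    answer it with the 404 redirect once the workaround is active."""
    return MITIGATION_PATTERN.match(url_path) is not None


def verify(httpd_conf: str, probe_paths) -> dict:
    """Summarise both checks: is the fragment present in the config, and
    which of the given URL paths the regex would block."""
    return {
        "fragment_present": config_has_mitigation(httpd_conf),
        "blocked": {path: mitigation_blocks(path) for path in probe_paths},
    }


if __name__ == "__main__":
    # The first path is the normal login page, the second is the probe URL
    # from the first reply; after mitigation only the second is blocked.
    report = verify(SAMPLE_HTTPD_CONF_AFTER,
                    ["/tmui/login.jsp", "/tmui/login.jsp/..;/login.jsp"])
    for key, value in report.items():
        print(key, value)
    print(build_include("none"))
```

The script does not replace the live checks in the thread: step 6 still reads the real file on the box, and the first reply's browser test still exercises httpd itself. What it adds is a way to see, before touching a production unit, that the regex only matches paths containing "..;" (so an ordinary login.jsp request is unaffected) and that re-applying the include step on a unit whose include is no longer "none" would clobber that content unless it is merged.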