Query regarding Port LockDown and HTTPD Process Update // K52145254

Subrun
Cirrostratus

Regarding Temporary Mitigation with Self IP ( https://support.f5.com/csp/article/K52145254 )

We have seen "Allow Default" on one of the Self IPs which carries production traffic. If I change it to "Allow None", what will the impact be, service-wise?

 

Regarding the Temporary Mitigation of All Network Interfaces section ( https://support.f5.com/csp/article/K52145254 ):

Below is a 6 step process, specifically about modifying the HTTPD process, provided in the above doc. Service-wise, what will the impact be if I make the 7 step change below? I mostly have web services hosted on F5, which mostly use an HTTP profile in the VIP configuration. My question is also whether performing this 7 step process will impact F5 traffic.

 

All network interfaces

To eliminate the ability for unauthenticated attackers to exploit this vulnerability, add a LocationMatch configuration element to httpd. To do so, perform the following procedure:

Note: Authenticated users will still be able to exploit the vulnerability, independent of their privilege level.

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

1. Log in to the TMOS Shell (tmsh) by entering the following command:

tmsh

2. Edit the httpd properties by entering the following command:

edit /sys httpd all-properties

Note: This will put you into the vi editor.

3. Locate the line which starts with include none and replace it with the following:

include '
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
'

Write and save the changes to the configuration file by entering the following vi commands:

Esc
:wq!

When further prompted to Save Changes (y/n/e), enter y.

4. Save the configuration by entering the following tmsh command:

save /sys config

5. Exit the tmsh shell by typing quit and pressing Enter.

6. Check that the workaround has been correctly inserted into the configuration by comparing the output of the following command to the LocationMatch fragment inserted in step 3:

grep -C1 'Redirect 404' /etc/httpd/conf/httpd.conf

The output should match:

    <LocationMatch ".*\.\.;.*">
    Redirect 404 /
    </LocationMatch>

Note: You may disregard any leading white space.

7. To activate the mitigation, restart the httpd service by entering the following command:

restart sys service httpd

 

And my question is: how do I verify that the temporary workaround has resolved the vulnerability?

Dharminder
F5 SIRT

"We have seen "Allow Default" on one of the Self IPs which carries production traffic. If I change it to "Allow None", what will the impact be, service-wise?"

SA https://support.f5.com/csp/article/K17333 talks about "Overview of port lockdown behavior", so you need to find out if there is any port you need to allow. If you must open any ports, you should use Allow Custom.

 

Regarding the 7 mitigation steps for All network interfaces, it is mentioned in the SA ( https://support.f5.com/csp/article/K52145254 ) under "Impact of workaround: Performing the following procedure should not have a negative impact on your system."

But it is important to take note of: "Note: If your existing configuration already has content in the include configuration (it is no longer the default include none), you will need to prepend/append your existing included configuration to the above changes or it will be overwritten."

"For the Port Lockdown thing, this link ( https://www.youtube.com/watch?v=9OXruCRrEic ) says Port Lockdown has nothing to do with Virtual Server traffic."

Yes, you are right. The reason I shared https://support.f5.com/csp/article/K17333 is so that you can verify whether your BIG-IP requires any port to be opened on the self IP, for example ports for any routing protocol, which may also impact production traffic.

MegaZone
F5 SIRT

You can verify the mitigation is working by visiting this URL:

https://[IP ADDRESS]/tmui/login.jsp/..;/login.jsp

Before mitigation the page will load. After mitigation you will receive a 404 response.

"Does this mitigation step impact other Virtual Servers using an HTTP profile, or is there any other impact you are aware of?"

No, this is all control plane, not data plane.
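An added example, not F5's code or any poster's, that models the two checks discussed in this thread offline: the step 6 grep of httpd.conf for the LocationMatch fragment, and the URL test above, expressed as "does the KB's LocationMatch regex match this request path". The httpd.conf excerpts are constructed for illustration.

```python
"""Offline checks for the K52145254 httpd LocationMatch workaround."""
import re

# The regular expression from the KB's LocationMatch directive: it matches any
# request path containing the "..;" sequence, which httpd then answers with 404.
LOCATIONMATCH_PATTERN = re.compile(r".*\.\.;.*")

# The three lines the step 6 grep should show (leading whitespace is ignored).
EXPECTED_FRAGMENT = [
    '<LocationMatch ".*\\.\\.;.*">',
    "Redirect 404 /",
    "</LocationMatch>",
]


def path_is_blocked(path: str) -> bool:
    """True if the mitigated httpd would answer this path with the 404 redirect."""
    return LOCATIONMATCH_PATTERN.match(path) is not None


def workaround_present(httpd_conf: str) -> bool:
    """Mirror step 6: confirm the fragment appears as three consecutive lines."""
    lines = [ln.strip() for ln in httpd_conf.splitlines() if ln.strip()]
    width = len(EXPECTED_FRAGMENT)
    return any(lines[i:i + width] == EXPECTED_FRAGMENT
               for i in range(len(lines) - width + 1))


# Constructed httpd.conf excerpts: one with the workaround, one without.
CONF_MITIGATED = """
    # other directives
    <LocationMatch ".*\\.\\.;.*">
    Redirect 404 /
    </LocationMatch>
"""
CONF_DEFAULT = """
    # other directives
"""

if __name__ == "__main__":
    print("workaround in mitigated conf:", workaround_present(CONF_MITIGATED))
    print("workaround in default conf:  ", workaround_present(CONF_DEFAULT))
    for p in ("/tmui/login.jsp", "/tmui/login.jsp/..;/login.jsp"):
        print(p, "->", "404" if path_is_blocked(p) else "served")
```

The verification URL in the reply above contains "..;", so it matches the pattern after mitigation, while the normal login path does not.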

technoparthi
Nimbostratus

Please check the KB again; the article has been updated.