Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638)
Update

In recent days we have noticed a new exploit variant related to this vulnerability. This new exploit attempts to inject Java code into the file name parameter of the multipart upload request.

Figure 1: Request example containing the new exploitation vector.

ASM is able to mitigate this new exploit variant using the following user-defined signature:

content:"com"; content:"opensymphony"; distance:0; re2:"/\bcom[\.\/]opensymphony\b/";

An official ASM Security Update including this fix has already been released.

An advisory has been published regarding a critical 0-day Remote Code Execution vulnerability in Apache Struts. The vulnerability resides in the Apache Jakarta multipart parser and is triggered when it tries to parse the Content-Type header of the HTTP request, allowing remote attackers to execute arbitrary code on the vulnerable server. An exploit for this vulnerability has already been published.

Mitigation with BIG-IP ASM

ASM customers are already protected against this vulnerability. While exploiting this vulnerability, an attacker will try to send a malicious HTTP multipart request containing multiple Java code injection payloads.

Figure 2: An attempt to exploit this vulnerability as it was caught on our honeypot.

The exploitation attempt will be detected by many existing Java Code Injection attack signatures and several OS command execution ones.

Figure 3: Exploit blocked with Attack Signature (200003459)
Figure 4: Exploit blocked with Attack Signature (200003471)
Figure 5: Exploit blocked with Attack Signature (200004153)
Figure 6: Exploit blocked with Attack Signature (200003450)
Figure 7: Exploit blocked with Attack Signature (200003058)
Figure 8: Exploit blocked with Attack Signature (200003441)

Mitigating with iRules

In the event you do not yet have ASM in your toolbelt, F5 has updated the official KB article to include an iRule that will protect your vulnerable web servers behind the BIG-IP.
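As an added illustration (not F5's code and not the ASM signature engine), the following Python applies the regular expression from the user-defined signature above to the two request locations this post describes: the Content-Type header (the original vector) and the filename parameter of a multipart part (the new variant). The sample requests are constructed and carry only the signature substring, not an exploit payload.

```python
import re

# Regex taken from the ASM user-defined signature quoted above:
#   re2:"/\bcom[\.\/]opensymphony\b/"
STRUTS_SIG = re.compile(rb"\bcom[./]opensymphony\b")


def parse_request(raw: bytes):
    """Split a raw HTTP request into (lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:           # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def multipart_filenames(content_type: bytes, body: bytes):
    """Return every filename="..." value found in the multipart part headers."""
    m = re.search(rb'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    names = []
    for part in body.split(b"--" + m.group(1))[1:]:
        part_headers = part.split(b"\r\n\r\n", 1)[0]
        names.extend(re.findall(rb'filename="([^"]*)"', part_headers))
    return names


def inspect_request(raw: bytes):
    """List (location, value) pairs where the signature matches."""
    headers, body = parse_request(raw)
    ctype = headers.get(b"content-type", b"")
    hits = []
    if STRUTS_SIG.search(ctype):                   # original vector: Content-Type
        hits.append(("content-type", ctype))
    for name in multipart_filenames(ctype, body):  # new variant: filename parameter
        if STRUTS_SIG.search(name):
            hits.append(("filename", name))
    return hits


# Constructed sample requests: only the signature substring, no real payload.
BENIGN_UPLOAD = (b"POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
                 b"Content-Type: multipart/form-data; boundary=abc123\r\n\r\n"
                 b"--abc123\r\nContent-Disposition: form-data; name=\"f\"; "
                 b"filename=\"report.pdf\"\r\n\r\n%PDF-1.4\r\n--abc123--\r\n")
FILENAME_VARIANT = BENIGN_UPLOAD.replace(b"report.pdf", b"com.opensymphony.probe")
HEADER_VARIANT = (b"POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Type: multipart/form-data; com.opensymphony.probe\r\n\r\n")
```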
Mitigating the 0-day with F5 Silverline WAF

Much like on-prem BIG-IP ASM customers, F5 Silverline WAF customers are already protected against this 0-day vulnerability. The exploitation attempt will be detected by the existing Java code injection and command execution attack signatures built into Silverline WAF standard policies. The following is a WAF Policy Violations Search that shows blocked requests that match the Signature IDs representative of CVE-2017-5638:

Solving Secure Mobile Access with F5 and iOS 7 Per app VPN - Part 1
Overview

As an F5 engineer out in the field I'm fortunate in the fact that I get to talk with customers about their projects and security concerns. While it probably would not surprise you to learn that Mobility is a key project for many organizations, what does surprise me is how many are still using a layer-3 VPN approach on mobile devices. The major problem with this design is that once the VPN is established, any application on the mobile platform can now access the corporate network. As we hear more and more about malware on mobile devices, it is critical to start protecting corporate infrastructure by limiting access to corporate applications only.

With iOS 7 Apple introduced a great way to accomplish this with their Per app VPN. Per app VPN allows iOS to control which applications have access to the VPN tunnel. This gives organizations the ability to designate which applications are corporate apps and treat everything else as personal. Per app VPN also works in Safari with a per-tab level of granularity. So I can have one tab open watching who the Houston Texans take in the first round of the draft (Johnny Manziel of course) and a second tab that is securely connected to my corporate SharePoint site.

To take advantage of the iOS Per app VPN functionality, Apple requires an Enterprise Mobile Management (EMM) solution to configure the mobile device and an Enterprise VPN solution like F5's Access Policy Manager. So, if you're anything like me you've scrolled past this text and straight to the pictures below because you need to deploy this ASAP, right? Well, here we go…

Configuration

The iOS Per app VPN uses F5's APM SOCKS Proxy functionality, so we'll need TMOS 11.4 or higher installed on the BIG-IP and Edge Client 2.0 or higher installed on the mobile device.

1. Create a new Application Policy Profile and select your default language.
2. Customize the Profile's Visual Policy Builder by adding a Client Cert Inspection object and set the successful branch to Allow.
3. Create a new LTM Client SSL Profile: set Client Certificate to "request"; set Trusted Certificate Authority to the CA that signed the certificate installed on the iOS device.
4. Create a new LTM Virtual Server: add your custom Client SSL profile; select your Access Profile; select the default Connectivity Profile or create a custom connectivity profile with default settings; check the VDI & Java Support box to enable SOCKS proxy capabilities.

User Experience

So what does the end result look like? In the example below I tested the Safari per-tab capabilities by clicking the F5 shortcut icon and seamlessly had access to my test web server.

Next Steps

In Part 2 we will walk through how I configured AirWatch to perform the user experience demonstration.

F5 OpenStack LBaaSv1 plugin v1.0.12 released
Release Announcement, 12 Feb 2016

We are pleased to announce the release of the v1.0.12 LBaaSv1 plugin for OpenStack Neutron. This release changes our development approach for the "F5 OpenStack product". It also includes some bug fixes and introduces simpler installation instructions to get you up and running quickly. Click here to download the new version.

Prior versions of the plugin and agent have supported multiple OpenStack releases. Moving forward, we are moving into alignment with the OpenStack community. All v1.x releases will continue to work on OpenStack Icehouse through Kilo. All v2.x releases will work only on OpenStack Liberty. Both release trains are active and will continue to receive bug fixes. Check out the F5 OpenStack Releases and Support Matrix for more details.

We welcome bug reports through our project issues page on GitHub. You can also visit that page to see the list of known issues. More information and downloads for this release are available on the v1.0.12 release page on GitHub.

- The F5 OpenStack Product Team

iBanking Malware Analysis
Co-Authored with Itzik Chimino.

---

iBanking is malware that runs on Android mobile devices. It is delivered via a new variant of the computer banking Trojan Qadars, which deceives users into downloading iBanking malware on to their Android device. It can be used with any malware used to inject code into a web app. The malware enables cybercriminals to intercept SMS and bypass the two-factor authentication methods used by several banks throughout the world to authorize mobile banking operations. iBanking malware acts as a spy that can also grab contact lists, steal bank account details, forward incoming voice calls, and record the victim's voice, which enables it to overcome voice recognition security features that financial institutions are beginning to implement. Cyber criminals ultimately utilize iBanking malware to transparently complete money transfers on behalf of the infected targeted users.

How the attack works

Focusing specifically on the new variant of iBanking malware that targets Facebook users, the attack begins by infecting users' devices with the Qadars banking Trojan via a drive-by download from an unsuspecting website. Qadars then intercepts the webpage and uses JavaScript to inject code into the webpage (in this case, a Facebook page) that presents users with a fake verification pop-up page upon initial login. This page requests the victim's phone number and Android device confirmation. The victim then receives an SMS message on the verified device, which directs him to a page with instructions to download added security. Once the victim installs the iBanking malware, it cannot be removed if it was given admin rights during the install process.

Remote control of the infected device

Once the malware is activated by the user on his smartphone, the attacker gains administrator permissions on his device. The attacker can now control a vast amount of functions, such as:

1. Allows applications to change network connectivity state.
2. Allows an application to send/read SMS messages.
3. Allows an application to automatically start when the system boots.
4. Allows an application read-only access to phone state.
5. Allows an application to access approximate location derived from network location sources such as WiFi and cell antennas.
6. Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed.
7. Allows an application to open network sockets.
8. Allows an application to write to external storage, such as modify/delete SD card contents.
9. Allows an application to read the user's contacts data.
10. Allows an application to record audio such as phone calls and voice messages.

Click here to read the full technical iBanking Malware Analysis Report by F5 SOC. To read more about F5 Global Security Operation Centers click here.

2019 DevCentral MVP Announcement
Congratulations to the 2019 DevCentral MVPs!

The DevCentral MVP Award is given to a select group of exemplary people in the technical community who actively engage and share their experience and knowledge with others. We recognize their significant contributions to our community and the larger technical industry, and we want to say thank you. While all of our users collectively make DevCentral one of the top community sites around and a valuable resource for everyone, MVPs regularly go above and beyond in assisting fellow F5 users both on- and offline. It all starts with a single post…

MVPs all get badges in their DevCentral profiles so everyone can see that they're in the presence of greatness (you'll also see it if you hover over their name in a thread). This year's MVPs will receive a certificate, award, and thank-you gift, access to select Beta programs, and the devout gratitude of the users they've helped as well as the DevCentral team here at F5.

The 2019 DevCentral MVPs (by username) are: Andy McGrath, Austin Geraci, Boneyard, De coug, Fulmetal, Hamish Marson, Iaine, jaikumar_f5, Jie Gao, Jinshu, Joel King, Joel Newton, JTI, Kai Wilke, Kees van den Bos, Kevin Davies, Lee Sutcliffe, Leonardo Souza, Manthey, Mark Wall, Nathan Britton, Nicolas Destor, Niels van Sluis, Patrik Jonsson, Philip Jönsson, Piotr Lewandowski, Rhazi Youssef, Rob_carr, Samir Jha, Stanislas Piron, Tim Rupp, Vijay, What Lies Beneath, Yann Desmaret.

Make sure to check out the MVP page for more info about the program and the MVPs themselves. DevCentral MVPs, thank you for all your contributions!

F5 OpenStack LBaaSv1 plugin v2.0.1 released
Release Announcement, 04 Feb 2016

We are pleased to announce the release of the v2.0.1 LBaaSv1 plugin for OpenStack Neutron. This release expands the list of supported OpenStack releases and changes our development approach for the "F5 OpenStack product". It also includes some bug fixes and introduces simpler installation instructions to get you up and running quickly.

Prior versions of the plugin and agent have supported multiple OpenStack releases. Moving forward, we are moving into alignment with the OpenStack community. All v1.x releases will continue to work on OpenStack Icehouse through Kilo. All v2.x releases will work only on OpenStack Liberty. Both release trains are active and will continue to receive bug fixes. Check out the F5 OpenStack Releases and Support Matrix for more details.

We welcome bug reports through our project issues page on GitHub. You can also visit that page to see the list of known issues. More information and downloads for this release are available on the v2.0.1 release page on GitHub.

- The F5 OpenStack Product Team

Drupal 7.X Services Module Unserialize Vulnerability
An advisory has been published regarding a critical 0-day unauthenticated RCE (Remote Code Execution) vulnerability in the Drupal system. Drupal is a free and open source content-management framework written in PHP, and it provides a back-end framework for at least 2.2% of all web sites worldwide.

The vulnerability resides in the services module of Drupal, which is a popular solution for building APIs that allow external clients to communicate with Drupal. Drupal's services module allows enabling the /user/login resource to permit login via JSON or XML. One of the features of Drupal's services module is that it supports multiple input formats, which the user can specify by setting the Content-Type header of the HTTP request. One of those formats is "application/vnd.php.serialized", which means the user is allowed to send his credentials as serialized PHP data, which will get unserialized by the Drupal services module. By sending a specially crafted serialized object, attackers may trigger a SQL Injection vulnerability, which may later lead to Remote Code Execution.

Mitigation with BIG-IP ASM

ASM customers are already protected against this vulnerability. While exploiting this vulnerability, attackers will try to send a malicious PHP serialized object which contains a SQL Injection payload. The exploitation attempt will be detected by multiple existing PHP Object Serialization and SQL Injection attack signatures.

Figure 1: Exploit blocked with Attack Signature (200004188)
Figure 2: Exploit blocked with Attack Signature (200000073)
Figure 3: Exploit blocked with Attack Signature (200000082)
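As an added example (not Drupal's or F5's code), the following Python shows the structural check a defender can apply in front of the services login resource when the "application/vnd.php.serialized" format is in use: a minimal parser for the PHP serialized format that accepts only the scalar and array types a credential body needs and rejects any O:/C: object entry before anything reaches unserialize(). The field names username/password are assumed here, and the sample bodies are constructed (the object entry is a harmless stdClass used only to trigger the rejection).

```python
PHP_SERIALIZED = "application/vnd.php.serialized"   # input format named in the advisory


def php_unserialize_safe(data: bytes, pos: int = 0):
    """Parse one PHP-serialized value at pos; returns (value, next_pos).
    Only the types a login body needs are accepted; objects (O:/C:) raise."""
    t = data[pos:pos + 1]
    if t == b"N":                                   # N;
        return None, pos + 2
    if t in (b"i", b"b", b"d"):                     # i:42;  b:1;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end].decode()
        val = float(raw) if t == b"d" else int(raw)
        return (bool(val) if t == b"b" else val), end + 1
    if t == b"s":                                   # s:5:"hello";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2
        return data[start:start + length].decode("latin-1"), start + length + 2
    if t == b"a":                                   # a:2:{key;value;...}
        colon = data.index(b":", pos + 2)
        count, pos, out = int(data[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = php_unserialize_safe(data, pos)
            out[key], pos = php_unserialize_safe(data, pos)
        return out, pos + 1                         # skip the closing '}'
    if t in (b"O", b"C"):
        raise ValueError("serialized PHP object rejected at offset %d" % pos)
    raise ValueError("unsupported type %r at offset %d" % (t, pos))


def inspect_login(content_type: str, body: bytes):
    """Verdict for a POST to the services /user/login resource."""
    if not content_type.lower().startswith(PHP_SERIALIZED):
        return ("pass", "not PHP-serialized; left to the JSON/XML parsers")
    try:
        creds, _ = php_unserialize_safe(body)
    except (ValueError, IndexError) as err:
        return ("block", str(err))
    # Assumed field names of the login resource: username and password.
    if not isinstance(creds, dict) or set(creds) != {"username", "password"}:
        return ("block", "login body must be an array of exactly username/password")
    if not all(isinstance(v, str) for v in creds.values()):
        return ("block", "credentials must be plain strings")
    return ("pass", "well-formed credentials")


# Constructed sample bodies: a normal login and one smuggling an object entry.
LEGIT_LOGIN = b'a:2:{s:8:"username";s:5:"alice";s:8:"password";s:7:"hunter2";}'
OBJECT_LOGIN = b'a:2:{s:8:"username";O:8:"stdClass":0:{}s:8:"password";s:1:"x";}'
```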