Friday, September 11, 2015

F5 file path traversal - CVE 2015-4040

Earlier this year while pentesting a customer network, I identified a File Path traversal vulnerability in a F5 Big IP box.

Chris Christian from F5 Security Response Team (SRT) reached out promptly and I shared the details with him.

Chris confirmed yesterday that F5 has now released new version 12.0 that fixes this issue. F5 has also published a Solution Article 17253 describing this path traversal vulnerability, affected devices / versions, impact, resolution & references, recently on Sep 9, 2015.

Read it here:

Disclosure timelines:
April 27, 2015 - Contacted F5 security
April 28, 2015 - Response from F5
September 02, 2015 - version 12.0 released
September 09, 2015 - Solution article 17253 published

Associated CVE-2015-4040 is in progress and will be published shortly has been published.

You can check it out here:

I have also posted a working exploit on Exploit-db and Packetstorm:

More advisories coming soon.


No comments:

Post a Comment


The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.