Rewterz Threat Advisory – CVE-2016-8618 – F5 Multiple BIG-IP Products libcurl Vulnerability

Severity

Medium

Analysis Summary

A vulnerability in multiple F5 BIG-IP products can be exploited by malicious people to compromise a vulnerable system.

The libcurl API function called curl_maprintf() before version 7.51.0 can be tricked into doing a double-free due to an unsafe size_t multiplication, on systems using 32 bit size_t variables.

A custom monitor or script that calls the curl command may allow unauthorized disclosure of information, unauthorized modification, and disruption of service. The big3d process, which includes the libcurl library, may allow unauthorized disclosure of information, unauthorized modification, and disruption of service.

Impact

System Access
Information Disclosure

Affected Products

• BIG-IP LTM versions 13.0.0 through 13.0.1
• 12.0.0 through 12.1.4
• 11.4.0 through 11.6.3
• and 11.2.1
• BIG-IP AAM versions 12.0.0 through 12.1.4 and 11.4.0 through 11.6.3
• BIG-IP AFM versions 13.0.0 through 13.0.1 and 11.4.0 through 11.6.3
• BIG-IP Analytics versions 12.0.0 through 12.1.4
• BIG-IP APM versions 13.0.0 through 13.0.1
• BIG-IP ASM versions 13.0.0 through 13.0.1
• BIG-IP DNS versions 12.0.0 through 12.1.4
• BIG-IP Edge Gateway version 11.2.1
• BIG-IP GTM versions 11.4.0 through 11.6.3 and 11.2.1
• BIG-IP Link Controller versions 12.0.0 through 12.1.4
• BIG-IP PEM versions 12.0.0 through 12.1.4 and 11.4.0 through 11.6.3
• BIG-IP PSM versions 11.4.0 through 11.4.1
• BIG-IP WebAccelerator version 11.2.1
• BIG-IP WebSafe versions 12.0.0 through 12.1.4 and 11.6.0 through 11.6.3

Remediation

Update or upgrade to a fixed version if available.
BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe: Update or upgrade to version 13.1.0.