| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 4 May 2014 18:37:44 +0000 From: Jeff Costlow <j.costlow@...com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] F5 BIG-IQ authed arbitrary user password change This issue has been fixed in all releases after BIG-IQ 4.1, including 4.2 and 4.3. Please see F5¹s technical solution at http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15229.html BIG-IQ 4.1 was in limited release and customers had already been asked to upgrade. No versions of BIG-IP are vulnerable. Please use security-reporting@...com for any further reports. This email address can be found by searching for ³security² at http://ask.f5.com. http://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html Thanks. On Thu, May 1, 2014 at 5:10 PM, Brandon Perry <bperry.volatile () gmail com>wrote: >Hi, > >Detailed at this blog post (with pics!) is a vulnerability within F5 >BIG-IQ >4.1.0.2013.0. > >http://volatile-minds.blogspot.com/2014/05/f5-big-iq-v41020130-authenticat >ed.html > >A module for this will be uploaded to ExploitHub this evening that will >change the root users password and log in over SSH. > >Tune in next week for even more F5 fun! > >-- >http://volatile-minds.blogspot.com <http://volatile-minds.blogspot.com/> >-- blog >http://www.volatileminds.net <http://www.volatileminds.net/> -- website _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists