F5 Big-IP - rsync Access

EDB-ID:

34465




Platform:

Hardware

Date:

2014-08-29


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

When configured in a high availability mode, the F5 solution suffers from an unauthenticated rsync access vulnerability that can be leveraged to upload a malicious SSH key and gain remote root access to the appliance.
The BigIP platform configures an rsync daemon listening on the ConfigSync interfaces when the system is configured in a failover mode. The rsync daemon as currently configured does not require any authentication and the “cmi” module has complete read/write access to the system. If the ConfigSync IP addresses are accessible by a malicious third party, it is possible to upload an authorized_keys file directly into the /var/ssh/root directory and then open a root SSH session on the f5 device.

Advisory: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/34465.pdf