Yo! @F5Networks @F5Security
https://support.f5.com/csp/article/K58240755
This reads awfully like a vulnerability.
Why no CVE?
Replying to @savagejen @cybergibbons and
There was a lot of discussion on this one, but in the end it was not considered a vulnerability. This is deliberate functionality in place due to customer needs to install third party software via APM to enforce requirements for VPN access, etc. Continued...
2 replies 0 retweets 0 likes
Replying to @megazone @savagejen and
The attack is really in getting a target to install a malicious cert into the trust store, so that the system then will trust and install other code. But we can't know if a cert is legit or not, if it is trusted by Windows then it is trusted to validate code signing.
1 reply 0 retweets 0 likes
Replying to @megazone @savagejen and
We (F5) agreed it was worth making customers aware of the importance of keeping the trust store, well, trustworthy, which is why that document was published. But the conclusion was that the root of the issue is outside of the F5 product itself.
1 reply 1 retweet 1 like
Replying to @megazone @savagejen and
If you can compromise the trust store and get a malicious cert trusted then it opens up multiple possibilities of attack. You've undermined code signing as protection at that point.
1 reply 0 retweets 1 like
Replying to @megazone @savagejen and
Clearly not a black and white issue, and I'm sure not everyone will agree with the conclusion. It wasn't reached lightly, there was a lot of discussion about it. The researcher, T Shiomitsu with Pen Test Partners, was kind enough to work with us to draft the article.
1 reply 0 retweets 1 like
Replying to @megazone @savagejen and
Intriguing. I'm very familiar with this attack class (worked on IE before a lot of this was locked down) and definitely appreciate your nuance. It's a little fuzzy to me, what *precisely* happens with a non-F5 signed CAB file, using a stock Authenticode signature?
1 reply 0 retweets 0 likes
Replying to @dakami @savagejen and
I'm not the Windows expert, @savagejen is an old friend and I responded since she flagged me down, but if the CAB is not F5-signed the user gets prompted with the actual signer. If they proceed then it goes through the standard Windows checks, UAC pops if privileges are required.
2 replies 0 retweets 0 likes
1) "Deliberate functionality" does *not* preclude a designed capability from being CVE-worthy. 2) "UAC pops *if privileges are required*" Are you saying that code not requiring admin privileges to be installed can be silently installed using an f5-epi:// URI?
1 reply 0 retweets 2 likes
I dug into this a little bit. Given the flurry of warnings presented to the user before running code in the case I came up with, I can't imagine that this is CVE-worthy. What's it take to run an Office Macro? One button click? And that doesn't have a CVE... pic.twitter.com/8XqdKUZWa2
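The thread's defensive takeaway is that the exposure hinges on the Windows trust store: once an attacker-controlled root is trusted, Authenticode checks on a non-F5-signed CAB (or anything else) will pass. The PowerShell below is an added example, not code from the thread, from F5 or from Pen Test Partners. It snapshots the machine-wide and per-user Root stores to a CSV baseline taken on a known-good image, reports any root that later appears outside that baseline (a per-user root can be added without admin rights, which is why both stores are covered), and checks a file's Authenticode chain so you can see which root a signer actually anchors to. The baseline path, the sample file path and the CSV layout are assumptions made for this example.

```powershell
# Added example (not F5's code): audit Windows trusted-root stores against a
# baseline and inspect the Authenticode chain of a file. Paths are placeholders.

$TrustStores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Export-RootStoreBaseline {
    # Run once on a known-good image; the CSV becomes the reference set.
    param([Parameter(Mandatory)][string]$Path)
    $roots = foreach ($store in $TrustStores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
            }
        }
    }
    $roots | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-RootStore {
    # Returns every trusted root present now that was not in the baseline.
    param([Parameter(Mandatory)][string]$BaselinePath)
    $known = @{}
    foreach ($b in (Import-Csv -Path $BaselinePath)) {
        $known["$($b.Store)|$($b.Thumbprint)"] = $true
    }
    foreach ($store in $TrustStores) {
        Get-ChildItem -Path $store |
            Where-Object { -not $known["$store|$($_.Thumbprint)"] } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Thumbprint = $_.Thumbprint
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotBefore  = $_.NotBefore   # recent NotBefore on a "root" is a red flag
                }
            }
    }
}

function Test-FileSigner {
    # Reports signature status, the signer and the root the chain terminates in,
    # and whether that root was part of the baseline.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$BaselinePath
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File           = $Path
        Status         = $sig.Status        # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Signer         = $null
        Root           = $null
        RootInBaseline = $null
    }
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline demo; use 'Online' in production
        [void]$chain.Build($sig.SignerCertificate)
        $last = $chain.ChainElements.Count - 1
        $rootCert = $chain.ChainElements[$last].Certificate
        $result.Root = $rootCert.Subject
        if ($BaselinePath) {
            $knownThumbs = Import-Csv -Path $BaselinePath | Select-Object -ExpandProperty Thumbprint
            $result.RootInBaseline = ($knownThumbs -contains $rootCert.Thumbprint)
        }
    }
    [pscustomobject]$result
}

# Usage (placeholder paths):
#   Export-RootStoreBaseline -Path 'C:\baseline\roots.csv'          # on the golden image
#   Compare-RootStore -BaselinePath 'C:\baseline\roots.csv'          # on a host under review
#   Test-FileSigner -Path 'C:\downloads\sample.cab' -BaselinePath 'C:\baseline\roots.csv'
```

A file that reports `Status = Valid` but `RootInBaseline = False` is exactly the case the thread describes: Windows considers the signature good, yet the trust anchor is one that was added after the image was built, so it deserves a human look before the signer is allowed to run anything.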