Exchange iApp security issue

I just recently noticed this when troubleshooting Exchange. The iApp for Exchange 2010_2013 has an iRule for Outlook Anywhere and ActiveSync when using basic authentication that sets persistence mode to UIE with the "Authorization" header. Code snippet below -

if { [HTTP::header exists "APM_session"] } {
    persist uie [HTTP::header "APM_session"] 7200
} elseif { [string tolower [HTTP::header "Authorization"]] starts_with "basic" } {
    # Problem right here: the raw Basic header (base64 of user:password) becomes the persistence key
    persist uie [HTTP::header "Authorization"] 7200
} else {
    persist source_addr
}

The problem with this is that, when using basic auth, the "Authorization" header contains the username and password as a base64 encoded string. For example -

Basic dGVzdFxqZG9lOnBhc3N3b3JkMTIzCg==

If decoded you will get this -

[user@localhost ~]$ echo "dGVzdFxqZG9lOnBhc3N3b3JkMTIzCg==" | base64 -d
test\jdoe:password123

So the security issue comes in the form that the username and password are used as the persistence record. This record can be viewed by anyone with read access to the LTM via the statistics page, where they can grab the base64 encoded blob and get the credentials. For a large company like ours, every application owner has read access to the LTMs, which amounts to over 100 people.

I'm surprised the iApp developers did not catch this when making the template. I'm thinking this could be mitigated by using a hash of the "Authorization" header value instead of the raw header value itself.

if { [HTTP::header exists "APM_session"] } {
    persist uie [HTTP::header "APM_session"] 7200
} elseif { [string tolower [HTTP::header "Authorization"]] starts_with "basic" } {
    # SHA1 hash of the value instead of the raw header
    persist uie [sha1 [HTTP::header "Authorization"]] 7200
} else {
    persist source_addr
}

Hopefully we can see this fixed in the next version of the iApp. Any thoughts?

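An added Python model of the persistence-key choices discussed in the post (not code from the thread or from the F5 iApp): the raw header the template uses, the SHA-1 of the header the post proposes, and, as my own assumption going beyond the post, an HMAC keyed with a device secret so that someone reading the persistence table cannot confirm a guessed password by recomputing the hash. The sample header is the one from the post; the secret and function names are constructed for this example.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample: the Basic header shown in the post (decodes to test\jdoe:password123).
SAMPLE_HEADER = "Basic dGVzdFxqZG9lOnBhc3N3b3JkMTIzCg=="

# Hypothetical secret; on a real device it would live in a protected data group, not in source.
PERSIST_SECRET = b"constructed-secret-not-for-production"


def persist_key_raw(authorization: str) -> str:
    """What the iApp template does: the header value itself is the persistence record."""
    return authorization


def persist_key_sha1(authorization: str) -> str:
    """The workaround from the post: SHA-1 of the header value (hex-encoded here)."""
    return hashlib.sha1(authorization.encode()).hexdigest()


def persist_key_hmac(authorization: str, secret: bytes = PERSIST_SECRET) -> str:
    """Keyed alternative (my assumption, not in the post): an unkeyed hash of a
    low-entropy Basic header can still be matched against guesses offline by anyone
    who can read the table; with HMAC that needs the secret as well."""
    return hmac.new(secret, authorization.encode(), hashlib.sha256).hexdigest()


def credentials_from_record(record: str) -> Optional[Tuple[str, str]]:
    """What a reader of the persistence table learns from one record.
    Returns (username, password) if the record is a raw Basic header, else None."""
    scheme, _, token = record.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # Trailing newline comes from the echo used to build the sample; the split is on the first colon.
    user, sep, password = decoded.rstrip("\n").partition(":")
    return (user, password) if sep else None
```

Running `credentials_from_record` over each of the three keys shows that only the raw record gives up the credentials, while the SHA-1 key is still reproducible by anyone without a secret.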

Replies to this Discussion


Hi Eric, it is indeed included in v1.3 of the iApp, which we are in the process of publishing to downloads.f5.com right now.

The workaround you described is included on page 57 of the deployment guide: https://www.f5.com/pdf/deployment-guides/microsoft-exchange-2010-2013-iapp-dg.pdf

thanks

Mike


Cool, Thanks!
