Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1
Fixed In:
14.0.0
Opened: Oct 12, 2017 Severity: 3-Major
The hidden dos profile /Common/asm-hidden/dos-hidden might be created in a non-Common partition, causing error messages and not bypassing of known search engines. (This profile is created automatically when provisioning ASM.) When this happens: -- An error message appears in /var/log/ltm: - err mcpd[6558]: 01070726:3: DoS Profile Compiled Signatures /Common/asm-hidden/dos-hidden dos-hidden /Common/asm-hidden/ASM-search-engine-Google in partition Common cannot reference DOS application /Common/asm-hidden/dos-hidden dos-hidden in partition partition1 -- The /Common/asm-hidden/dos-hidden profile is saved in the config file of the partition (/config/partitions/<partition>/bigip.conf) instead of /config/bigip.conf.
The impact is that the system does not bypass known Search Engines when sending the JavaScript challenges. Also, on 12.1.x, this error message is written to /var/log/asm: -- err tsconfd[31293]: dcc|ERR|Oct 11 07:14:04.065|31293| [tsconfd::ASMCONFIG_CALL, update dos bot signature] Failed due to ASMConfig exception: 01070726:3: DoS Profile Compiled Signatures /Common/asm-hidden/dos-hidden dos-hidden /Common/asm-hidden/ASM-search-engine-Yandex in partition Common cannot reference DOS application /Common/asm-hidden/dos-hidden dos-hidden in partition partition_1.
This happens when provisioning ASM using the GUI, and the partition (on the top-right corner) is set to any partition other than the Common one. Note: The GUI page 'System :: Resource Provisioning' does not allow changing the partition (it is grayed out). The partition must be changed on a different page, such as Virtual Servers.
To prevent the problem from happening, make sure the Common partition is selected when provisioning ASM. (Change it on a different page to Common, and then come back to the provisioning page and provision ASM. This only works if ASM was not yet provisioned before.) If the problem has already occurred, run the following commands to solve the problem: tmsh delete security dos profile /Common/asm-hidden/dos-hidden tmsh save sys config tmsh load sys config tmsh save sys config
The system now creates the hidden dos profile /Common/asm-hidden/dos-hidden in the Common partition correctly, and correctly bypasses known Search Engines when sending JavaScript challenges.