ESB-2017.2418.2 - UPDATE [Appliance] F5 Products: Denial of service - Remote/unauthenticated 2019-02-27


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2017.2418.2
                K14741: OpenSSH vulnerability CVE-2010-5107
                             27 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-5107  

Reference:         ESB-2013.1669.2

Original Bulletin: 
   https://support.f5.com/csp/article/K14741

Revision History:  February  27 2019: Updated the status table
                   September 22 2017: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K14741: OpenSSH vulnerability CVE-2010-5107

Security Advisory

Original Publication Date: 11 Oct, 2013

Latest Publication Date: 27 Feb, 2019

Security Advisory Description

The default configuration of OpenSSH through 6.1 enforces a fixed time limit
between establishing a TCP connection and completing a login, which makes it
easier for remote attackers to cause a denial of service (connection-slot
exhaustion) by periodically making many new TCP connections. (CVE-2010-5107)

Impact

A remote, unauthenticated attacker who keeps enough TCP connections open in
the pre-authentication state can exhaust sshd's connection slots and prevent
administrators from logging in to the affected system over SSH.

Security Advisory Status

F5 Product Development has assigned ID 430799 (BIG-IP and Enterprise Manager)
and ID 431179 (ARX) to this vulnerability. Additionally, BIG-IP iHealth may
list Heuristic H483011 on the Diagnostics > Identified > High page.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

+-----------------+------------------+---------------------+------------------+
|                 |Versions known to |Versions known to be |Vulnerable        |
|Product          |be vulnerable     |not vulnerable       |component or      |
|                 |                  |                     |feature           |
+-----------------+------------------+---------------------+------------------+
|                 |11.6.0 - 11.6.0   |13.0.0               |                  |
|                 |HF4               |12.0.0 - 12.1.4      |                  |
|BIG-IP LTM       |11.5.0 - 11.5.3   |11.6.0 HF5 - 11.6.3  |SSH               |
|                 |11.0.0 - 11.4.1   |11.5.4 - 11.5.8      |                  |
|                 |HF8               |11.4.1 HF9           |                  |
|                 |10.0.0 - 10.2.4   |                     |                  |
+-----------------+------------------+---------------------+------------------+
|                 |11.6.0 - 11.6.0   |13.0.0               |                  |
|                 |HF4               |12.0.0 - 12.1.4      |                  |
|BIG-IP AAM       |11.5.0 - 11.5.3   |11.6.0 HF5 - 11.6.3  |SSH               |
|                 |11.4.0 - 11.4.0   |11.5.4 - 11.5.8      |                  |
|                 |HF8               |11.4.1 HF9           |                  |
+-----------------+------------------+---------------------+------------------+
|                 |11.6.0 - 11.6.0   |13.0.0               |                  |
|                 |HF4               |12.0.0 - 12.1.4      |                  |
|BIG-IP AFM       |11.5.0 - 11.5.3   |11.6.0 HF5 - 11.6.3  |SSH               |
|                 |11.3.0 - 11.4.1   |11.5.4 - 11.5.8      |                  |
|                 |HF8               |11.4.1 HF9           |                  |
+-----------------+------------------+---------------------+------------------+
|                 |11.6.0 - 11.6.0   |13.0.0               |                  |
|                 |HF4               |12.0.0 - 12.1.4      |                  |
|BIG-IP Analytics |11.5.0 - 11.5.3   |11.6.0 HF5 - 11.6.3  |SSH               |
|                 |11.0.0 - 11.4.1   |11.5.4 - 11.5.8      |                  |
|                 |HF8               |11.4.1 HF9           |                  |
+-----------------+------------------+---------------------+------------------+
|                 |11.6.0 - 11.6.0   |13.0.0               |                  |
|                 |HF4               |12.0.0 - 12.1.4      |                  |
|BIG-IP APM       |11.5.0 - 11.5.3   |11.6.0 HF5 - 11.6.3  |SSH               |
|                 |11.0.0 - 11.4.1   |11.5.4 - 11.5.8      |                  |
|                 |HF8               |11.4.1 HF9           |                  |
|                 |10.1.0 - 10.2.4   |                     |                  |
+-----------------+------------------+---------------------+------------------+
|                 |11.6.0 - 11.6.0   |13.0.0               |                  |
|                 |HF4               |12.0.0 - 12.1.4      |                  |
|BIG-IP ASM       |11.5.0 - 11.5.3   |11.6.0 HF5 - 11.6.3  |SSH               |
|                 |11.0.0 - 11.4.1   |11.5.4 - 11.5.8      |                  |
|                 |HF8               |11.4.1 HF9           |                  |
|                 |10.0.0 - 10.2.4   |                     |                  |
+-----------------+------------------+---------------------+------------------+
|BIG-IP DNS       |None              |13.0.0               |None              |
|                 |                  |12.0.0 - 12.1.4      |                  |
+-----------------+------------------+---------------------+------------------+
|BIG-IP Edge      |11.0.0 - 11.3.0   |None                 |SSH               |
|Gateway          |10.1.0 - 10.2.4   |                     |                  |
+-----------------+------------------+---------------------+------------------+
|                 |11.6.0 - 11.6.0   |                     |                  |
|                 |HF4               |11.6.0 HF5 - 11.6.3  |                  |
|BIG-IP GTM       |11.5.0 - 11.5.3   |11.5.4 - 11.5.8      |SSH               |
|                 |11.0.0 - 11.4.1   |11.4.1 HF9           |                  |
|                 |HF8               |                     |                  |
|                 |10.0.0 - 10.2.4   |                     |                  |
+-----------------+------------------+---------------------+------------------+
|                 |11.6.0 - 11.6.0   |13.0.0               |                  |
|                 |HF4               |12.0.0 - 12.1.4      |                  |
|BIG-IP Link      |11.5.0 - 11.5.3   |11.6.0 HF5 - 11.6.3  |SSH               |
|Controller       |11.0.0 - 11.4.1   |11.5.4 - 11.5.8      |                  |
|                 |HF8               |11.4.1 HF9           |                  |
|                 |10.0.0 - 10.2.4   |                     |                  |
+-----------------+------------------+---------------------+------------------+
|                 |11.6.0 - 11.6.0   |13.0.0               |                  |
|                 |HF4               |12.0.0 - 12.1.4      |                  |
|BIG-IP PEM       |11.5.0 - 11.5.3   |11.6.0 HF5 - 11.6.3  |SSH               |
|                 |11.3.0 - 11.4.1   |11.5.4 - 11.5.8      |                  |
|                 |HF8               |11.4.1 HF9           |                  |
+-----------------+------------------+---------------------+------------------+
|                 |11.0.0 - 11.4.1   |                     |                  |
|BIG-IP PSM       |HF8               |11.4.1 HF9           |SSH               |
|                 |10.0.0 - 10.2.4   |                     |                  |
+-----------------+------------------+---------------------+------------------+
|BIG-IP           |11.0.0 - 11.3.0   |None                 |SSH               |
|WebAccelerator   |10.0.0 - 10.2.4   |                     |                  |
+-----------------+------------------+---------------------+------------------+
|BIG-IP WOM       |11.0.0 - 11.3.0   |None                 |SSH               |
|                 |10.0.0 - 10.2.4   |                     |                  |
+-----------------+------------------+---------------------+------------------+
|ARX              |6.0.0 - 6.4.0     |None                 |SSH               |
|                 |5.0.0 - 5.3.1     |                     |                  |
+-----------------+------------------+---------------------+------------------+
|Enterprise       |3.0.0 - 3.1.1     |None                 |SSH               |
|Manager          |2.0.0 - 2.3.0     |                     |                  |
+-----------------+------------------+---------------------+------------------+
|FirePass         |None              |7.0.0                |None              |
|                 |                  |6.0.0 - 6.1.0        |                  |
+-----------------+------------------+---------------------+------------------+
|BIG-IQ           |4.6.0             |6.0.0 - 6.1.0        |SSH               |
|Centralized      |                  |5.0.0 - 5.4.0        |                  |
|Management       |                  |                     |                  |
+-----------------+------------------+---------------------+------------------+
|BIG-IQ Cloud     |4.0.0 - 4.5.0     |None                 |SSH               |
+-----------------+------------------+---------------------+------------------+
|BIG-IQ Device    |4.2.0 - 4.5.0     |None                 |SSH               |
+-----------------+------------------+---------------------+------------------+
|BIG-IQ Security  |4.0.0 - 4.5.0     |None                 |SSH               |
+-----------------+------------------+---------------------+------------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

F5 recommends that you allow SSH access to the administrative port only from a
secure network.

BIG-IP and BIG-IQ mitigation

By default, sshd allows 10 connections to be in the unauthenticated state at
once: the TCP connection has been established, but sshd is still waiting for
login credentials. Each such connection holds its slot until it authenticates
or until the login time limit expires (the fixed time limit the CVE
description refers to; LoginGraceTime in sshd_config). An attacker who keeps
all 10 slots filled with idle connections ties up the service and prevents
others from logging in using SSH. To mitigate this on the BIG-IP and BIG-IQ
systems, enable random early drop by way of the MaxStartups option of the
sshd configuration, specifying the three colon-separated values
start:rate:full. Once the number of unauthenticated connections reaches
start, sshd refuses each new connection with probability rate (a
percentage). That probability increases linearly as the count approaches
full, where it reaches 100%; from that point every new connection is refused
until the unauthenticated connections time out or complete authentication.

For example, with MaxStartups set to 10:30:60, sshd begins dropping 30% of
new connections once 10 are pending authentication, drops a growing share as
the count rises, and drops 100% of new connections once 60 are pending,
until the backlog subsides. Random early drop is probabilistic: it keeps
some slots reachable for legitimate users while an attacker's connection
rate is moderate, but it cannot stop a determined attacker from filling all
slots. It therefore complements, rather than replaces, restricting SSH access
to a trusted network.

To enable random early drop, perform the following procedure:

Impact of workaround: Increasing the number of allowed connections in an
unauthenticated state increases the amount of memory needed to maintain those
TCP connections. Use care when increasing these numbers beyond the values
quoted in the following procedure.

 1. Log in to the Traffic Management Shell (tmsh) by typing the following
    command:

    tmsh

 2. Configure the MaxStartups option using the following command syntax:

    modify /sys sshd include 'MaxStartups start:rate:full'

    For example, set MaxStartups to 10:30:60 by typing the following command:

    modify /sys sshd include 'MaxStartups 10:30:60'

 3. Save the change by typing the following command:

    save /sys config

 4. Restart sshd by typing the following command:

    restart /sys service sshd
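The following is an added example for this bulletin; it is not F5's code and
not the OpenSSH source. It models the random-early-drop decision described
above so that the 10:30:60 setting can be plotted at any number of pending
connections, and it adds a small check that reads the effective sshd
configuration (the `keyword value` lines that `sshd -T`, run as root, prints)
to flag a hard-cutoff MaxStartups and a long LoginGraceTime. The arithmetic
in drop_probability() mirrors sshd's should_drop_connection(); the parser,
the audit thresholds (60 s grace time) and the two sample configurations are
this example's own constructions.

```python
"""Model of sshd's MaxStartups random early drop, plus a config check.

Added example for the K14741 bulletin; not F5's code and not the OpenSSH
source. drop_probability() follows the integer arithmetic of OpenSSH sshd's
should_drop_connection(); everything else is this example's own.
"""
import random
import re


def parse_max_startups(spec):
    """Parse a MaxStartups value into (start, rate, full).

    sshd accepts either 'start:rate:full' or a bare count N (the OpenSSH
    <= 6.1 default is a bare 10). A bare N is modelled here as (N, 100, N):
    nothing is refused below N pending connections and everything is
    refused at N, which is the hard cutoff the advisory describes.
    """
    parts = spec.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n
    if len(parts) != 3:
        raise ValueError("MaxStartups must be N or start:rate:full")
    start, rate, full = (int(p) for p in parts)
    if start > full or not 1 <= rate <= 100:
        raise ValueError("illegal MaxStartups spec %r" % spec)
    return start, rate, full


def drop_probability(pending, spec):
    """Percentage of new connections refused while `pending`
    unauthenticated connections exist (integer math, as in sshd)."""
    start, rate, full = parse_max_startups(spec)
    if pending < start:
        return 0
    if pending >= full or rate == 100:
        return 100
    p = 100 - rate                                # headroom up to 100 %
    p = p * (pending - start) // (full - start)   # linear ramp
    return p + rate


def should_drop(pending, spec, rng=random):
    """One connection's fate: draw a number in [0, 100) and refuse the
    connection if it falls below the current drop percentage."""
    return rng.randrange(100) < drop_probability(pending, spec)


def drop_curve(spec, points):
    """Drop percentage at each pending-connection count in `points`."""
    return [(n, drop_probability(n, spec)) for n in points]


def audit_sshd_config(sshd_t_output):
    """Check effective sshd settings (`sshd -T` output) for the two knobs
    behind CVE-2010-5107: MaxStartups and LoginGraceTime.
    Returns (settings, findings); an empty findings list means no concern.
    The 60 s grace-time threshold is this example's own choice."""
    settings = {}
    for line in sshd_t_output.splitlines():
        m = re.match(r"^(maxstartups|logingracetime)\s+(\S+)$",
                     line.strip(), re.I)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    findings = []
    spec = settings.get("maxstartups", "10")      # sshd's old default
    start, rate, full = parse_max_startups(spec)
    if start == full or rate == 100:
        findings.append("MaxStartups %s: no random early drop; slot %d is "
                        "a hard cutoff" % (spec, full))
    grace = int(settings.get("logingracetime", "120"))
    if grace > 60:
        findings.append("LoginGraceTime %ds: an idle pre-auth connection "
                        "holds its slot that long" % grace)
    return settings, findings


# Constructed samples in the `keyword value` shape that `sshd -T` prints.
# The first mimics an old bare `MaxStartups 10`; the second uses the
# 10:30:60 value from the F5 procedure plus a shorter grace time.
SAMPLE_DEFAULT = "port 22\nlogingracetime 120\nmaxstartups 10:100:10\n"
SAMPLE_HARDENED = "port 22\nlogingracetime 30\nmaxstartups 10:30:60\n"


if __name__ == "__main__":
    for n, pct in drop_curve("10:30:60", (5, 10, 20, 35, 59, 60)):
        print("pending=%2d -> drop %3d%%" % (n, pct))
    for name, sample in (("default", SAMPLE_DEFAULT),
                         ("hardened", SAMPLE_HARDENED)):
        settings, findings = audit_sshd_config(sample)
        print(name, settings, findings or "ok")
```

Feed audit_sshd_config() the real output of `sshd -T` to check a host you
administer. On a BIG-IP system, check what `list /sys sshd` already shows
for the include property before running the modify command above, because
that command replaces the whole include value rather than appending to it.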

Supplemental Information

  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K167: Downloading software and firmware from F5
  o K13123: Managing BIG-IP product hotfixes (11.x - 13.x)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
