ESB-2017.2418 - [Appliance] F5 Products: Denial of service - Remote/unauthenticated 2017-09-22



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2418
                K14741: OpenSSH vulnerability CVE-2010-5107
                             22 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-5107  

Reference:         ESB-2013.1669.2

Original Bulletin: 
   https://support.f5.com/csp/article/K14741

- --------------------------BEGIN INCLUDED TEXT--------------------

K14741: OpenSSH vulnerability CVE-2010-5107

Security Advisory

Original Publication Date: Oct 11, 2013

Updated Date: Sep 21, 2017

Applies to (see versions):

Security Advisory Description

The default configuration of OpenSSH through 6.1 enforces a fixed time limit 
between establishing a TCP connection and completing a login, which makes it 
easier for remote attackers to cause a denial of service (connection-slot 
exhaustion) by periodically making many new TCP connections. (CVE-2010-5107)

Impact

This issue may limit access to SSH services on the affected BIG-IP system.

Security Advisory Status

F5 Product Development has assigned ID 430799 (BIG-IP and Enterprise Manager)
and ID 431179 (ARX) to this vulnerability. Additionally, BIG-IP iHealth may 
list Heuristic H483011 on the Diagnostics > Identified > High screen.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:


+--------------+-------------------+----------------------+-------------------+
|              |Versions known to  |Versions known to be  |Vulnerable         |
|Product       |be vulnerable      |not vulnerable        |component or       |
|              |                   |                      |feature            |
+--------------+-------------------+----------------------+-------------------+
|              |                   |13.0.0                |                   |
|              |                   |12.1.0 - 12.1.2       |                   |
|BIG-IP LTM    |11.0.0 - 11.6.0    |12.0.0                |SSH                |
|              |10.0.0 - 10.2.4    |11.6.0 HF5 - 11.6.1   |                   |
|              |                   |11.5.4                |                   |
|              |                   |11.4.1 HF9            |                   |
+--------------+-------------------+----------------------+-------------------+
|              |                   |13.0.0                |                   |
|              |                   |12.1.0 - 12.1.2       |                   |
|BIG-IP AAM    |11.4.0 - 11.6.0    |12.0.0                |SSH                |
|              |                   |11.6.0 HF5 - 11.6.1   |                   |
|              |                   |11.5.4                |                   |
|              |                   |11.4.1 HF9            |                   |
+--------------+-------------------+----------------------+-------------------+
|              |                   |13.0.0                |                   |
|              |                   |12.1.0 - 12.1.2       |                   |
|BIG-IP AFM    |11.3.0 - 11.6.0    |12.0.0                |SSH                |
|              |                   |11.6.0 HF5 - 11.6.1   |                   |
|              |                   |11.5.4                |                   |
|              |                   |11.4.1 HF9            |                   |
+--------------+-------------------+----------------------+-------------------+
|              |                   |13.0.0                |                   |
|              |                   |12.1.0 - 12.1.2       |                   |
|BIG-IP        |11.0.0 - 11.6.0    |12.0.0                |SSH                |
|Analytics     |                   |11.6.0 HF5 - 11.6.1   |                   |
|              |                   |11.5.4                |                   |
|              |                   |11.4.1 HF9            |                   |
+--------------+-------------------+----------------------+-------------------+
|              |                   |13.0.0                |                   |
|              |                   |12.1.0 - 12.1.2       |                   |
|BIG-IP APM    |11.0.0 - 11.6.0    |12.0.0                |SSH                |
|              |10.1.0 - 10.2.4    |11.6.0 HF5 - 11.6.1   |                   |
|              |                   |11.5.4                |                   |
|              |                   |11.4.1 HF9            |                   |
+--------------+-------------------+----------------------+-------------------+
|              |                   |13.0.0                |                   |
|              |                   |12.1.0 - 12.1.2       |                   |
|BIG-IP ASM    |11.0.0 - 11.6.0    |12.0.0                |SSH                |
|              |10.0.0 - 10.2.4    |11.6.0 HF5 - 11.6.1   |                   |
|              |                   |11.5.4                |                   |
|              |                   |11.4.1 HF9            |                   |
+--------------+-------------------+----------------------+-------------------+
|              |                   |13.0.0                |                   |
|BIG-IP DNS    |None               |12.1.0 - 12.1.2       |None               |
|              |                   |12.0.0                |                   |
+--------------+-------------------+----------------------+-------------------+
|BIG-IP Edge   |11.0.0 - 11.3.0    |None                  |SSH                |
|Gateway       |10.1.0 - 10.2.4    |                      |                   |
+--------------+-------------------+----------------------+-------------------+
|              |11.0.0 - 11.6.0    |11.6.0 HF5 - 11.6.1   |                   |
|BIG-IP GTM    |10.0.0 - 10.2.4    |11.5.4                |SSH                |
|              |                   |11.4.1 HF9            |                   |
+--------------+-------------------+----------------------+-------------------+
|              |                   |13.0.0                |                   |
|              |                   |12.1.0 - 12.1.2       |                   |
|BIG-IP Link   |11.0.0 - 11.6.0    |12.0.0                |SSH                |
|Controller    |10.0.0 - 10.2.4    |11.6.0 HF5 - 11.6.1   |                   |
|              |                   |11.5.4                |                   |
|              |                   |11.4.1 HF9            |                   |
+--------------+-------------------+----------------------+-------------------+
|              |                   |13.0.0                |                   |
|              |                   |12.1.0 - 12.1.2       |                   |
|BIG-IP PEM    |11.3.0 - 11.6.0    |12.0.0                |SSH                |
|              |                   |11.6.0 HF5 - 11.6.1   |                   |
|              |                   |11.5.4                |                   |
|              |                   |11.4.1 HF9            |                   |
+--------------+-------------------+----------------------+-------------------+
|BIG-IP PSM    |11.0.0 - 11.4.1    |11.4.1 HF9            |SSH                |
|              |10.0.0 - 10.2.4    |                      |                   |
+--------------+-------------------+----------------------+-------------------+
|BIG-IP        |11.0.0 - 11.3.0    |None                  |SSH                |
|WebAccelerator|10.0.0 - 10.2.4    |                      |                   |
+--------------+-------------------+----------------------+-------------------+
|BIG-IP WOM    |11.0.0 - 11.3.0    |None                  |SSH                |
|              |10.0.0 - 10.2.4    |                      |                   |
+--------------+-------------------+----------------------+-------------------+
|ARX           |6.0.0 - 6.4.0      |None                  |SSH                |
|              |5.0.0 - 5.3.1      |                      |                   |
+--------------+-------------------+----------------------+-------------------+
|Enterprise    |3.0.0 - 3.1.1      |None                  |SSH                |
|Manager       |2.0.0 - 2.3.0      |                      |                   |
+--------------+-------------------+----------------------+-------------------+
|FirePass      |None               |7.0.0                 |None               |
|              |                   |6.0.0 - 6.1.0         |                   |
+--------------+-------------------+----------------------+-------------------+
|BIG-IQ Cloud  |4.0.0 - 4.5.0      |None                  |SSH                |
+--------------+-------------------+----------------------+-------------------+
|BIG-IQ Device |4.2.0 - 4.5.0      |None                  |SSH                |
+--------------+-------------------+----------------------+-------------------+
|BIG-IQ        |4.0.0 - 4.5.0      |None                  |SSH                |
|Security      |                   |                      |                   |
+--------------+-------------------+----------------------+-------------------+


Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable 
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a 
non-vulnerable version, then no upgrade candidate currently exists.

F5 is responding to this vulnerability as determined by the parameters defined
in K4602: Overview of the F5 security vulnerability response policy.

F5 recommends that you allow secure shell (SSH) access to the administrative 
port only from a secure network.

BIG-IP / BIG-IQ mitigation

The default sshd configuration allows for 10 connections to be in an 
unauthenticated state. In this state, a TCP connection has been established, 
but sshd is still waiting for login credentials. This type of 
denial-of-service (DoS) attack ties up those connection slots and prevents 
others from logging in using SSH. To mitigate this vulnerability on the BIG-IP
system and the BIG-IQ system, you can enable random early drop by way of the 
MaxStartups option of the sshd configuration on the system. You enable random
early drop by specifying three colon-separated values, start:rate:full. 
After the number of unauthenticated connections reaches the value specified 
by start, sshd begins to refuse new connections at the percentage specified 
by rate. The proportion of refused connections then increases linearly as 
the limit specified by full is approached, until 100% is reached. At that 
point, all new attempts to connect are refused until the unauthenticated SSH 
session TCP connections time out.

For example, if MaxStartups were configured with the value 10:30:60, then 
after 10 connections pending authentication, sshd would begin to drop 30% of 
the new connections. If unauthenticated connections increase to 60, then 100%
of the new connections are dropped until the backlog subsides.
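The random early drop ramp described above, worked through as an added example (not code from the F5 article or from OpenSSH). The integer arithmetic follows the drop_connection() logic in OpenSSH's sshd, so the percentages it produces for the 10:30:60 setting are the ones an operator should expect; the function and variable names are the example's own.

```python
import random

def parse_max_startups(value):
    """Parse an sshd MaxStartups value with the checks sshd's config parser
    applies: a single number, or start:rate:full where start <= full and
    1 <= rate <= 100.  A single number means start == full (no ramp)."""
    parts = value.split(":")
    if len(parts) == 1:
        start = full = int(parts[0])
        rate = 100  # irrelevant when start == full: refusal is all-or-nothing
    elif len(parts) == 3:
        start, rate, full = (int(p) for p in parts)
        if start > full or not 1 <= rate <= 100:
            raise ValueError("invalid MaxStartups value: %r" % value)
    else:
        raise ValueError("invalid MaxStartups value: %r" % value)
    return start, rate, full

def drop_probability(startups, start, rate, full):
    """Percent chance (0-100) that sshd refuses a new connection while
    `startups` connections are already waiting for authentication: none
    below `start`, `rate` percent at `start`, rising linearly (integer
    arithmetic, as in sshd) to 100 percent at `full`."""
    if startups < start:
        return 0
    if startups >= full or rate == 100:
        return 100
    p = 100 - rate
    p *= startups - start
    p //= full - start
    return p + rate

def should_drop(startups, cfg, rng=random):
    """Per-connection decision: draw r in [0, 100) and refuse the new
    connection when r falls below the computed percentage."""
    p = drop_probability(startups, *cfg)
    return rng.randrange(100) < p

def ramp_table(value, counts):
    """Tabulate the refusal percentage at several pending-connection
    counts, e.g. to compare candidate MaxStartups settings side by side."""
    cfg = parse_max_startups(value)
    return {n: drop_probability(n, *cfg) for n in counts}

if __name__ == "__main__":
    # Walk through the advisory's example setting, 10:30:60 (constructed input)
    for n, p in ramp_table("10:30:60", (5, 10, 35, 59, 60, 80)).items():
        print("%3d pending -> refuse %3d%% of new connections" % (n, p))
```

Note that the memory caveat in the procedure below applies to `full`: every pending slot up to that value is a live TCP connection sshd must keep state for.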

To enable random early drop, perform the following procedure:

Impact of workaround: Increasing the number of allowed connections in an 
unauthenticated state will increase the amount of memory needed to maintain 
those TCP connections. Use care when increasing these numbers beyond the 
values quoted in the following procedure.

Log in to the Traffic Management Shell (tmsh) by typing the following command:

tmsh

Configure the MaxStartups option using the following command syntax:

modify /sys sshd include 'MaxStartups start:rate:full'

For example, set MaxStartups to 10:30:60 by typing the following command:

modify /sys sshd include 'MaxStartups 10:30:60'

Save the change by typing the following command:

save /sys config

Restart sshd by typing the following command:

restart /sys service sshd

Supplemental Information

K9970: Subscribing to email notifications regarding F5 products

K9957: Creating a custom RSS feed to view new and updated documents

K4918: Overview of the F5 critical issue hotfix policy

K167: Downloading software and firmware from F5

K13123: Managing BIG-IP product hotfixes (11.x - 13.x)

K10025: Managing BIG-IP product hotfixes (10.x)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
