ESB-2017.2707.4 - UPDATE [Appliance] F5 products: Denial of service - Remote/unauthenticated 2019-03-13


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2017.2707.4
        K57211290: IPv6 fragmentation vulnerability CVE-2016-10142
                               13 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-10142  

Reference:         ESB-2017.0960
                   ESB-2017.0757

Original Bulletin: 
   https://support.f5.com/csp/article/K57211290

Revision History:  March    13 2019: Updated product table
                   March     1 2019: Updated security advisory status table
                   February 27 2019: Updated security advisory status table
                   October  26 2017: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

K57211290: IPv6 fragmentation vulnerability CVE-2016-10142

Security Advisory

Original Publication Date: 13 Jul, 2017

Latest Publication Date: 13 Mar, 2019

Security Advisory Description

An issue was discovered in the IPv6 protocol specification, related to ICMP
Packet Too Big (PTB) messages. (The scope of this CVE is all affected IPv6
implementations from all vendors.) The security implications of IP
fragmentation have been discussed at length in [RFC6274] and [RFC7739]. An
attacker can leverage the generation of IPv6 atomic fragments to trigger the
use of fragmentation in an arbitrary IPv6 flow (in scenarios in which actual
fragmentation of packets is not needed) and can subsequently perform any type
of fragmentation-based attack against legacy IPv6 nodes that do not implement
[RFC6946]. That is, employing fragmentation where not actually needed allows
for fragmentation-based attack vectors to be employed, unnecessarily. We note
that, unfortunately, even nodes that already implement [RFC6946] can be subject
to DoS attacks as a result of the generation of IPv6 atomic fragments.

Let us assume that Host A is communicating with Host B and that, as a result of
the widespread dropping of IPv6 packets that contain extension headers
(including fragmentation) [RFC7872], some intermediate node filters fragments
between Host B and Host A. If an attacker sends a forged ICMPv6 PTB error
message to Host B, reporting an MTU smaller than 1280, this will trigger the
generation of IPv6 atomic fragments from that moment on (as required by
[RFC2460]). When Host B starts sending IPv6 atomic fragments (in response to
the received ICMPv6 PTB error message), these packets will be dropped, since we
previously noted that IPv6 packets with extension headers were being dropped
between Host B and Host A. Thus, this situation will result in a DoS scenario.

Another possible scenario is that in which two BGP peers are employing IPv6
transport and they implement Access Control Lists (ACLs) to drop IPv6 fragments
(to avoid control-plane attacks). If the aforementioned BGP peers drop IPv6
fragments but still honor received ICMPv6 PTB error messages, an attacker could
easily attack the corresponding peering session by simply sending an ICMPv6 PTB
message with a reported MTU smaller than 1280 bytes. Once the attack packet has
been sent, the aforementioned routers will themselves be the ones dropping
their own traffic. (CVE-2016-10142)
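The PTB trigger described above, as an added example that is not part of the F5 advisory or the AusCERT bulletin: a Python parser that checksum-validates an ICMPv6 Packet Too Big message and flags any that reports a next-hop MTU below 1280, because an RFC 2460 node honouring such a message starts inserting Fragment headers (atomic fragments) into the affected flow. The 2001:db8:: addresses and the `sample_ptb` fixture are constructed for this example only.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280        # minimum IPv6 link MTU (RFC 2460 section 5)
ICMPV6_PACKET_TOO_BIG = 2  # ICMPv6 type 2, code 0 (RFC 4443 section 3.2)
IPPROTO_ICMPV6 = 58


def icmpv6_checksum(src, dst, icmp):
    """Internet checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(icmp))
              + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ptb(src, dst, icmp):
    """Parse an ICMPv6 message sent from `src` to `dst`.

    Returns None when the message is not a Packet Too Big, raises ValueError
    when it is truncated or fails its checksum, and otherwise returns the
    reported MTU, the flow named in the embedded invoking packet, and whether
    honouring the message would make `dst` emit atomic fragments.
    """
    if len(icmp) < 8 + 40:
        raise ValueError("PTB too short to carry the invoking IPv6 header")
    typ, code, csum, mtu = struct.unpack("!BBHI", icmp[:8])
    if typ != ICMPV6_PACKET_TOO_BIG:
        return None
    if icmpv6_checksum(src, dst, icmp[:2] + b"\x00\x00" + icmp[4:]) != csum:
        raise ValueError("bad ICMPv6 checksum")
    invoking = icmp[8:]  # as much of the offending packet as fitted, header first
    return {
        "code": code,
        "mtu": mtu,
        "flow_src": str(ipaddress.IPv6Address(invoking[8:24])),
        "flow_dst": str(ipaddress.IPv6Address(invoking[24:40])),
        # RFC 2460 section 5: a node told the MTU is below 1280 keeps sending
        # 1280-byte packets but must add a Fragment header to each of them.
        "triggers_atomic_fragments": mtu < IPV6_MIN_MTU,
    }


def triage(messages):
    """Run parse_ptb over captured (src, dst, icmp) tuples and collect findings:
    malformed PTBs and PTBs whose MTU would force atomic fragments."""
    findings = []
    for src, dst, icmp in messages:
        try:
            ptb = parse_ptb(src, dst, icmp)
        except ValueError as exc:
            findings.append({"from": src, "to": dst, "error": str(exc)})
            continue
        if ptb and ptb["triggers_atomic_fragments"]:
            findings.append({"from": src, "to": dst, "mtu": ptb["mtu"],
                             "flow": (ptb["flow_src"], ptb["flow_dst"])})
    return findings


def sample_ptb(mtu, router="2001:db8::1", host_b="2001:db8::b",
               host_a="2001:db8::a"):
    """Constructed test fixture (not a real capture): a PTB from `router` to
    Host B about a TCP packet Host B had sent to Host A."""
    invoking = (struct.pack("!IHBB", 0x60000000, 1240, 6, 64)
                + ipaddress.IPv6Address(host_b).packed
                + ipaddress.IPv6Address(host_a).packed)
    body = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + invoking
    csum = struct.pack("!H", icmpv6_checksum(router, host_b, body))
    return body[:2] + csum + body[4:]


if __name__ == "__main__":
    capture = [("2001:db8::1", "2001:db8::b", sample_ptb(1500)),   # ordinary PMTUD
               ("2001:db8::1", "2001:db8::b", sample_ptb(1000))]   # below 1280
    for finding in triage(capture):
        print(finding)
```

A node with the RFC 8021 behaviour (as in the fixed releases) ignores the fragment-header requirement for such messages, so on patched hosts the finding is an indicator of forgery attempts rather than of an outage.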

Impact

A remote attacker may be able to cause a denial of service (DoS) by sending
crafted IPv6 packets.

Security Advisory Status

F5 Product Development has assigned IDs 652516 (BIG-IP - control plane) and
671813 (BIG-IP - data plane), ID 669855 (BIG-IQ), ID 673039 (F5 iWorkflow), and
ID 669854 (Enterprise Manager) to this vulnerability. Additionally, BIG-IP
iHealth may list Heuristic H57211290-1 and H57211290-2 on the Diagnostics >
Identified > High page.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table.

+--------------+------------+--------------+----------+-----------------------+
|              |Versions    |Versions known|          |Vulnerable component or|
|Product       |known to be |to be not     |Severity  |feature                |
|              |vulnerable  |vulnerable    |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |12.0.0 -    |13.0.0 -      |          |                       |
|              |12.1.2      |13.1.1        |          |                       |
|              |11.6.0 -    |12.1.3 -      |          |Linux kernel - Control |
|              |11.6.1      |12.1.4        |High      |Plane (Management IPv6 |
|              |11.4.1 -    |11.6.2 -      |          |addresses)             |
|              |11.5.4      |11.6.3        |          |                       |
|              |11.2.1      |11.5.5 -      |          |                       |
|BIG-IP LTM    |            |11.5.8        |          |                       |
|              +------------+--------------+----------+-----------------------+
|              |            |13.0.0 -      |          |                       |
|              |            |13.1.1        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.8      |12.1.4        |High      |Plane (TMM IPv6        |
|              |11.2.1      |11.6.0 -      |          |addresses)             |
|              |            |11.6.3        |          |                       |
|              |            |11.5.9        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |            |13.0.0 -      |          |                       |
|              |12.0.0 -    |13.1.1        |          |                       |
|              |12.1.2      |12.1.3 -      |          |Linux kernel - Control |
|              |11.6.0 -    |12.1.4        |High      |Plane (Management IPv6 |
|              |11.6.1      |11.6.2 -      |          |addresses)             |
|              |11.4.1 -    |11.6.3        |          |                       |
|              |11.5.4      |11.5.5 -      |          |                       |
|BIG-IP AAM    |            |11.5.8        |          |                       |
|              +------------+--------------+----------+-----------------------+
|              |            |13.0.0 -      |          |                       |
|              |            |13.1.1        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.8      |12.1.4        |High      |Plane (TMM IPv6        |
|              |            |11.6.0 -      |          |addresses)             |
|              |            |11.6.3        |          |                       |
|              |            |11.5.9        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |            |13.0.0 -      |          |                       |
|              |12.0.0 -    |13.1.1        |          |                       |
|              |12.1.2      |12.1.3 -      |          |Linux kernel - Control |
|              |11.6.0 -    |12.1.4        |High      |Plane (Management IPv6 |
|              |11.6.1      |11.6.2 -      |          |addresses)             |
|              |11.4.1 -    |11.6.3        |          |                       |
|              |11.5.4      |11.5.5 -      |          |                       |
|BIG-IP AFM    |            |11.5.8        |          |                       |
|              +------------+--------------+----------+-----------------------+
|              |            |13.0.0 -      |          |                       |
|              |            |13.1.0        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.8      |12.1.3        |High      |Plane (TMM IPv6        |
|              |            |11.6.0 -      |          |addresses)             |
|              |            |11.6.3        |          |                       |
|              |            |11.5.9        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |12.0.0 -    |13.0.0 -      |          |                       |
|              |12.1.2      |13.1.1        |          |                       |
|              |11.6.0 -    |12.1.3 -      |          |Linux kernel - Control |
|              |11.6.1      |12.1.4        |High      |Plane (Management IPv6 |
|              |11.4.1 -    |11.6.2 -      |          |addresses)             |
|              |11.5.4      |11.6.3        |          |                       |
|              |11.2.1      |11.5.5 -      |          |                       |
|BIG-IP        |            |11.5.8        |          |                       |
|Analytics     +------------+--------------+----------+-----------------------+
|              |            |13.0.0 -      |          |                       |
|              |            |13.1.0        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.8      |12.1.3        |High      |Plane (TMM IPv6        |
|              |11.2.1      |11.6.0 -      |          |addresses)             |
|              |            |11.6.3        |          |                       |
|              |            |11.5.9        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |12.0.0 -    |13.0.0 -      |          |                       |
|              |12.1.2      |13.1.1        |          |                       |
|              |11.6.0 -    |12.1.3 -      |          |Linux kernel - Control |
|              |11.6.1      |12.1.4        |High      |Plane (Management IPv6 |
|              |11.4.1 -    |11.6.2 -      |          |addresses)             |
|              |11.5.4      |11.6.3        |          |                       |
|              |11.2.1      |11.5.5 -      |          |                       |
|BIG-IP APM    |            |11.5.8        |          |                       |
|              +------------+--------------+----------+-----------------------+
|              |            |13.0.0 -      |          |                       |
|              |            |13.1.0        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.8      |12.1.3        |High      |Plane (TMM IPv6        |
|              |11.2.1      |11.6.0 -      |          |addresses)             |
|              |            |11.6.3        |          |                       |
|              |            |11.5.9        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |12.0.0 -    |13.0.0 -      |          |                       |
|              |12.1.2      |13.1.1        |          |                       |
|              |11.6.0 -    |12.1.3 -      |          |Linux kernel - Control |
|BIG-IP ASM    |11.6.1      |12.1.4        |High      |Plane (Management IPv6 |
|              |11.4.1 -    |11.6.2 -      |          |addresses)             |
|              |11.5.4      |11.6.3        |          |                       |
|              |11.2.1      |11.5.5 -      |          |                       |
|              |            |11.5.8        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |            |13.0.0 -      |          |                       |
|              |            |13.1.0        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.8      |12.1.3        |High      |Plane (TMM IPv6        |
|              |11.2.1      |11.6.0 -      |          |addresses)             |
|              |            |11.6.3        |          |                       |
|              |            |11.5.9        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |            |13.0.0 -      |          |Linux kernel - Control |
|              |12.0.0 -    |13.1.1        |High      |Plane (Management IPv6 |
|              |12.1.2      |12.1.3 -      |          |addresses)             |
|              |            |12.1.4        |          |                       |
|BIG-IP DNS    +------------+--------------+----------+-----------------------+
|              |            |13.0.0 -      |          |                       |
|              |None        |13.1.1        |Not       |None                   |
|              |            |12.0.0 -      |vulnerable|                       |
|              |            |12.1.4        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |            |              |          |Linux kernel - Control |
|              |11.2.1      |None          |High      |Plane (Management IPv6 |
|BIG-IP Edge   |            |              |          |addresses)             |
|Gateway       +------------+--------------+----------+-----------------------+
|              |            |              |          |Linux kernel - Data    |
|              |11.2.1      |None          |High      |Plane (TMM IPv6        |
|              |            |              |          |addresses)             |
+--------------+------------+--------------+----------+-----------------------+
|              |11.6.0 -    |11.6.2 -      |          |                       |
|              |11.6.1      |11.6.3        |          |Linux kernel - Control |
|              |11.4.1 -    |11.5.5 -      |High      |Plane (Management IPv6 |
|              |11.5.4      |11.5.8        |          |addresses)             |
|BIG-IP GTM    |11.2.1      |              |          |                       |
|              +------------+--------------+----------+-----------------------+
|              |11.4.1 -    |11.6.0 -      |          |Linux kernel - Data    |
|              |11.5.8      |11.6.3        |High      |Plane (TMM IPv6        |
|              |11.2.1      |11.5.9        |          |addresses)             |
+--------------+------------+--------------+----------+-----------------------+
|              |12.0.0 -    |13.0.0 -      |          |                       |
|              |12.1.2      |13.1.1        |          |                       |
|              |11.6.0 -    |12.1.3 -      |          |Linux kernel - Control |
|              |11.6.1      |12.1.4        |High      |Plane (Management IPv6 |
|              |11.4.1 -    |11.6.2 -      |          |addresses)             |
|              |11.5.4      |11.6.3        |          |                       |
|              |11.2.1      |11.5.5 -      |          |                       |
|BIG-IP Link   |            |11.5.8        |          |                       |
|Controller    +------------+--------------+----------+-----------------------+
|              |            |13.0.0 -      |          |                       |
|              |            |13.1.1        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.8      |12.1.4        |High      |Plane (TMM IPv6        |
|              |11.2.1      |11.6.0 -      |          |addresses)             |
|              |            |11.6.3        |          |                       |
|              |            |11.5.9        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |            |13.0.0 -      |          |                       |
|              |12.0.0 -    |13.1.1        |          |                       |
|              |12.1.2      |12.1.3 -      |          |Linux kernel - Control |
|              |11.6.0 -    |12.1.4        |High      |Plane (Management IPv6 |
|              |11.6.1      |11.6.2 -      |          |addresses)             |
|              |11.4.0 -    |11.6.3        |          |                       |
|              |11.5.4      |11.5.5 -      |          |                       |
|BIG-IP PEM    |            |11.5.8        |          |                       |
|              +------------+--------------+----------+-----------------------+
|              |            |13.0.0 -      |          |                       |
|              |            |13.1.1        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.8      |12.1.4        |High      |Plane (TMM IPv6        |
|              |            |11.6.0 -      |          |addresses)             |
|              |            |11.6.3        |          |                       |
|              |            |11.5.9        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |            |              |          |Linux kernel - Control |
|              |11.4.1      |None          |High      |Plane (Management IPv6 |
|              |            |              |          |addresses)             |
|BIG-IP PSM    +------------+--------------+----------+-----------------------+
|              |            |              |          |Linux kernel - Data    |
|              |11.4.1      |None          |High      |Plane (TMM IPv6        |
|              |            |              |          |addresses)             |
+--------------+------------+--------------+----------+-----------------------+
|              |            |              |          |Linux kernel - Control |
|              |11.2.1      |None          |High      |Plane (Management IPv6 |
|BIG-IP        |            |              |          |addresses)             |
|WebAccelerator+------------+--------------+----------+-----------------------+
|              |            |              |          |Linux kernel - Data    |
|              |11.2.1      |None          |High      |Plane (TMM IPv6        |
|              |            |              |          |addresses)             |
+--------------+------------+--------------+----------+-----------------------+
|              |            |13.0.0 -      |          |                       |
|              |12.0.0 -    |13.1.1        |          |Linux kernel - Control |
|              |12.1.2      |12.1.3 -      |High      |Plane (Management IPv6 |
|              |11.6.0 -    |12.1.4        |          |addresses)             |
|              |11.6.1      |11.6.2 -      |          |                       |
|              |            |11.6.3        |          |                       |
|BIG-IP WebSafe+------------+--------------+----------+-----------------------+
|              |            |13.0.0 -      |          |                       |
|              |            |13.1.1        |          |                       |
|              |None        |12.0.0 -      |Not       |None                   |
|              |            |12.1.4        |vulnerable|                       |
|              |            |11.6.0 -      |          |                       |
|              |            |11.6.3        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|ARX           |None        |6.4.0         |Not       |None                   |
|              |            |              |vulnerable|                       |
+--------------+------------+--------------+----------+-----------------------+
|Enterprise    |            |              |          |Linux kernel -         |
|Manager       |3.1.1       |None          |High      |Management IPv6        |
|              |            |              |          |addresses              |
+--------------+------------+--------------+----------+-----------------------+
|              |4.4.0 -     |              |          |Linux kernel -         |
|BIG-IQ Cloud  |4.5.0       |None          |High      |Management IPv6        |
|              |            |              |          |addresses              |
+--------------+------------+--------------+----------+-----------------------+
|              |4.4.0 -     |              |          |Linux kernel -         |
|BIG-IQ Device |4.5.0       |None          |High      |Management IPv6        |
|              |            |              |          |addresses              |
+--------------+------------+--------------+----------+-----------------------+
|BIG-IQ        |4.4.0 -     |              |          |Linux kernel -         |
|Security      |4.5.0       |None          |High      |Management IPv6        |
|              |            |              |          |addresses              |
+--------------+------------+--------------+----------+-----------------------+
|              |            |              |          |Linux kernel -         |
|BIG-IQ ADC    |4.5.0       |None          |High      |Management IPv6        |
|              |            |              |          |addresses              |
+--------------+------------+--------------+----------+-----------------------+
|              |6.0.0 -     |              |          |                       |
|BIG-IQ        |6.1.0       |              |          |Linux kernel -         |
|Centralized   |5.0.0 -     |None          |High      |Management IPv6        |
|Management    |5.4.0       |              |          |addresses              |
|              |4.6.0       |              |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|BIG-IQ Cloud  |            |              |          |Linux kernel -         |
|and           |1.0.0       |None          |High      |Management IPv6        |
|Orchestration |            |              |          |addresses              |
+--------------+------------+--------------+----------+-----------------------+
|              |2.0.0 -     |              |          |Linux kernel -         |
|F5 iWorkflow  |2.3.0       |None          |High      |Management IPv6        |
|              |            |              |          |addresses              |
+--------------+------------+--------------+----------+-----------------------+
|LineRate      |None        |2.5.0 - 2.6.2 |Not       |None                   |
|              |            |              |vulnerable|                       |
+--------------+------------+--------------+----------+-----------------------+
|Traffix SDC   |5.0.0       |5.1.0         |Medium    |Linux kernel           |
|              |4.4.0       |              |          |                       |
+--------------+------------+--------------+----------+-----------------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.
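The lookup described in the paragraph above, as an added example that is not part of the bulletin: a small Python checker that holds the version ranges copied from the BIG-IP LTM and BIG-IP Edge Gateway rows of the table, reports for each plane whether a running version sits in the "known to be vulnerable" column, and picks the lowest not-vulnerable version that is not older than the running one, reporting no candidate where (as for Edge Gateway) the table lists none. The running versions passed to `assess` are arbitrary inputs chosen for the example.

```python
def parse_version(text):
    """'12.1.2' -> (12, 1, 2), so versions compare numerically, not as strings."""
    return tuple(int(x) for x in text.strip().split("."))


def parse_ranges(column):
    """Turn a table cell such as '12.0.0 - 12.1.2, 11.2.1' into [(low, high), ...].
    'None' (the advisory's wording for an empty column) yields an empty list."""
    ranges = []
    for item in column.split(","):
        item = item.strip()
        if not item or item == "None":
            continue
        low, _, high = item.partition("-")
        low = parse_version(low)
        ranges.append((low, parse_version(high) if high.strip() else low))
    return ranges


# Rows copied from the advisory table: (vulnerable column, not-vulnerable column).
BIGIP_LTM = {
    "Control Plane": ("12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.4.1 - 11.5.4, 11.2.1",
                      "13.0.0 - 13.1.1, 12.1.3 - 12.1.4, 11.6.2 - 11.6.3, 11.5.5 - 11.5.8"),
    "Data Plane":    ("11.4.1 - 11.5.8, 11.2.1",
                      "13.0.0 - 13.1.1, 12.0.0 - 12.1.4, 11.6.0 - 11.6.3, 11.5.9"),
}
BIGIP_EDGE_GATEWAY = {
    "Control Plane": ("11.2.1", "None"),
    "Data Plane":    ("11.2.1", "None"),
}


def assess(running, product):
    """Apply the Recommended Actions rule, per plane, to one running version."""
    ver = parse_version(running)
    report = {}
    for plane, (vuln_col, fixed_col) in product.items():
        fixed = parse_ranges(fixed_col)
        if any(lo <= ver <= hi for lo, hi in parse_ranges(vuln_col)):
            status = "vulnerable"
        elif any(lo <= ver <= hi for lo, hi in fixed):
            status = "not vulnerable"
        else:
            status = "not listed"   # neither column covers it; check the vendor page
        # An upgrade candidate is the lowest fixed version that is not older than
        # what is running; with none (e.g. a 'None' column, or only older fixed
        # versions) the advisory says no upgrade candidate currently exists.
        candidates = sorted(lo for lo, _ in fixed if lo >= ver)
        target = None
        if status == "vulnerable" and candidates:
            target = ".".join(str(n) for n in candidates[0])
        report[plane] = {"status": status, "upgrade_to": target}
    return report


if __name__ == "__main__":
    for product_name, product in (("BIG-IP LTM", BIGIP_LTM),
                                  ("BIG-IP Edge Gateway", BIGIP_EDGE_GATEWAY)):
        for running in ("12.1.2", "11.2.1"):
            print(product_name, running, assess(running, product))
```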

To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow
systems.

Mitigation

None

Supplemental Information

  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K167: Downloading software and firmware from F5

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
