ESB-2017.2707 - [Appliance] F5 products: Denial of service - Remote/unauthenticated 2017-10-26


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2707
        K57211290: IPv6 fragmentation vulnerability CVE-2016-10142
                              26 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-10142  

Reference:         ESB-2017.0960
                   ESB-2017.0757

Original Bulletin: 
   https://support.f5.com/csp/article/K57211290

- --------------------------BEGIN INCLUDED TEXT--------------------

K57211290: IPv6 fragmentation vulnerability CVE-2016-10142

Security Advisory

Original Publication Date: Jul 13, 2017

Updated Date: Oct 25, 2017

Security Advisory Description

An issue was discovered in the IPv6 protocol specification, related to ICMP
Packet Too Big (PTB) messages. (The scope of this CVE is all affected IPv6
implementations from all vendors.) The security implications of IP
fragmentation have been discussed at length in [RFC6274] and [RFC7739]. An
attacker can leverage the generation of IPv6 atomic fragments to trigger the
use of fragmentation in an arbitrary IPv6 flow (in scenarios in which actual
fragmentation of packets is not needed) and can subsequently perform any type
of fragmentation-based attack against legacy IPv6 nodes that do not implement
[RFC6946]. That is, employing fragmentation where it is not actually needed
unnecessarily exposes the flow to fragmentation-based attack vectors. We note
that, unfortunately, even nodes that already implement [RFC6946] can be subject
to DoS attacks as a result of the generation of IPv6 atomic fragments.

Let us assume that Host A is communicating with Host B and that, as a result of
the widespread dropping of IPv6 packets that contain extension headers
(including fragmentation) [RFC7872], some intermediate node filters fragments
between Host B and Host A. If an attacker sends a forged ICMPv6 PTB error
message to Host B, reporting an MTU smaller than 1280, this will trigger the
generation of IPv6 atomic fragments from that moment on (as required by
[RFC2460]). When Host B starts sending IPv6 atomic fragments (in response to
the received ICMPv6 PTB error message), these packets will be dropped, since,
as noted above, IPv6 packets with extension headers are being dropped between
Host B and Host A. Thus, this situation results in a DoS.

Another possible scenario is that in which two BGP peers employ IPv6 transport
and implement Access Control Lists (ACLs) to drop IPv6 fragments (to avoid
control-plane attacks). If these BGP peers drop IPv6 fragments but still honor
received ICMPv6 PTB error messages, an attacker could easily attack the
corresponding peering session by simply sending an ICMPv6 PTB message with a
reported MTU smaller than 1280 bytes. Once the attack packet has been sent, the
routers themselves will be the ones dropping their own traffic. (CVE-2016-10142)
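The two packet types behind the scenarios above, seen from the receiving
node's side, as an added example that is not part of the F5 advisory or the
AusCERT bulletin: a small Python parser for the fixed IPv6 header, the ICMPv6
Packet Too Big message and the Fragment extension header, with a classifier
that says how a receiver should treat each one. A PTB reporting less than the
1280-byte IPv6 minimum link MTU cannot describe a real link and is the trigger
for atomic fragment generation, so it is flagged for ignoring; a Fragment
header with offset 0 and M == 0 is an atomic fragment, which [RFC6946] says to
process as an unfragmented packet rather than queue for reassembly. The sample
packets are constructed for this example (documentation prefix 2001:db8::/32,
ICMPv6 checksum left at zero and not validated); the function and class names
are this example's own.

```python
import struct
from dataclasses import dataclass

IPV6_MIN_MTU = 1280            # RFC 2460: minimum IPv6 link MTU
ICMPV6_PACKET_TOO_BIG = 2
NEXT_HEADER_FRAGMENT = 44
NEXT_HEADER_ICMPV6 = 58
NEXT_HEADER_UDP = 17


@dataclass
class FragmentInfo:
    next_header: int
    offset: int                # fragment offset in 8-octet units
    more_fragments: bool
    identification: int

    @property
    def is_atomic(self) -> bool:
        # RFC 6946: offset 0 and M == 0 means this "fragment" is the whole datagram.
        return self.offset == 0 and not self.more_fragments


def parse_ipv6_header(pkt: bytes) -> tuple:
    """Return (payload_length, next_header) from the fixed 40-byte IPv6 header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    payload_length, next_header, _hop_limit = struct.unpack("!HBB", pkt[4:8])
    return payload_length, next_header


def parse_fragment_header(ext: bytes) -> FragmentInfo:
    """Parse the 8-byte Fragment extension header (RFC 2460 section 4.5)."""
    if len(ext) < 8:
        raise ValueError("truncated Fragment header")
    next_header, _reserved, frag_field, ident = struct.unpack("!BBHI", ext[:8])
    return FragmentInfo(next_header, frag_field >> 3, bool(frag_field & 1), ident)


def classify(pkt: bytes) -> str:
    """Decide how a receiver should treat one IPv6 packet.

    'ptb-ignore'       PTB reporting an MTU below 1280: no link has such an MTU,
                       and acting on it only makes the node emit atomic fragments.
    'ptb-ok'           PTB with a plausible MTU, handled by normal PMTUD.
    'atomic-fragment'  Fragment header with offset 0 and M == 0: process as an
                       unfragmented packet, never queue it for reassembly.
    'fragment'         genuine fragment, goes to reassembly.
    'other'            everything else.
    """
    _length, next_header = parse_ipv6_header(pkt)
    body = pkt[40:]
    if next_header == NEXT_HEADER_ICMPV6:
        if len(body) < 8:
            raise ValueError("truncated ICMPv6 header")
        icmp_type, _code, _checksum, mtu = struct.unpack("!BBHI", body[:8])
        if icmp_type != ICMPV6_PACKET_TOO_BIG:
            return "other"
        return "ptb-ignore" if mtu < IPV6_MIN_MTU else "ptb-ok"
    if next_header == NEXT_HEADER_FRAGMENT:
        return "atomic-fragment" if parse_fragment_header(body).is_atomic else "fragment"
    return "other"


# --- constructed sample packets (documentation prefix 2001:db8::/32) ---------
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed IPv6 packet: version 6, zero traffic class/flow label, hop limit 64."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + SRC + DST + payload


def build_ptb(mtu: int) -> bytes:
    """Constructed ICMPv6 PTB; checksum 0 (not validated here), 8 bytes of invoking packet."""
    icmp = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + b"\x60" + b"\x00" * 7
    return build_ipv6(NEXT_HEADER_ICMPV6, icmp)


def build_fragment(offset: int, more: bool, ident: int, payload: bytes) -> bytes:
    """Constructed packet carrying a Fragment header in front of a UDP payload."""
    frag_field = (offset << 3) | int(more)
    ext = struct.pack("!BBHI", NEXT_HEADER_UDP, 0, frag_field, ident)
    return build_ipv6(NEXT_HEADER_FRAGMENT, ext + payload)


SAMPLE_FORGED_PTB = build_ptb(1000)      # below the IPv6 minimum: the trigger in the text
SAMPLE_VALID_PTB = build_ptb(1400)
SAMPLE_ATOMIC_FRAGMENT = build_fragment(0, False, 0xDEADBEEF, b"x" * 32)
SAMPLE_REAL_FRAGMENT = build_fragment(0, True, 0xDEADBEEF, b"x" * 32)

if __name__ == "__main__":
    for name in ("SAMPLE_FORGED_PTB", "SAMPLE_VALID_PTB",
                 "SAMPLE_ATOMIC_FRAGMENT", "SAMPLE_REAL_FRAGMENT"):
        print(f"{name:24} -> {classify(globals()[name])}")
```

Ignoring a PTB that reports less than the 1280-byte minimum removes the trigger
in both scenarios of the description. In the BGP-peer scenario, a node that
classifies atomic fragments separately from real fragments can also keep its
fragment-dropping ACL for the reassembly path while still accepting packets
that carry nothing to reassemble, which is the RFC 6946 behaviour.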

Impact

A remote attacker may be able to cause a denial of service (DoS) by sending
crafted IPv6 packets.

Security Advisory Status

F5 Product Development has assigned IDs 652516 (BIG-IP - control plane) and
671813 (BIG-IP - data plane), ID 669855 (BIG-IQ), ID 673039 (F5 iWorkflow), and
ID 669854 (Enterprise Manager) to this vulnerability. Additionally, BIG-IP
iHealth may list Heuristic H57211290-1 and H57211290-2 on the Diagnostics >
Identified > High screen.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

+--------------+------------+--------------+----------+-----------------------+
|              |Versions    |Versions known|          |Vulnerable component or|
|Product       |known to be |to be not     |Severity  |feature                |
|              |vulnerable  |vulnerable    |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |12.0.0 -    |              |          |                       |
|              |12.1.2      |              |          |                       |
|              |11.6.0 -    |13.0.0        |          |Linux kernel - Control |
|              |11.6.1      |11.5.5        |High      |Plane (Management IPv6 |
|              |11.4.1 -    |              |          |addresses)             |
|              |11.5.4      |              |          |                       |
|BIG-IP LTM    |11.2.1      |              |          |                       |
|              +------------+--------------+----------+-----------------------+
|              |            |13.0.0        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.5      |12.1.2        |High      |Plane (TMM IPv6        |
|              |11.2.1      |11.6.0 -      |          |addresses)             |
|              |            |11.6.1        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |12.0.0 -    |              |          |                       |
|              |12.1.2      |              |          |Linux kernel - Control |
|              |11.6.0 -    |13.0.0        |High      |Plane (Management IPv6 |
|              |11.6.1      |11.5.5        |          |addresses)             |
|              |11.4.1 -    |              |          |                       |
|BIG-IP AAM    |11.5.4      |              |          |                       |
|              +------------+--------------+----------+-----------------------+
|              |            |13.0.0        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.5      |12.1.2        |High      |Plane (TMM IPv6        |
|              |            |11.6.0 -      |          |addresses)             |
|              |            |11.6.1        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |12.0.0 -    |              |          |                       |
|              |12.1.2      |              |          |Linux kernel - Control |
|              |11.6.0 -    |13.0.0        |High      |Plane (Management IPv6 |
|              |11.6.1      |11.5.5        |          |addresses)             |
|              |11.4.1 -    |              |          |                       |
|BIG-IP AFM    |11.5.4      |              |          |                       |
|              +------------+--------------+----------+-----------------------+
|              |            |13.0.0        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.5      |12.1.2        |High      |Plane (TMM IPv6        |
|              |            |11.6.0 -      |          |addresses)             |
|              |            |11.6.1        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |12.0.0 -    |              |          |                       |
|              |12.1.2      |              |          |                       |
|              |11.6.0 -    |13.0.0        |          |Linux kernel - Control |
|              |11.6.1      |11.5.5        |High      |Plane (Management IPv6 |
|              |11.4.1 -    |              |          |addresses)             |
|BIG-IP        |11.5.4      |              |          |                       |
|Analytics     |11.2.1      |              |          |                       |
|              +------------+--------------+----------+-----------------------+
|              |            |13.0.0        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.5      |12.1.2        |High      |Plane (TMM IPv6        |
|              |11.2.1      |11.6.0 -      |          |addresses)             |
|              |            |11.6.1        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |12.0.0 -    |              |          |                       |
|              |12.1.2      |              |          |                       |
|              |11.6.0 -    |13.0.0        |          |Linux kernel - Control |
|              |11.6.1      |11.5.5        |High      |Plane (Management IPv6 |
|              |11.4.1 -    |              |          |addresses)             |
|              |11.5.4      |              |          |                       |
|BIG-IP APM    |11.2.1      |              |          |                       |
|              +------------+--------------+----------+-----------------------+
|              |            |13.0.0        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.5      |12.1.2        |High      |Plane (TMM IPv6        |
|              |11.2.1      |11.6.0 -      |          |addresses)             |
|              |            |11.6.1        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |12.0.0 -    |              |          |                       |
|              |12.1.2      |              |          |                       |
|              |11.6.0 -    |13.0.0        |          |Linux kernel - Control |
|BIG-IP ASM    |11.6.1      |11.5.5        |High      |Plane (Management IPv6 |
|              |11.4.1 -    |              |          |addresses)             |
|              |11.5.4      |              |          |                       |
|              |11.2.1      |              |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |            |13.0.0        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.5      |12.1.2        |High      |Plane (TMM IPv6        |
|              |11.2.1      |11.6.0 -      |          |addresses)             |
|              |            |11.6.1        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |12.0.0 -    |              |          |Linux kernel - Control |
|              |12.1.2      |13.0.0        |High      |Plane (Management IPv6 |
|              |            |              |          |addresses)             |
|BIG-IP DNS    +------------+--------------+----------+-----------------------+
|              |            |13.0.0        |Not       |                       |
|              |None        |12.0.0 -      |Vulnerable|None                   |
|              |            |12.1.2        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |            |              |          |Linux kernel - Control |
|              |11.2.1      |None          |High      |Plane (Management IPv6 |
|BIG-IP Edge   |            |              |          |addresses)             |
|Gateway       +------------+--------------+----------+-----------------------+
|              |            |              |          |Linux kernel - Data    |
|              |11.2.1      |None          |High      |Plane (TMM IPv6        |
|              |            |              |          |addresses)             |
+--------------+------------+--------------+----------+-----------------------+
|              |11.6.0 -    |              |          |                       |
|              |11.6.1      |              |          |Linux kernel - Control |
|              |11.4.1 -    |11.5.5        |High      |Plane (Management IPv6 |
|              |11.5.4      |              |          |addresses)             |
|BIG-IP GTM    |11.2.1      |              |          |                       |
|              +------------+--------------+----------+-----------------------+
|              |11.4.1 -    |11.6.0 -      |          |Linux kernel - Data    |
|              |11.5.5      |11.6.1        |High      |Plane (TMM IPv6        |
|              |11.2.1      |              |          |addresses)             |
+--------------+------------+--------------+----------+-----------------------+
|              |12.0.0 -    |              |          |                       |
|              |12.1.2      |              |          |                       |
|              |11.6.0 -    |13.0.0        |          |Linux kernel - Control |
|              |11.6.1      |11.5.5        |High      |Plane (Management IPv6 |
|              |11.4.1 -    |              |          |addresses)             |
|BIG-IP Link   |11.5.4      |              |          |                       |
|Controller    |11.2.1      |              |          |                       |
|              +------------+--------------+----------+-----------------------+
|              |            |13.0.0        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.5      |12.1.2        |High      |Plane (TMM IPv6        |
|              |11.2.1      |11.6.0 -      |          |addresses)             |
|              |            |11.6.1        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |12.0.0 -    |              |          |                       |
|              |12.1.2      |              |          |Linux kernel - Control |
|              |11.6.0 -    |13.0.0        |High      |Plane (Management IPv6 |
|              |11.6.1      |11.5.5        |          |addresses)             |
|              |11.4.0 -    |              |          |                       |
|BIG-IP PEM    |11.5.4      |              |          |                       |
|              +------------+--------------+----------+-----------------------+
|              |            |13.0.0        |          |                       |
|              |11.4.1 -    |12.0.0 -      |          |Linux kernel - Data    |
|              |11.5.5      |12.1.2        |High      |Plane (TMM IPv6        |
|              |            |11.6.0 -      |          |addresses)             |
|              |            |11.6.1        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|              |            |              |          |Linux kernel - Control |
|              |11.4.1      |None          |High      |Plane (Management IPv6 |
|              |            |              |          |addresses)             |
|BIG-IP PSM    +------------+--------------+----------+-----------------------+
|              |            |              |          |Linux kernel - Data    |
|              |11.4.1      |None          |High      |Plane (TMM IPv6        |
|              |            |              |          |addresses)             |
+--------------+------------+--------------+----------+-----------------------+
|              |            |              |          |Linux kernel - Control |
|              |11.2.1      |None          |High      |Plane (Management IPv6 |
|BIG-IP        |            |              |          |addresses)             |
|WebAccelerator+------------+--------------+----------+-----------------------+
|              |            |              |          |Linux kernel - Data    |
|              |11.2.1      |None          |High      |Plane (TMM IPv6        |
|              |            |              |          |addresses)             |
+--------------+------------+--------------+----------+-----------------------+
|              |12.0.0 -    |              |          |Linux kernel - Control |
|              |12.1.2      |13.0.0        |High      |Plane (Management IPv6 |
|              |11.6.0 -    |              |          |addresses)             |
|              |11.6.1      |              |          |                       |
|BIG-IP WebSafe+------------+--------------+----------+-----------------------+
|              |            |13.0.0        |          |                       |
|              |None        |12.0.0 -      |Not       |                       |
|              |            |12.1.2        |vulnerable|None                   |
|              |            |11.6.0 -      |          |                       |
|              |            |11.6.1        |          |                       |
+--------------+------------+--------------+----------+-----------------------+
|ARX           |None        |6.4.0         |Not       |None                   |
|              |            |              |vulnerable|                       |
+--------------+------------+--------------+----------+-----------------------+
|Enterprise    |            |              |          |Linux kernel -         |
|Manager       |3.1.1       |None          |High      |Management IPv6        |
|              |            |              |          |addresses              |
+--------------+------------+--------------+----------+-----------------------+
|              |4.4.0 -     |              |          |Linux kernel -         |
|BIG-IQ Cloud  |4.5.0       |None          |High      |Management IPv6        |
|              |None        |              |          |addresses              |
+--------------+------------+--------------+----------+-----------------------+
|              |4.4.0 -     |              |          |Linux kernel -         |
|BIG-IQ Device |4.5.0       |None          |High      |Management IPv6        |
|              |None        |              |          |addresses              |
+--------------+------------+--------------+----------+-----------------------+
|BIG-IQ        |4.4.0 -     |              |          |Linux kernel -         |
|Security      |4.5.0       |None          |High      |Management IPv6        |
|              |None        |              |          |addresses              |
+--------------+------------+--------------+----------+-----------------------+
|              |4.5.0       |              |          |Linux kernel -         |
|BIG-IQ ADC    |None        |None          |High      |Management IPv6        |
|              |            |              |          |addresses              |
+--------------+------------+--------------+----------+-----------------------+
|BIG-IQ        |5.0.0 -     |              |          |Linux kernel -         |
|Centralized   |5.2.0       |None          |High      |Management IPv6        |
|Management    |4.6.0       |              |          |addresses              |
+--------------+------------+--------------+----------+-----------------------+
|BIG-IQ Cloud  |            |              |          |Linux kernel -         |
|and           |1.0.0       |None          |High      |Management IPv6        |
|Orchestration |            |              |          |addresses              |
+--------------+------------+--------------+----------+-----------------------+
|              |2.0.0 -     |              |          |Linux kernel -         |
|F5 iWorkflow  |2.2.0       |None          |High      |Management IPv6        |
|              |            |              |          |addresses              |
+--------------+------------+--------------+----------+-----------------------+
|LineRate      |None        |2.5.0 - 2.6.2 |Not       |None                   |
|              |            |              |vulnerable|                       |
+--------------+------------+--------------+----------+-----------------------+
|Traffix SDC   |5.0.0       |5.1.0         |Medium    |Linux kernel           |
|              |4.4.0       |              |          |                       |
+--------------+------------+--------------+----------+-----------------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow
systems.

Mitigation

None

Supplemental Information

  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K167: Downloading software and firmware from F5

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
