ESB-2018.0025.2 - UPDATE [Appliance] F5 BIG-IP Products: Access privileged data - Remote/unauthenticated - 2018-08-14


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.0025.2
              K13167034: OpenSSL vulnerability CVE-2016-2183
                              14 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2183  

Reference:         ASB-2017.0219
                   ASB-2017.0208
                   ASB-2017.0169
                   ESB-2016.2263
                   ESB-2016.2239.2
                   ESB-2016.2238

Original Bulletin: 
   https://support.f5.com/csp/article/K13167034

Revision History:  August  14 2018: Updated security advisory status table. 
                   January  2 2018: Initial Release

---------------------------BEGIN INCLUDED TEXT--------------------

K13167034: OpenSSL vulnerability CVE-2016-2183

Security Advisory

Original Publication Date: 05 Oct, 2016

Latest   Publication Date: 14 Aug, 2018

Security Advisory Description

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols
and other protocols and products, have a birthday bound of approximately four
billion blocks, which makes it easier for remote attackers to obtain cleartext
data via a birthday attack against a long-duration encrypted session, as
demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32"
attack. (CVE-2016-2183)

Impact

Remote attackers may be able to obtain cleartext data using a birthday attack
against long-duration encrypted sessions.


Security Advisory Status

F5 Product Development has assigned IDs 615267, 615271, 615270, 615269,
615268, and 615274 (BIG-IP), ID 410742 (ARX), ID 616861 (BIG-IQ and F5
iWorkflow), ID 616862 (Enterprise Manager), ID 528809 (FirePass), and
LRS-60936 (LineRate) to this vulnerability. Additionally, BIG-IP iHealth may
list Heuristic H13167034, H13167034-1, H13167034-2, and H13167034-3 on the
Diagnostics > Identified > Medium page.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table.

+---------------+---------------+-----------------+----------+---------------+
|               |Versions known |Versions known to|          |Vulnerable     |
|Product        |to be          |be not vulnerable|Severity  |component or   |
|               |vulnerable     |                 |          |feature        |
+---------------+---------------+-----------------+----------+---------------+
|               |13.0.0         |13.1.0           |          |               |
|               |12.0.0 - 12.1.2|13.0.0 HF1 -     |          |SSL profiles   |
|               |11.4.0 - 11.6.3|13.0.1           |Medium    |(client/server)|
|               |11.2.1         |12.1.3           |          |               |
|               |10.2.1 - 10.2.4|12.1.2 HF1       |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|None             |Medium    |IPSec          |
|               |11.4.0 - 11.6.3|                 |          |               |
|               |11.2.1         |                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|                 |          |               |
|BIG-IP LTM     |11.4.0 - 11.6.3|None             |Medium    |tamd           |
|               |11.2.1         |                 |          |               |
|               |10.2.4         |                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|                 |          |               |
|               |11.4.0 - 11.6.3|14.0.0           |Medium    |Apache mod_ssl |
|               |11.2.1         |                 |          |               |
|               |10.2.4         |                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.0.1|                 |          |               |
|               |12.0.0 - 12.1.3|                 |          |               |
|               |11.4.0 - 11.6.3|13.1.0           |Medium    |Big3d          |
|               |11.2.1         |                 |          |               |
|               |10.2.1 - 10.2.4|                 |          |               |
+---------------+---------------+-----------------+----------+---------------+
|               |               |13.1.0           |          |               |
|               |13.0.0         |13.0.0 HF1 -     |          |SSL profiles   |
|               |12.0.0 - 12.1.2|13.0.1           |Medium    |(client/server)|
|               |11.4.0 - 11.6.3|12.1.3           |          |               |
|               |               |12.1.2 HF1       |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|None             |Medium    |IPSec          |
|               |11.4.0 - 11.6.3|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|BIG-IP AAM     |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|None             |Medium    |tamd           |
|               |11.4.0 - 11.6.3|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|14.0.0           |Medium    |Apache mod_ssl |
|               |11.4.0 - 11.6.3|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.0.1|                 |          |               |
|               |12.0.0 - 12.1.3|13.1.0           |Medium    |Big3d          |
|               |11.4.0 - 11.6.3|                 |          |               |
+---------------+---------------+-----------------+----------+---------------+
|               |12.1.0 - 12.1.3|13.0.0 - 13.1.0  |Medium    |SSH Proxy      |
|               |               |12.1.3.4         |          |               |
|               +---------------+-----------------+----------+---------------+
|               |               |13.1.0           |          |               |
|               |13.0.0         |13.0.0 HF1 -     |          |SSL profiles   |
|               |12.0.0 - 12.1.2|13.0.1           |Medium    |(client/server)|
|               |11.4.0 - 11.6.3|12.1.3           |          |               |
|               |               |12.1.2 HF1       |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|None             |Medium    |IPSec          |
|BIG-IP AFM     |11.4.0 - 11.6.3|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|None             |Medium    |tamd           |
|               |11.4.0 - 11.6.3|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|14.0.0           |Medium    |Apache mod_ssl |
|               |11.4.0 - 11.6.3|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.0.1|                 |          |               |
|               |12.0.0 - 12.1.3|13.1.0           |Medium    |Big3d          |
|               |11.4.0 - 11.6.3|                 |          |               |
+---------------+---------------+-----------------+----------+---------------+
|               |13.0.0         |13.1.0           |          |               |
|               |12.0.0 - 12.1.2|13.0.0 HF1 -     |          |SSL profiles   |
|               |11.4.0 - 11.6.3|13.0.1           |Medium    |(client/server)|
|               |11.2.1         |12.1.3           |          |               |
|               |               |12.1.2 HF1       |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|None             |Medium    |IPSec          |
|               |11.4.0 - 11.6.3|                 |          |               |
|               |11.2.1         |                 |          |               |
|               +---------------+-----------------+----------+---------------+
|BIG-IP         |13.0.0 - 13.1.0|                 |          |               |
|Analytics      |12.0.0 - 12.1.3|None             |Medium    |tamd           |
|               |11.4.0 - 11.6.3|                 |          |               |
|               |11.2.1         |                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|14.0.0           |Medium    |Apache mod_ssl |
|               |11.4.0 - 11.6.3|                 |          |               |
|               |11.2.1         |                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.0.1|                 |          |               |
|               |12.0.0 - 12.1.3|13.1.0           |Medium    |Big3d          |
|               |11.4.0 - 11.6.3|                 |          |               |
|               |11.2.1         |                 |          |               |
+---------------+---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|                 |          |Oracle Access  |
|               |11.4.0 - 11.6.3|None             |Medium    |Manager        |
|               |11.2.1         |                 |          |               |
|               |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0         |13.1.0           |          |               |
|               |12.0.0 - 12.1.2|13.0.0 HF1 -     |          |SSL profiles   |
|               |11.4.0 - 11.6.3|13.0.1           |Medium    |(client/server)|
|               |11.2.1         |12.1.3           |          |               |
|               |10.2.1 - 10.2.4|12.1.2 HF1       |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|None             |Medium    |IPSec          |
|               |11.4.0 - 11.6.3|                 |          |               |
|               |11.2.1         |                 |          |               |
|BIG-IP APM     +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|                 |          |               |
|               |11.4.0 - 11.6.3|None             |Medium    |tamd           |
|               |11.2.1         |                 |          |               |
|               |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|                 |          |               |
|               |11.4.0 - 11.6.3|14.0.0           |Medium    |Apache mod_ssl |
|               |11.2.1         |                 |          |               |
|               |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.0.1|                 |          |               |
|               |12.0.0 - 12.1.3|                 |          |               |
|               |11.4.0 - 11.6.3|13.1.0           |Medium    |Big3d          |
|               |11.2.1         |                 |          |               |
|               |10.2.1 - 10.2.4|                 |          |               |
+---------------+---------------+-----------------+----------+---------------+
|               |13.0.0         |13.1.0           |          |               |
|               |12.0.0 - 12.1.2|13.0.0 HF1 -     |          |SSL profiles   |
|               |11.4.0 - 11.6.3|13.0.1           |Medium    |(client/server)|
|               |11.2.1         |12.1.3           |          |               |
|               |10.2.1 - 10.2.4|12.1.2 HF1       |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|None             |Medium    |IPSec          |
|               |11.4.0 - 11.6.3|                 |          |               |
|               |11.2.1         |                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|                 |          |               |
|BIG-IP ASM     |11.4.0 - 11.6.3|None             |Medium    |tamd           |
|               |11.2.1         |                 |          |               |
|               |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|                 |          |               |
|               |11.4.0 - 11.6.3|14.0.0           |Medium    |Apache mod_ssl |
|               |11.2.1         |                 |          |               |
|               |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.0.1|                 |          |               |
|               |12.0.0 - 12.1.3|                 |          |               |
|               |11.4.0 - 11.6.3|13.1.0           |Medium    |Big3d          |
|               |11.2.1         |                 |          |               |
|               |10.2.1 - 10.2.4|                 |          |               |
+---------------+---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|None             |Medium    |tamd           |
|               |12.0.0 - 12.1.3|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|BIG-IP DNS     |13.0.0 - 13.1.0|14.0.0           |Medium    |Apache mod_ssl |
|               |12.0.0 - 12.1.3|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.0.1|13.1.0           |Medium    |Big3d          |
|               |12.0.0 - 12.1.3|                 |          |               |
+---------------+---------------+-----------------+----------+---------------+
|               |11.2.1         |None             |Medium    |SSL profiles   |
|               |10.2.1 - 10.2.4|                 |          |(client/server)|
|               +---------------+-----------------+----------+---------------+
|               |11.2.1         |None             |Medium    |IPSec          |
|               +---------------+-----------------+----------+---------------+
|BIG-IP Edge    |11.2.1         |None             |Medium    |tamd           |
|Gateway        |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |11.2.1         |None             |Medium    |Apache mod_ssl |
|               |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |11.2.1         |None             |Medium    |Big3d          |
|               |10.2.1 - 10.2.4|                 |          |               |
+---------------+---------------+-----------------+----------+---------------+
|               |11.4.0 - 11.6.3|                 |          |               |
|               |11.2.1         |None             |Medium    |tamd           |
|               |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |11.4.0 - 11.6.3|                 |          |               |
|BIG-IP GTM     |11.2.1         |None             |Medium    |Apache mod_ssl |
|               |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |11.4.0 - 11.6.3|                 |          |               |
|               |11.2.1         |None             |Medium    |Big3d          |
|               |10.2.1 - 10.2.4|                 |          |               |
+---------------+---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|None             |Medium    |IPSec          |
|               |11.4.0 - 11.6.3|                 |          |               |
|               |11.2.1         |                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|                 |          |               |
|               |11.4.0 - 11.6.3|None             |Medium    |tamd           |
|               |11.2.1         |                 |          |               |
|               |10.2.1 - 10.2.4|                 |          |               |
|BIG-IP Link    +---------------+-----------------+----------+---------------+
|Controller     |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|                 |          |               |
|               |11.4.0 - 11.6.3|14.0.0           |Medium    |Apache mod_ssl |
|               |11.2.1         |                 |          |               |
|               |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.0.1|                 |          |               |
|               |12.0.0 - 12.1.3|                 |          |               |
|               |11.4.0 - 11.6.3|13.1.0           |Medium    |Big3d          |
|               |11.2.1         |                 |          |               |
|               |10.2.1 - 10.2.4|                 |          |               |
+---------------+---------------+-----------------+----------+---------------+
|               |               |13.1.0           |          |               |
|               |13.0.0         |13.0.0 HF1 -     |          |SSL profiles   |
|               |12.0.0 - 12.1.2|13.0.1           |Medium    |(client/server)|
|               |11.4.0 - 11.6.3|12.1.3           |          |               |
|               |               |12.1.2 HF1       |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|None             |Medium    |IPSec          |
|               |11.4.0 - 11.6.3|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|BIG-IP PEM     |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|None             |Medium    |tamd           |
|               |11.4.0 - 11.6.3|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.1.0|                 |          |               |
|               |12.0.0 - 12.1.3|14.0.0           |Medium    |Apache mod_ssl |
|               |11.4.0 - 11.6.3|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |13.0.0 - 13.0.1|                 |          |               |
|               |12.0.0 - 12.1.3|13.1.0           |Medium    |Big3d          |
|               |11.4.0 - 11.6.3|                 |          |               |
+---------------+---------------+-----------------+----------+---------------+
|               |11.4.0 - 11.4.1|None             |Medium    |SSL profiles   |
|               |10.2.1 - 10.2.4|                 |          |(client/server)|
|               +---------------+-----------------+----------+---------------+
|               |11.4.0 - 11.4.1|None             |Medium    |IPSec          |
|               +---------------+-----------------+----------+---------------+
|               |11.4.0 - 11.4.1|None             |Medium    |tamd           |
|BIG-IP PSM     |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |11.4.0 - 11.4.1|None             |Medium    |Apache mod_ssl |
|               |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |11.4.0 - 11.4.1|None             |Medium    |Big3d          |
|               |10.2.1 - 10.2.4|                 |          |               |
+---------------+---------------+-----------------+----------+---------------+
|               |11.2.1         |None             |Medium    |SSL profiles   |
|               |10.2.1 - 10.2.4|                 |          |(client/server)|
|               +---------------+-----------------+----------+---------------+
|               |11.2.1         |None             |Medium    |IPSec          |
|               +---------------+-----------------+----------+---------------+
|BIG-IP         |11.2.1         |None             |Medium    |tamd           |
|WebAccelerator |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |11.2.1         |None             |Medium    |Apache mod_ssl |
|               |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |11.2.1         |None             |Medium    |Big3d          |
|               |10.2.1 - 10.2.4|                 |          |               |
+---------------+---------------+-----------------+----------+---------------+
|               |11.2.1         |None             |Medium    |SSL profiles   |
|               |10.2.1 - 10.2.4|                 |          |(client/server)|
|               +---------------+-----------------+----------+---------------+
|               |11.2.1         |None             |Medium    |IPSec          |
|               +---------------+-----------------+----------+---------------+
|               |11.2.1         |None             |Medium    |tamd           |
|BIG-IP WOM     |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |11.2.1         |None             |Medium    |Apache mod_ssl |
|               |10.2.1 - 10.2.4|                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |11.2.1         |None             |Medium    |Big3d          |
|               |10.2.1 - 10.2.4|                 |          |               |
+---------------+---------------+-----------------+----------+---------------+
|               |               |13.0.0 - 13.1.0  |Not       |               |
|BIG-IP WebSafe |None           |12.0.0 - 12.1.3  |vulnerable|None           |
|               |               |11.6.0 - 11.6.3  |          |               |
+---------------+---------------+-----------------+----------+---------------+
|ARX            |6.2.0 - 6.4.0  |None             |Low       |OpenSSL        |
+---------------+---------------+-----------------+----------+---------------+
|Enterprise     |               |                 |          |Apache         |
|Manager        |3.1.1          |None             |Medium    |OpenSSH        |
|               |               |                 |          |Big3d          |
+---------------+---------------+-----------------+----------+---------------+
|FirePass       |7.0.0          |None             |Low       |OpenSSL        |
+---------------+---------------+-----------------+----------+---------------+
|               |               |                 |          |Webd           |
|BIG-IQ Cloud   |4.0.0 - 4.5.0  |None             |Medium    |OpenSSH        |
|               |               |                 |          |Big3d          |
+---------------+---------------+-----------------+----------+---------------+
|               |               |                 |          |Webd           |
|BIG-IQ Device  |4.2.0 - 4.5.0  |None             |Medium    |OpenSSH        |
|               |               |                 |          |Big3d          |
+---------------+---------------+-----------------+----------+---------------+
|               |               |                 |          |Webd           |
|BIG-IQ Security|4.0.0 - 4.5.0  |None             |Medium    |OpenSSH        |
|               |               |                 |          |Big3d          |
+---------------+---------------+-----------------+----------+---------------+
|               |               |                 |          |Webd           |
|BIG-IQ ADC     |4.5.0          |None             |Medium    |OpenSSH        |
|               |               |                 |          |Big3d          |
+---------------+---------------+-----------------+----------+---------------+
|               |5.0.0 - 5.4.0  |None             |Medium    |Webd           |
|               |4.6.0          |                 |          |               |
|BIG-IQ         +---------------+-----------------+----------+---------------+
|Centralized    |5.0.0 - 5.4.0  |None             |Medium    |OpenSSH        |
|Management     |4.6.0          |                 |          |               |
|               +---------------+-----------------+----------+---------------+
|               |5.0.0 - 5.1.0  |5.2.0 - 5.4.0    |Medium    |Big3d          |
|               |4.6.0          |                 |          |               |
+---------------+---------------+-----------------+----------+---------------+
|BIG-IQ Cloud   |               |                 |          |Webd           |
|and            |1.0.0          |None             |Medium    |OpenSSH        |
|Orchestration  |               |                 |          |Big3d          |
+---------------+---------------+-----------------+----------+---------------+
|               |               |                 |          |Apache         |
|F5 iWorkflow   |2.0.0 - 2.3.0  |None             |Medium    |OpenSSH        |
|               |               |                 |          |Big3d          |
+---------------+---------------+-----------------+----------+---------------+
|LineRate       |2.5.0 - 2.6.1  |None             |Low       |SSL/TLS        |
+---------------+---------------+-----------------+----------+---------------+
|Traffix SDC    |5.0.0          |None             |Low       |OpenSSL        |
|               |4.0.0 - 4.4.0  |                 |          |               |
+---------------+---------------+-----------------+----------+---------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow
systems.

Mitigation

The following mitigation options are available for the BIG-IP system:

SSL profiles

You can mitigate this issue for the SSL profiles by disabling 3DES (DES-CBC3)
ciphers for the affected profile. For information about configuring the cipher
strength for the SSL profiles, refer to K17370: Configuring the cipher
strength for SSL profiles (12.x - 13.x).

Important: The following mitigation will not work for BIG-IP 13.0.0 due to an
issue being tracked by F5 Product Development as ID 649369. For assistance
mitigating this issue for BIG-IP 13.0.0, please contact F5 Technical Support
and reference this article and ID 649369.

You can disable 3DES in SSL profile ciphers by adding !3DES or -3DES to the
current cipher string in the Ciphers field.

Note: When you use the ! symbol preceding a cipher, the SSL profile
permanently removes the cipher from the cipher list, even if the cipher is
explicitly stated later in the cipher string. When you use the - symbol
preceding a cipher, the SSL profile removes the cipher from the cipher list,
but the cipher can be added back to the cipher list if there are later options
that allow it.

For example, if the current cipher string is DEFAULT, the updated cipher
string becomes DEFAULT:!3DES.

Some TLS rating sites treat the ability to negotiate 3DES with TLS 1.2
differently than they treat 3DES availability with TLS 1.0 or TLS 1.1. The
rationale behind this logic is that legacy clients are not expected to
negotiate TLS 1.2 and thus there is no reason for a TLS server to offer 3DES
with TLS 1.2. If you want to enable 3DES with TLS 1.0 and TLS 1.1 only, but
not TLS 1.2, you can use the following cipher string:

    -3DES:TLSv1_1+3DES:TLSv1+3DES

For example, if the current cipher string is DEFAULT, the updated cipher
string becomes DEFAULT:-3DES:TLSv1_1+3DES:TLSv1+3DES.
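As an added illustration (not F5 code), the following Python models the cipher-string rules described above: a constructed candidate list of suites per protocol version, `!` as a permanent exclusion, `-` as a removable one, and `A+B` selecting entries that match both keywords, as the TLSv1_1+3DES form implies. The group membership rules are simplified assumptions, not the real BIG-IP cipher database.

```python
# Added illustration of the BIG-IP cipher-string semantics described in the
# advisory. The candidate list and group rules are constructed for this example.
from typing import List, Set, Tuple

Entry = Tuple[str, str]  # (cipher suite name, TLS protocol version)

# Constructed candidate list: three protocol versions x a few suites.
CANDIDATES: List[Entry] = [
    (suite, proto)
    for proto in ("TLSv1", "TLSv1_1", "TLSv1_2")
    for suite in ("AES256-SHA", "AES128-SHA", "DES-CBC3-SHA")
]


def matches(entry: Entry, keyword: str) -> bool:
    """Does a (suite, protocol) entry belong to the named group? (assumed rules)"""
    suite, proto = entry
    if keyword == "DEFAULT":
        return True                      # assumption: DEFAULT = every candidate
    if keyword == "3DES":
        return "DES-CBC3" in suite
    if keyword == "AES":
        return suite.startswith("AES")
    if keyword in ("TLSv1", "TLSv1_1", "TLSv1_2"):
        return proto == keyword
    raise ValueError(f"unknown keyword {keyword!r}")


def expand(cipher_string: str) -> List[Entry]:
    """Evaluate a cipher string left to right and return the resulting list."""
    selected: List[Entry] = []
    killed: Set[Entry] = set()           # '!' exclusions never come back
    for term in filter(None, cipher_string.split(":")):
        op = term[0] if term[0] in "!-" else ""
        keywords = term.lstrip("!-").split("+")   # A+B: must match every keyword
        hits = [e for e in CANDIDATES if all(matches(e, k) for k in keywords)]
        if op == "!":
            killed.update(hits)
            selected = [e for e in selected if e not in killed]
        elif op == "-":                  # removable: a later term may re-add it
            selected = [e for e in selected if e not in hits]
        else:
            selected += [e for e in hits if e not in killed and e not in selected]
    return selected


def offers_3des(cipher_string: str) -> List[str]:
    """Protocol versions on which the evaluated string still offers 3DES."""
    return sorted({p for s, p in expand(cipher_string) if "DES-CBC3" in s})


if __name__ == "__main__":
    for cs in ("DEFAULT", "DEFAULT:!3DES", "DEFAULT:!3DES:TLSv1+3DES",
               "DEFAULT:-3DES:TLSv1_1+3DES:TLSv1+3DES"):
        print(f"{cs:42} 3DES offered on: {offers_3des(cs)}")
```

The third string shows the difference the note describes: after `!3DES`, the later `TLSv1+3DES` term cannot restore the cipher, whereas after `-3DES` it can.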

Beginning in 12.1.2 HF1, the BIG-IP system implements a TLS session data
limit for 3DES that makes the use of 3DES on the BIG-IP system secure with
respect to the SWEET32 attack. Unfortunately, SSL rating sites cannot easily
detect the presence of this fix: auditing it requires sending over 1 GB of
data in a single TLS session.

For earlier versions of BIG-IP systems without the data limit fix, you should
take the following alternative steps when 3DES is enabled. Note that you do
not need to take the following steps if only modern block ciphers are enabled,
such as AES or Camellia.

Alternatively, if disabling 3DES ciphers is not possible and you are running a
version earlier than 12.1.2 HF1, you can modify the SSL profile and set the
Renegotiation Size setting to 1 GB. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a
negative impact on your system.

 1. Log in to the TMOS Shell (tmsh) by typing the following command:

    tmsh

 2. Change the renegotiation size to 1 GB for the profile using the following
    command syntax:

    modify /ltm profile client-ssl <profile_name> renegotiate-size 1000

    For example, the following command changes the renegotiation size to 1 GB
    for the SSL profile named MyClientSSL:

    modify /ltm profile client-ssl MyClientSSL renegotiate-size 1000

 3. Save the changes by typing the following command:

    save /sys config

Authentication profiles (tamd)

To mitigate this issue, disable 3DES on the server side to prevent negotiation
of the vulnerable cipher.

Configuration utility

To mitigate this vulnerability for the Configuration utility, you should
permit management access to F5 products only over a secure network. For more
information, refer to K13092: Overview of securing access to the BIG-IP
system.

BIG-IP APM - Oracle Access Manager

To mitigate this vulnerability for Oracle Access Manager (OAM), you should
monitor traffic patterns between the BIG-IP system and back-end OAM systems
for traffic anomalies, or force rekeying at an appropriate interval on your
application server.

IPsec

To mitigate this vulnerability for IPsec, in your IPsec policy, you should use
AES ciphers, or if you cannot use AES ciphers, configure the KBLifetime
to 1048576 KB (1 GB) or less.

BIG-IQ

To mitigate this vulnerability for the big3d component of BIG-IQ, perform the
following procedure:

Impact of procedure: BIG-IQ does not use the big3d component and F5 product
development has removed it starting in BIG-IQ 5.2.0. Performing the following
procedure should not have a negative impact on your system.

 1. Log in to tmsh by typing the following command:

    tmsh

 2. Disable the big3d component, which stops the service and prevents it
    from starting on subsequent reboots, by typing the following command:

    modify /sys service big3d disable


Supplemental Information

  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K167: Downloading software and firmware from F5
  o K13123: Managing BIG-IP product hotfixes (11.x - 13.x)
  o K9502: BIG-IP hotfix and point release matrix
  o K15106: Managing BIG-IQ product hotfixes
  o K15113: BIG-IQ hotfix matrix
  o K10322: FirePass hotfix matrix
  o K12766: ARX hotfix matrix

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================