ESB-2018.0025 - [Appliance] F5 BIG-IP Products: Access privileged data - Remote/unauthenticated - 2018-01-02


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0025
              K13167034: OpenSSL vulnerability CVE-2016-2183
                              2 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2183  

Reference:         ASB-2017.0219
                   ASB-2017.0208
                   ASB-2017.0169
                   ESB-2016.2263
                   ESB-2016.2239.2
                   ESB-2016.2238

Original Bulletin: 
   https://support.f5.com/csp/article/K13167034

--------------------------BEGIN INCLUDED TEXT--------------------

K13167034: OpenSSL vulnerability CVE-2016-2183

Security Advisory

Original Publication Date: Oct 05, 2016
Updated Date: Dec 27, 2017

Security Advisory Description

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols
and other protocols and products, have a birthday bound of approximately four
billion blocks, which makes it easier for remote attackers to obtain cleartext
data via a birthday attack against a long-duration encrypted session, as
demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32"
attack. (CVE-2016-2183)

Impact

Remote attackers may be able to obtain cleartext data using a birthday attack
against long-duration encrypted sessions.

Security Advisory Status

F5 Product Development has assigned IDs 615267, 615271, 615270, 615269, 615268,
and 615274 (BIG-IP), ID 410742 (ARX), ID 616861 (BIG-IQ and F5 iWorkflow), ID
616862 (Enterprise Manager), ID 528809 (FirePass), and LRS-60936 (LineRate) to
this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H13167034,
H13167034-1, H13167034-2, and H13167034-3 on the Diagnostics > Identified >
Medium screen.

To determine whether your release is known to be vulnerable, which components
or features are affected by the vulnerability, and which releases or hotfixes
address it, refer to the following table:

+---------------+----------------+-----------------+----------+----------------+
|               |Versions known  |Versions known to|          |Vulnerable      |
|Product        |to be vulnerable|be not vulnerable|Severity  |component or    |
|               |                |                 |          |feature         |
+---------------+----------------+-----------------+----------+----------------+
|               |13.0.0          |13.1.0           |          |                |
|               |12.0.0 - 12.1.2 |13.0.0 HF1       |          |SSL profiles    |
|               |11.4.0 - 11.6.2 |12.1.3           |Medium    |(client/server) |
|               |11.2.1          |12.1.2 HF1       |          |                |
|               |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |None             |Medium    |IPSec           |
|               |11.4.0 - 11.6.2 |                 |          |                |
|               |11.2.1          |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |                 |          |                |
|BIG-IP LTM     |11.4.0 - 11.6.2 |None             |Medium    |tamd            |
|               |11.2.1          |                 |          |                |
|               |10.2.4          |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |                 |          |                |
|               |11.4.0 - 11.6.2 |None             |Medium    |Apache mod_ssl  |
|               |11.2.1          |                 |          |                |
|               |10.2.4          |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0          |                 |          |                |
|               |12.0.0 - 12.1.3 |                 |          |                |
|               |11.4.0 - 11.6.2 |13.1.0           |Medium    |Big3d           |
|               |11.2.1          |                 |          |                |
|               |10.2.1 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |13.0.0          |13.1.0           |          |                |
|               |12.0.0 - 12.1.2 |13.0.0 HF1       |Medium    |SSL profiles    |
|               |11.4.0 - 11.6.2 |12.1.3           |          |(client/server) |
|               |                |12.1.2 HF1       |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |None             |Medium    |IPSec           |
|               |11.4.0 - 11.6.2 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|BIG-IP AAM     |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |None             |Medium    |tamd            |
|               |11.4.0 - 11.6.2 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |None             |Medium    |Apache mod_ssl  |
|               |11.4.0 - 11.6.2 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0          |                 |          |                |
|               |12.0.0 - 12.1.3 |13.1.0           |Medium    |Big3d           |
|               |11.4.0 - 11.6.2 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |12.1.0 - 12.1.3 |13.0.0 - 13.1.0  |Medium    |SSH Proxy       |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0          |13.1.0           |          |                |
|               |12.0.0 - 12.1.2 |13.0.0 HF1       |Medium    |SSL profiles    |
|               |11.4.0 - 11.6.2 |12.1.3           |          |(client/server) |
|               |                |12.1.2 HF1       |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |None             |Medium    |IPSec           |
|               |11.4.0 - 11.6.2 |                 |          |                |
|BIG-IP AFM     +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |None             |Medium    |tamd            |
|               |11.4.0 - 11.6.2 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |None             |Medium    |Apache mod_ssl  |
|               |11.4.0 - 11.6.2 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0          |                 |          |                |
|               |12.0.0 - 12.1.3 |13.1.0           |Medium    |Big3d           |
|               |11.4.0 - 11.6.2 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |13.0.0          |13.1.0           |          |                |
|               |12.0.0 - 12.1.2 |13.0.0 HF1       |Medium    |SSL profiles    |
|               |11.4.0 - 11.6.2 |12.1.3           |          |(client/server) |
|               |11.2.1          |12.1.2 HF1       |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |None             |Medium    |IPSec           |
|               |11.4.0 - 11.6.2 |                 |          |                |
|               |11.2.1          |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|BIG-IP         |12.0.0 - 12.1.3 |None             |Medium    |tamd            |
|Analytics      |11.4.0 - 11.6.2 |                 |          |                |
|               |11.2.1          |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |None             |Medium    |Apache mod_ssl  |
|               |11.4.0 - 11.6.2 |                 |          |                |
|               |11.2.1          |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0          |                 |          |                |
|               |12.0.0 - 12.1.3 |13.1.0           |Medium    |Big3d           |
|               |11.4.0 - 11.6.2 |                 |          |                |
|               |11.2.1          |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |                 |          |Oracle Access   |
|               |11.4.0 - 11.6.2 |None             |Medium    |Manager         |
|               |11.2.1          |                 |          |                |
|               |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0          |13.1.0           |          |                |
|               |12.0.0 - 12.1.2 |13.0.0 HF1       |          |SSL profiles    |
|               |11.4.0 - 11.6.2 |12.1.3           |Medium    |(client/server) |
|               |11.2.1          |12.1.2 HF1       |          |                |
|               |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |None             |Medium    |IPSec           |
|               |11.4.0 - 11.6.2 |                 |          |                |
|               |11.2.1          |                 |          |                |
|BIG-IP APM     +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |                 |          |                |
|               |11.4.0 - 11.6.2 |None             |Medium    |tamd            |
|               |11.2.1          |                 |          |                |
|               |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |                 |          |                |
|               |11.4.0 - 11.6.2 |None             |Medium    |Apache mod_ssl  |
|               |11.2.1          |                 |          |                |
|               |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0          |                 |          |                |
|               |12.0.0 - 12.1.3 |                 |          |                |
|               |11.4.0 - 11.6.2 |13.1.0           |Medium    |Big3d           |
|               |11.2.1          |                 |          |                |
|               |10.2.1 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |13.0.0          |13.1.0           |          |                |
|               |12.0.0 - 12.1.2 |13.0.0 HF1       |          |SSL profiles    |
|               |11.4.0 - 11.6.2 |12.1.3           |Medium    |(client/server) |
|               |11.2.1          |12.1.2 HF1       |          |                |
|               |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |None             |Medium    |IPSec           |
|               |11.4.0 - 11.6.2 |                 |          |                |
|               |11.2.1          |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |                 |          |                |
|BIG-IP ASM     |11.4.0 - 11.6.2 |None             |Medium    |tamd            |
|               |11.2.1          |                 |          |                |
|               |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |                 |          |                |
|               |11.4.0 - 11.6.2 |None             |Medium    |Apache mod_ssl  |
|               |11.2.1          |                 |          |                |
|               |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0          |                 |          |                |
|               |12.0.0 - 12.1.3 |                 |          |                |
|               |11.4.0 - 11.6.2 |13.1.0           |Medium    |Big3d           |
|               |11.2.1          |                 |          |                |
|               |10.2.1 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |None             |Medium    |tamd            |
|               |12.0.0 - 12.1.3 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|BIG-IP DNS     |13.0.0 - 13.1.0 |None             |Medium    |Apache mod_ssl  |
|               |12.0.0 - 12.1.3 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0          |13.1.0           |Medium    |Big3d           |
|               |12.0.0 - 12.1.3 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |11.2.1          |None             |Medium    |SSL profiles    |
|               |10.2.1 - 10.2.4 |                 |          |(client/server) |
|               +----------------+-----------------+----------+----------------+
|               |11.2.1          |None             |Medium    |IPSec           |
|               +----------------+-----------------+----------+----------------+
|BIG-IP Edge    |11.2.1          |None             |Medium    |tamd            |
|Gateway        |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |11.2.1          |None             |Medium    |Apache mod_ssl  |
|               |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |11.2.1          |None             |Medium    |Big3d           |
|               |10.2.1 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |11.4.0 - 11.6.2 |                 |          |                |
|               |11.2.1          |None             |Medium    |tamd            |
|               |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |11.4.0 - 11.6.2 |                 |          |                |
|BIG-IP GTM     |11.2.1          |None             |Medium    |Apache mod_ssl  |
|               |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |11.4.0 - 11.6.2 |                 |          |                |
|               |11.2.1          |None             |Medium    |Big3d           |
|               |10.2.1 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |None             |Medium    |IPSec           |
|               |11.4.0 - 11.6.2 |                 |          |                |
|               |11.2.1          |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |                 |          |                |
|               |11.4.0 - 11.6.2 |None             |Medium    |tamd            |
|               |11.2.1          |                 |          |                |
|               |10.2.1 - 10.2.4 |                 |          |                |
|BIG-IP Link    +----------------+-----------------+----------+----------------+
|Controller     |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |                 |          |                |
|               |11.4.0 - 11.6.2 |None             |Medium    |Apache mod_ssl  |
|               |11.2.1          |                 |          |                |
|               |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0          |                 |          |                |
|               |12.0.0 - 12.1.3 |                 |          |                |
|               |11.4.0 - 11.6.2 |13.1.0           |Medium    |Big3d           |
|               |11.2.1          |                 |          |                |
|               |10.2.1 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |13.0.0          |13.1.0           |          |                |
|               |12.0.0 - 12.1.2 |13.0.0 HF1       |Medium    |SSL profiles    |
|               |11.4.0 - 11.6.2 |12.1.3           |          |(client/server) |
|               |                |12.1.2 HF1       |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |None             |Medium    |IPSec           |
|               |11.4.0 - 11.6.2 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|BIG-IP PEM     |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |None             |Medium    |tamd            |
|               |11.4.0 - 11.6.2 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0 - 13.1.0 |                 |          |                |
|               |12.0.0 - 12.1.3 |None             |Medium    |Apache mod_ssl  |
|               |11.4.0 - 11.6.2 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |13.0.0          |                 |          |                |
|               |12.0.0 - 12.1.3 |13.1.0           |Medium    |Big3d           |
|               |11.4.0 - 11.6.2 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |11.4.0 - 11.4.1 |None             |Medium    |SSL profiles    |
|               |10.2.1 - 10.2.4 |                 |          |(client/server) |
|               +----------------+-----------------+----------+----------------+
|               |11.4.0 - 11.4.1 |None             |Medium    |IPSec           |
|               +----------------+-----------------+----------+----------------+
|               |11.4.0 - 11.4.1 |None             |Medium    |tamd            |
|BIG-IP PSM     |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |11.4.0 - 11.4.1 |None             |Medium    |Apache mod_ssl  |
|               |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |11.4.0 - 11.4.1 |None             |Medium    |Big3d           |
|               |10.2.1 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |11.2.1          |None             |Medium    |SSL profiles    |
|               |10.2.1 - 10.2.4 |                 |          |(client/server) |
|               +----------------+-----------------+----------+----------------+
|               |11.2.1          |None             |Medium    |IPSec           |
|               +----------------+-----------------+----------+----------------+
|BIG-IP         |11.2.1          |None             |Medium    |tamd            |
|WebAccelerator |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |11.2.1          |None             |Medium    |Apache mod_ssl  |
|               |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |11.2.1          |None             |Medium    |Big3d           |
|               |10.2.1 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |11.2.1          |None             |Medium    |SSL profiles    |
|               |10.2.1 - 10.2.4 |                 |          |(client/server) |
|               +----------------+-----------------+----------+----------------+
|               |11.2.1          |None             |Medium    |IPSec           |
|               +----------------+-----------------+----------+----------------+
|               |11.2.1          |None             |Medium    |tamd            |
|BIG-IP WOM     |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |11.2.1          |None             |Medium    |Apache mod_ssl  |
|               |10.2.1 - 10.2.4 |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |11.2.1          |None             |Medium    |Big3d           |
|               |10.2.1 - 10.2.4 |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|               |                |13.0.0 - 13.1.0  |Not       |                |
|BIG-IP WebSafe |None            |12.0.0 - 12.1.3  |vulnerable|None            |
|               |                |11.6.0 - 11.6.2  |          |                |
+---------------+----------------+-----------------+----------+----------------+
|ARX            |6.2.0 - 6.4.0   |None             |Low       |OpenSSL         |
+---------------+----------------+-----------------+----------+----------------+
|Enterprise     |                |                 |          |Apache          |
|Manager        |3.1.1           |None             |Medium    |OpenSSH         |
|               |                |                 |          |Big3d           |
+---------------+----------------+-----------------+----------+----------------+
|FirePass       |7.0.0           |None             |Low       |OpenSSL         |
+---------------+----------------+-----------------+----------+----------------+
|               |                |                 |          |Webd            |
|BIG-IQ Cloud   |4.0.0 - 4.5.0   |None             |Medium    |OpenSSH         |
|               |                |                 |          |Big3d           |
+---------------+----------------+-----------------+----------+----------------+
|               |                |                 |          |Webd            |
|BIG-IQ Device  |4.2.0 - 4.5.0   |None             |Medium    |OpenSSH         |
|               |                |                 |          |Big3d           |
+---------------+----------------+-----------------+----------+----------------+
|               |                |                 |          |Webd            |
|BIG-IQ Security|4.0.0 - 4.5.0   |None             |Medium    |OpenSSH         |
|               |                |                 |          |Big3d           |
+---------------+----------------+-----------------+----------+----------------+
|               |                |                 |          |Webd            |
|BIG-IQ ADC     |4.5.0           |None             |Medium    |OpenSSH         |
|               |                |                 |          |Big3d           |
+---------------+----------------+-----------------+----------+----------------+
|               |5.0.0 - 5.3.0   |None             |Medium    |Webd            |
|               |4.6.0           |                 |          |                |
|BIG-IQ         +----------------+-----------------+----------+----------------+
|Centralized    |5.0.0 - 5.3.0   |None             |Medium    |OpenSSH         |
|Management     |4.6.0           |                 |          |                |
|               +----------------+-----------------+----------+----------------+
|               |5.0.0 - 5.1.0   |5.2.0 - 5.3.0    |Medium    |Big3d           |
|               |4.6.0           |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+
|BIG-IQ Cloud   |                |                 |          |Webd            |
|and            |1.0.0           |None             |Medium    |OpenSSH         |
|Orchestration  |                |                 |          |Big3d           |
+---------------+----------------+-----------------+----------+----------------+
|               |                |                 |          |Apache          |
|F5 iWorkflow   |2.0.0           |None             |Medium    |OpenSSH         |
|               |                |                 |          |Big3d           |
+---------------+----------------+-----------------+----------+----------------+
|LineRate       |2.5.0 - 2.6.1   |None             |Low       |SSL/TLS         |
+---------------+----------------+-----------------+----------+----------------+
|Traffix SDC    |5.0.0           |None             |Low       |OpenSSL         |
|               |4.0.0 - 4.4.0   |                 |          |                |
+---------------+----------------+-----------------+----------+----------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow
systems.

Mitigation

The following mitigation options are available for the BIG-IP system:

SSL profiles

You can mitigate this issue for the SSL profiles by disabling 3DES (DES-CBC3)
ciphers for the affected profile. For information about configuring the cipher
strength for the SSL profiles, refer to K17370: Configuring the cipher strength
for SSL profiles (12.x - 13.x).

Important: The following mitigation will not work for BIG-IP 13.0.0 due to an
issue being tracked by F5 Product Development as ID 649369. For assistance
mitigating this issue for BIG-IP 13.0.0, please contact F5 Technical Support and
reference this article and ID 649369.

You can disable 3DES in SSL profile ciphers by adding !3DES or -3DES to the
current cipher string in the Ciphers field.

Note: When you use the ! symbol preceding a cipher, the SSL profile permanently
removes the cipher from the cipher list, even if the cipher is explicitly
stated later in the cipher string. When you use the - symbol preceding a
cipher, the SSL profile removes the cipher from the cipher list, but the cipher
can be added back to the cipher list if there are later options that allow it.

For example, if the current cipher string is DEFAULT, the updated cipher string
becomes DEFAULT:!3DES.

Some TLS rating sites treat the ability to negotiate 3DES with TLS 1.2
differently than they treat 3DES availability with TLS 1.0 or TLS 1.1. The
rationale behind this logic is that legacy clients are not expected to
negotiate TLS 1.2 and thus there is no reason for a TLS server to offer 3DES
with TLS 1.2. If you want to enable 3DES with TLS 1.0 and TLS 1.1 only, but not
TLS 1.2, you can use the following cipher string:

-3DES:TLSv1_1+3DES:TLSv1+3DES

For example, if the current cipher string is DEFAULT, the updated cipher string
becomes DEFAULT:-3DES:TLSv1_1+3DES:TLSv1+3DES.
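As an added illustration (not part of the F5 article), the following Python models the `!` versus `-` semantics and the protocol-qualified `TLSv1_1+3DES` keywords described above, using a constructed six-entry cipher table that stands in for the BIG-IP cipher list:

```python
# Constructed toy cipher table, not BIG-IP's real list: each suite is listed
# once per protocol version it can be negotiated under, with the attribute
# tags that the keywords in the advisory refer to.
TOY_CIPHERS = [
    ("AES128-SHA",   "TLSv1_2", {"AES"}),
    ("AES128-SHA",   "TLSv1_1", {"AES"}),
    ("AES128-SHA",   "TLSv1",   {"AES"}),
    ("DES-CBC3-SHA", "TLSv1_2", {"3DES"}),
    ("DES-CBC3-SHA", "TLSv1_1", {"3DES"}),
    ("DES-CBC3-SHA", "TLSv1",   {"3DES"}),
]

def _matches(entry, keyword):
    """A '+'-joined keyword matches when every term is the entry's protocol or a tag."""
    _, proto, tags = entry
    return all(term == proto or term in tags for term in keyword.split("+"))

def resolve(cipher_string, table=TOY_CIPHERS):
    """Return the (suite, protocol) pairs a cipher string selects.

    Modelled rules from the advisory: DEFAULT selects the whole table; '!'
    removes matches and bans them for the rest of the string; '-' removes
    matches but a later keyword may add them back; a bare keyword appends.
    """
    selected, banned = [], set()
    for keyword in cipher_string.split(":"):
        if not keyword:
            continue
        op = keyword[0] if keyword[0] in "!-" else "+"
        name = keyword.lstrip("!-")
        hits = table if name == "DEFAULT" else [e for e in table if _matches(e, name)]
        keys = {(s, p) for s, p, _ in hits}
        if op in "!-":
            selected = [e for e in selected if (e[0], e[1]) not in keys]
            if op == "!":
                banned |= keys
        else:
            have = {(s, p) for s, p, _ in selected}
            selected += [e for e in hits
                         if (e[0], e[1]) not in have and (e[0], e[1]) not in banned]
    return sorted((s, p) for s, p, _ in selected)

def protocols_offering(cipher_string, tag, table=TOY_CIPHERS):
    """Protocol versions under which a suite carrying `tag` is still offered."""
    chosen = set(resolve(cipher_string, table))
    return sorted({p for s, p, tags in table if tag in tags and (s, p) in chosen})

if __name__ == "__main__":
    for cs in ("DEFAULT", "DEFAULT:!3DES", "DEFAULT:!3DES:3DES",
               "DEFAULT:-3DES:3DES", "DEFAULT:-3DES:TLSv1_1+3DES:TLSv1+3DES"):
        print(f"{cs:42} 3DES offered under: {protocols_offering(cs, '3DES')}")
```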

Beginning in 12.1.2 HF1, the BIG-IP system implements the TLS session data limit
for 3DES, which makes the use of 3DES secure on the BIG-IP system with respect
to the Sweet32 attack. Unfortunately, SSL rating sites cannot easily detect the
presence of this fix. Auditing this fix requires sending more than 1 GB of data
in a single TLS session.

For earlier versions of BIG-IP systems without the data limit fix, you should
take the following alternative steps when 3DES is enabled. You do not need to
take these steps if only modern block ciphers, such as AES or Camellia, are
enabled.

Alternatively, if disabling 3DES ciphers is not possible and you are running a
version earlier than 12.1.2 HF1, you can modify the SSL profile and set the
Renegotiation Size setting to 1 GB. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a
negative impact on your system.

 1. Log in to the TMOS Shell (tmsh) by typing the following command:

    tmsh

 2. Change the renegotiation size to 1 GB for the profile using the following
    command syntax:

    modify /ltm profile client-ssl <profile_name> renegotiate-size 1000

    For example, the following command changes the renegotiation size to 1 GB
    for the SSL profile named MyClientSSL:

    modify /ltm profile client-ssl MyClientSSL renegotiate-size 1000

 3. Save the changes by typing the following command:

    save /sys config

Authentication profiles (tamd)

To mitigate this issue, disable 3DES on the server side to prevent negotiation
of the vulnerable cipher.

Configuration utility

To mitigate this vulnerability for the Configuration utility, you should permit
management access to F5 products only over a secure network. For more
information, refer to K13092: Overview of securing access to the BIG-IP system.

BIG-IP APM - Oracle Access Manager

To mitigate this vulnerability for Oracle Access Manager (OAM), you should
monitor traffic patterns between the BIG-IP system and back-end OAM systems for
traffic anomalies, or force rekeying at an appropriate interval on your
application server.

IPsec

To mitigate this vulnerability for IPsec, in your IPsec policy, you should use
AES ciphers, or if you cannot use AES ciphers, configure the KBLifetime
to 1048576 KB (1 GB) or less.
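The 1 GB renegotiation size, the 12.1.2 HF1 data limit and the 1048576 KB IPsec KBLifetime all follow from the birthday bound on 64-bit blocks; this added Python (not from the F5 article) works the numbers for 3DES and AES, with 1e-3 as an assumed acceptable per-key collision probability:

```python
from math import expm1, log1p, sqrt

GIB = 2 ** 30   # 1048576 KB, the IPsec KBLifetime recommended above
MIB = 2 ** 20   # unit of the tmsh renegotiate-size setting (1000 MB above)

def collision_probability(bytes_sent, block_bytes):
    """Birthday-bound probability that two CBC ciphertext blocks collide after
    encrypting bytes_sent bytes under one key:
        p = 1 - exp(-n^2 / (2 * 2^b)),  n = blocks sent, b = block bits.
    expm1 keeps precision when p is tiny (the AES case)."""
    n = bytes_sent // block_bytes
    space = 2 ** (8 * block_bytes)
    return -expm1(-(n * n) / (2.0 * space))

def bytes_for_probability(p, block_bytes):
    """Largest amount of data (bytes) per key that keeps the collision
    probability at or below p (inverse of collision_probability)."""
    space = 2 ** (8 * block_bytes)
    n = sqrt(-2.0 * space * log1p(-p))
    return int(n) * block_bytes

def rekey_keeps_sweet32_margin(renegotiate_size_mb, block_bytes=8, p_max=1e-3):
    """True if rekeying every renegotiate_size_mb MB keeps a 64-bit-block
    cipher's per-key collision probability under p_max (assumed threshold)."""
    return collision_probability(renegotiate_size_mb * MIB, block_bytes) <= p_max

if __name__ == "__main__":
    cases = (("32 GiB (~4 billion 3DES blocks)", 32 * GIB),
             ("1000 MB renegotiate-size", 1000 * MIB),
             ("1048576 KB KBLifetime", GIB))
    for label, nbytes in cases:
        p3des, paes = collision_probability(nbytes, 8), collision_probability(nbytes, 16)
        print(f"{label:34} 3DES p={p3des:.2e}   AES p={paes:.2e}")
```

The 32 GiB row reproduces the roughly 39% collision chance behind the "four billion blocks" figure, while both 1 GB limits keep 3DES below 0.05% per key and AES is negligible at any realistic volume.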

BIG-IQ

To mitigate this vulnerability for the big3d component of BIG-IQ, perform the
following procedure:

Impact of procedure: BIG-IQ does not use the big3d component and F5 product
development has removed it starting in BIG-IQ 5.2.0. Performing the following
procedure should not have a negative impact on your system.

 1. Log in to tmsh by typing the following command:

    tmsh

 2. Disable the big3d component, which stops the service and prevents it from
    starting on subsequent reboots, by typing the following command:

    modify /sys service big3d disable

Supplemental Information

  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K167: Downloading software and firmware from F5
  o K13123: Managing BIG-IP product hotfixes (11.x - 13.x)
  o K9502: BIG-IP hotfix matrix
  o K15106: Managing BIG-IQ product hotfixes
  o K15113: BIG-IQ hotfix matrix
  o K10322: FirePass hotfix matrix
  o K12766: ARX hotfix matrix

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================