ESB-2018.1014 - [Appliance] F5 BIG-IP Products: Access privileged data - Remote/unauthenticated 2018-04-05
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1014
                 K14638:TLS/SSL RC4 vulnerability CVE-2013-2566
                                5 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2566
Reference:         ASB-2017.0047 ASB-2016.0074 ESB-2016.2258 ESB-2015.1576

Original Bulletin:
   https://support.f5.com/csp/article/K14638

--------------------------BEGIN INCLUDED TEXT--------------------

K14638:TLS/SSL RC4 vulnerability CVE-2013-2566

Security Advisory

Original Publication Date: 28 Aug, 2013
Latest Publication Date: 04 Apr, 2018

Security Advisory Description

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many
single-byte biases, which makes it easier for remote attackers to conduct
plaintext-recovery attacks via statistical analysis of ciphertext in a large
number of sessions that use the same plaintext. (CVE-2013-2566)

Impact

Remote attackers may be able to conduct plaintext-recovery attacks using
statistical analysis of ciphertext.

Security Advisory Status

F5 Product Development has assigned ID 430947 (BIG-IP and FirePass) to this
vulnerability. Additionally, BIG-IP iHealth may list Heuristic H478228 on the
Diagnostics > Identified > Medium page.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table.
+--------------+-------------------+---------------------+-------------------+
|              |Versions known to  |Versions known to be |Vulnerable         |
|Product       |be vulnerable      |not vulnerable       |component or       |
|              |                   |                     |feature            |
+--------------+-------------------+---------------------+-------------------+
|              |11.0.0 - 11.5.5    |13.0.0 - 13.1.0*     |Configuration      |
|BIG-IP LTM    |10.0.0 - 10.2.4    |12.0.0 - 12.1.3*     |utility            |
|              |9.0.0 - 9.6.1      |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |                   |13.0.0 - 13.1.0*     |Configuration      |
|BIG-IP AAM    |11.4.0 - 11.5.5    |12.0.0 - 12.1.3*     |utility            |
|              |                   |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |                   |13.0.0 - 13.1.0*     |Configuration      |
|BIG-IP AFM    |11.3.0 - 11.5.5    |12.0.0 - 12.1.3*     |utility            |
|              |                   |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|BIG-IP        |                   |13.0.0 - 13.1.0*     |Configuration      |
|Analytics     |11.0.0 - 11.5.5    |12.0.0 - 12.1.3*     |utility            |
|              |                   |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |11.0.0 - 11.5.5    |13.0.0 - 13.1.0*     |Configuration      |
|BIG-IP APM    |10.1.0 - 10.2.4    |12.0.0 - 12.1.3*     |utility            |
|              |                   |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |11.0.0 - 11.5.5    |13.0.0 - 13.1.0*     |Configuration      |
|BIG-IP ASM    |10.0.0 - 10.2.4    |12.0.0 - 12.1.3*     |utility            |
|              |9.2.0 - 9.4.8      |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|BIG-IP DNS    |None               |13.0.0 - 13.1.0*     |None               |
|              |                   |12.0.0 - 12.1.3*     |                   |
+--------------+-------------------+---------------------+-------------------+
|BIG-IP Edge   |11.0.0 - 11.3.0    |                     |Configuration      |
|Gateway       |10.1.0 - 10.2.4    |None                 |utility            |
|              |                   |                     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |11.0.0 - 11.5.5    |                     |Configuration      |
|BIG-IP GTM    |10.0.0 - 10.2.4    |11.6.0 - 11.6.3*     |utility            |
|              |9.2.2 - 9.4.8      |                     |                   |
+--------------+-------------------+---------------------+-------------------+
|BIG-IP Link   |11.0.0 - 11.5.5    |13.0.0 - 13.1.0*     |Configuration      |
|Controller    |10.0.0 - 10.2.4    |12.0.0 - 12.1.3*     |utility            |
|              |9.2.2 - 9.4.8      |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |                   |13.0.0 - 13.1.0*     |Configuration      |
|BIG-IP PEM    |11.3.0 - 11.5.5    |12.0.0 - 12.1.3*     |utility            |
|              |                   |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |11.0.0 - 11.4.1    |                     |Configuration      |
|BIG-IP PSM    |10.0.0 - 10.2.4    |None                 |utility            |
|              |9.4.5 - 9.4.8      |                     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|BIG-IP        |11.0.0 - 11.3.0    |                     |Configuration      |
|WebAccelerator|10.0.0 - 10.2.4    |None                 |utility            |
|              |9.4.0 - 9.4.8      |                     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |11.0.0 - 11.3.0    |                     |Configuration      |
|BIG-IP WOM    |10.0.0 - 10.2.4    |None                 |utility            |
|              |                   |                     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |6.0.0 - 6.4.0      |                     |ARX Manager GUI    |
|ARX           |5.0.0 - 5.3.1      |None                 |API (disabled by   |
|              |                   |                     |default)           |
+--------------+-------------------+---------------------+-------------------+
|Enterprise    |3.0.0 - 3.1.1      |                     |Configuration      |
|Manager       |2.0.0 - 2.3.0      |None                 |utility            |
|              |1.6.0 - 1.8.0      |                     |                   |
+--------------+-------------------+---------------------+-------------------+
|              |7.0.0              |                     |Administrative     |
|FirePass      |6.0.0 - 6.1.0      |None**               |interface          |
|              |                   |                     |WebServices        |
+--------------+-------------------+---------------------+-------------------+
|BIG-IQ Cloud  |4.0.0 - 4.5.0      |None                 |Configuration      |
|              |                   |                     |utility            |
+--------------+-------------------+---------------------+-------------------+
|BIG-IQ        |4.0.0 - 4.5.0      |None                 |Configuration      |
|Security      |                   |                     |utility            |
+--------------+-------------------+---------------------+-------------------+
|BIG-IQ Device |4.2.0 - 4.5.0      |None                 |Configuration      |
|              |                   |                     |utility            |
+--------------+-------------------+---------------------+-------------------+
|BIG-IQ ADC    |4.5.0              |None                 |Configuration      |
|              |                   |                     |utility            |
+--------------+-------------------+---------------------+-------------------+

* Beginning in BIG-IP 11.6.0 and 12.0.0, the RC4 cipher suite is removed from
the DEFAULT cipher suite. If you manually add the RC4 cipher suite to the
cipher suite you use for SSL virtual servers or the Configuration utility,
then BIG-IP 11.6.0 or later will be vulnerable.

** See the FirePass section of the Security Advisory Recommended Actions
section.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

This TLS/Secure Sockets Layer (SSL) vulnerability constitutes an inherent flaw
in the RC4 cipher. While it is possible to mitigate this vulnerability by
disabling the RC4 cipher for the vulnerable component/feature, administrators
were advised to use the RC4 cipher to mitigate other vulnerabilities, such as
the BEAST and Lucky 13 attacks.

For instructions to disable ciphers on SSL profiles, refer to K13171:
Configuring the cipher strength for SSL profiles (11.x) or K7815: Configuring
the cipher strength for SSL profiles (9.x - 10.x), depending on your version.
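The "single-byte biases" named in the advisory description can be measured directly. The following Python example is added here and is not part of the F5 or AusCERT text: it implements plain RC4 and, over many random keys, counts how often the second keystream byte is 0x00. An unbiased keystream would give about 1/256; RC4 gives about 1/128 (the Mantin-Shamir second-byte bias), which is exactly the kind of statistical regularity that, accumulated across many sessions encrypting the same plaintext, lets ciphertext alone leak plaintext. A later keystream position is included as a control; the key length, seed and trial count are this example's own choices.

```python
import random

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns the first n keystream bytes."""
    # Key-scheduling algorithm: permute S under the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: emit keystream bytes
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def zero_byte_rates(trials: int, positions=(1, 49), key_len: int = 16, seed: int = 1) -> dict:
    """For each 0-based keystream position, the fraction of random keys whose
    keystream byte at that position is 0x00. An unbiased stream gives ~1/256
    everywhere; RC4 gives ~1/128 at position 1 (the second output byte)."""
    rng = random.Random(seed)  # fixed seed so the experiment is reproducible
    n = max(positions) + 1
    zeros = {p: 0 for p in positions}
    for _ in range(trials):
        # Constructed random key, standing in for a fresh per-session key
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        ks = rc4_keystream(key, n)
        for p in positions:
            if ks[p] == 0:
                zeros[p] += 1
    return {p: zeros[p] / trials for p in positions}

if __name__ == "__main__":
    rates = zero_byte_rates(20000)
    print(f"second byte zero rate: {rates[1]:.4f} (biased target 1/128 = {1/128:.4f})")
    print(f"50th byte zero rate:   {rates[49]:.4f} (unbiased 1/256 = {1/256:.4f})")
```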
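Because the table footnote makes 11.6.0 and later vulnerable again only when RC4 is manually added to the cipher string, the practical check after applying K13171/K7815 is to expand the profile's cipher string and confirm that no RC4 suite survives. The following Python example is added here and is not F5's code: it models the OpenSSL-style cipher-string operators (plain keyword adds, "-" removes, "!" removes permanently, "+" moves to the end) that BIG-IP SSL profiles are assumed to accept, over a constructed, abbreviated suite table; the real per-version DEFAULT list is in K13156/K10262 and should replace the table for a production check.

```python
# Constructed, abbreviated suite table: suite name -> keyword groups that
# an OpenSSL-style cipher string can reference. Not F5's real DEFAULT list.
SUITES = {
    "ECDHE-RSA-AES128-GCM-SHA256": {"DEFAULT", "ECDHE", "AES", "AESGCM", "HIGH"},
    "ECDHE-RSA-AES256-SHA":        {"DEFAULT", "ECDHE", "AES", "HIGH"},
    "AES128-SHA":                  {"DEFAULT", "RSA", "AES", "HIGH"},
    "DES-CBC3-SHA":                {"DEFAULT", "RSA", "3DES", "MEDIUM"},
    "RC4-SHA":                     {"RSA", "RC4", "MEDIUM"},
    "RC4-MD5":                     {"RSA", "RC4", "MD5", "MEDIUM"},
}

def expand_cipher_string(spec: str) -> list:
    """Expand a cipher string into the ordered list of enabled suites.
    Simplified OpenSSL semantics: a bare keyword or suite name appends its
    matches; '-' removes matches (they may be re-added later); '!' removes
    them permanently; '+' moves matches to the end; 'ALL' matches every
    suite. Compound tokens such as RC4+RSA and @STRENGTH are not modelled."""
    enabled, killed = [], set()
    for token in spec.split(":"):
        token = token.strip()
        if not token:
            continue
        op, name = (token[0], token[1:]) if token[0] in "-!+" else ("", token)
        matches = [s for s, tags in SUITES.items()
                   if name == "ALL" or name == s or name in tags]
        if op == "!":
            killed.update(matches)
            enabled = [s for s in enabled if s not in killed]
        elif op == "-":
            enabled = [s for s in enabled if s not in matches]
        elif op == "+":
            moved = [s for s in enabled if s in matches]
            enabled = [s for s in enabled if s not in matches] + moved
        else:
            enabled += [s for s in matches
                        if s not in enabled and s not in killed]
    return enabled

def rc4_suites(spec: str) -> list:
    """RC4 suites a cipher string would leave enabled; empty means mitigated."""
    return [s for s in expand_cipher_string(spec) if "RC4" in SUITES[s]]

if __name__ == "__main__":
    for spec in ("DEFAULT", "DEFAULT:RC4-SHA", "DEFAULT:RC4:!RC4", "ALL:!RC4"):
        print(f"{spec:20s} -> RC4 enabled: {rc4_suites(spec)}")
```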
For instructions to disable ciphers in the Configuration utility, refer to
K13405: Restricting Configuration utility access to clients using high
encryption SSL ciphers or K6768: Restricting Configuration utility access to
clients using high encryption SSL ciphers (9.x - 10.x), depending on your
version. You can also mitigate this Configuration utility vulnerability by
permitting access to the system only over a secure network.

For more information about the various TLS protocol level attacks and F5
recommendations for mitigating the attacks, refer to the Which TLS algorithm
should I use DevCentral article.

Note: A separate DevCentral login is required to access this content.

To mitigate this vulnerability for the Configuration utility, you should
permit access only over a secure network.

FirePass

For information about the hotfix status, contact F5 Technical Support.

ARX

To mitigate this vulnerability, you should permit access to the ARX GUI only
over a secure network. Additionally, you should not enable the API
functionality.

Supplemental Information

o K8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profiles
o K4602: Overview of the F5 security vulnerability response policy
o K13163: SSL ciphers supported on BIG-IP platforms (11.x - 13.x)
o K11444: SSL ciphers supported on BIG-IP platforms (10.x)
o K13156: SSL ciphers used in the default SSL profiles (11.x - 13.x)
o K10262: SSL ciphers used in the default SSL profiles (10.x)
o K9677: BIG-IP LTM compliance with standard FIPS-197
o K9970: Subscribing to email notifications regarding F5 products

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.