ESB-2018.1014 - [Appliance] F5 BIG-IP Products: Access privileged data - Remote/unauthenticated 2018-04-05


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1014
              K14638: TLS/SSL RC4 vulnerability CVE-2013-2566
                               5 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2566  

Reference:         ASB-2017.0047
                   ASB-2016.0074
                   ESB-2016.2258
                   ESB-2015.1576

Original Bulletin: 
   https://support.f5.com/csp/article/K14638

- --------------------------BEGIN INCLUDED TEXT--------------------

K14638: TLS/SSL RC4 vulnerability CVE-2013-2566

Security Advisory

Original Publication Date: 28 Aug, 2013

Latest Publication Date: 04 Apr, 2018

Security Advisory Description

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many
single-byte biases, which makes it easier for remote attackers to conduct
plaintext-recovery attacks via statistical analysis of ciphertext in a large
number of sessions that use the same plaintext. (CVE-2013-2566)

Impact

Remote attackers who can observe a large number of TLS/SSL sessions that
encrypt the same plaintext under RC4 (for example, an HTTP session cookie or
an Authorization header that the client sends on every request) may recover
that plaintext by statistical analysis of the ciphertext alone. The attack
needs no knowledge of the key and cannot be fixed within RC4 itself; the only
remedy is to stop negotiating RC4 cipher suites.


Security Advisory Status

F5 Product Development has assigned ID 430947 (BIG-IP and FirePass) to this
vulnerability. Additionally, BIG-IP iHealth may list Heuristic H478228 on the
Diagnostics > Identified > Medium page.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table.

+--------------+-------------------+---------------------+-------------------+
|              |Versions known to  |Versions known to be |Vulnerable         |
|Product       |be vulnerable      |not vulnerable       |component or       |
|              |                   |                     |feature            |
+--------------+-------------------+---------------------+-------------------+
|              |11.0.0 - 11.5.5    |13.0.0 - 13.1.0*     |Configuration      |
|BIG-IP LTM    |10.0.0 - 10.2.4    |12.0.0 - 12.1.3*     |utility            |
|              |9.0.0 - 9.6.1      |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |                   |13.0.0 - 13.1.0*     |Configuration      |
|BIG-IP AAM    |11.4.0 - 11.5.5    |12.0.0 - 12.1.3*     |utility            |
|              |                   |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |                   |13.0.0 - 13.1.0*     |Configuration      |
|BIG-IP AFM    |11.3.0 - 11.5.5    |12.0.0 - 12.1.3*     |utility            |
|              |                   |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|BIG-IP        |                   |13.0.0 - 13.1.0*     |Configuration      |
|Analytics     |11.0.0 - 11.5.5    |12.0.0 - 12.1.3*     |utility            |
|              |                   |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |11.0.0 - 11.5.5    |13.0.0 - 13.1.0*     |Configuration      |
|BIG-IP APM    |10.1.0 - 10.2.4    |12.0.0 - 12.1.3*     |utility            |
|              |                   |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |11.0.0 - 11.5.5    |13.0.0 - 13.1.0*     |Configuration      |
|BIG-IP ASM    |10.0.0 - 10.2.4    |12.0.0 - 12.1.3*     |utility            |
|              |9.2.0 - 9.4.8      |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|BIG-IP DNS    |None               |13.0.0 - 13.1.0*     |None               |
|              |                   |12.0.0 - 12.1.3*     |                   |
+--------------+-------------------+---------------------+-------------------+
|BIG-IP Edge   |11.0.0 - 11.3.0    |                     |Configuration      |
|Gateway       |10.1.0 - 10.2.4    |None                 |utility            |
|              |                   |                     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |11.0.0 - 11.5.5    |                     |Configuration      |
|BIG-IP GTM    |10.0.0 - 10.2.4    |11.6.0 - 11.6.3*     |utility            |
|              |9.2.2 - 9.4.8      |                     |                   |
+--------------+-------------------+---------------------+-------------------+
|BIG-IP Link   |11.0.0 - 11.5.5    |13.0.0 - 13.1.0*     |Configuration      |
|Controller    |10.0.0 - 10.2.4    |12.0.0 - 12.1.3*     |utility            |
|              |9.2.2 - 9.4.8      |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |                   |13.0.0 - 13.1.0*     |Configuration      |
|BIG-IP PEM    |11.3.0 - 11.5.5    |12.0.0 - 12.1.3*     |utility            |
|              |                   |11.6.0 - 11.6.3*     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |11.0.0 - 11.4.1    |                     |Configuration      |
|BIG-IP PSM    |10.0.0 - 10.2.4    |None                 |utility            |
|              |9.4.5 - 9.4.8      |                     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|BIG-IP        |11.0.0 - 11.3.0    |                     |Configuration      |
|WebAccelerator|10.0.0 - 10.2.4    |None                 |utility            |
|              |9.4.0 - 9.4.8      |                     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |11.0.0 - 11.3.0    |                     |Configuration      |
|BIG-IP WOM    |10.0.0 - 10.2.4    |None                 |utility            |
|              |                   |                     |SSL virtual servers|
+--------------+-------------------+---------------------+-------------------+
|              |6.0.0 - 6.4.0      |                     |ARX Manager GUI    |
|ARX           |5.0.0 - 5.3.1      |None                 |API (disabled by   |
|              |                   |                     |default)           |
+--------------+-------------------+---------------------+-------------------+
|Enterprise    |3.0.0 - 3.1.1      |                     |Configuration      |
|Manager       |2.0.0 - 2.3.0      |None                 |utility            |
|              |1.6.0 - 1.8.0      |                     |                   |
+--------------+-------------------+---------------------+-------------------+
|              |7.0.0              |                     |Administrative     |
|FirePass      |6.0.0 - 6.1.0      |None**               |interface          |
|              |                   |                     |WebServices        |
+--------------+-------------------+---------------------+-------------------+
|BIG-IQ Cloud  |4.0.0 - 4.5.0      |None                 |Configuration      |
|              |                   |                     |utility            |
+--------------+-------------------+---------------------+-------------------+
|BIG-IQ        |4.0.0 - 4.5.0      |None                 |Configuration      |
|Security      |                   |                     |utility            |
+--------------+-------------------+---------------------+-------------------+
|BIG-IQ Device |4.2.0 - 4.5.0      |None                 |Configuration      |
|              |                   |                     |utility            |
+--------------+-------------------+---------------------+-------------------+
|BIG-IQ ADC    |4.5.0              |None                 |Configuration      |
|              |                   |                     |utility            |
+--------------+-------------------+---------------------+-------------------+

* Beginning in BIG-IP 11.6.0 and 12.0.0, the RC4 cipher suites are removed
from the DEFAULT cipher string. If you manually add an RC4 cipher suite to the
cipher string used by SSL virtual servers or the Configuration utility, then
BIG-IP 11.6.0 or later is again vulnerable, so the fixed versions in the table
only hold for configurations that leave RC4 out of the cipher string.

** See the FirePass section of the Security Advisory Recommended Actions
section.


Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable 
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

This TLS/Secure Sockets Layer (SSL) vulnerability constitutes an inherent flaw
in the RC4 cipher, so it cannot be patched in the cipher implementation; it is
mitigated by disabling the RC4 cipher for the vulnerable component/feature.
Note that at the time this advisory was first published, administrators had
been advised to prefer RC4 in order to mitigate attacks on CBC-mode cipher
suites, such as the BEAST and Lucky 13 attacks. Those attacks are addressed in
current releases by negotiating TLS 1.1 or later and preferring AES-GCM (AEAD)
cipher suites, and RC4 has since been prohibited for use in TLS by RFC 7465,
so disabling RC4 no longer involves a trade-off.

For instructions to disable ciphers on SSL profiles, refer to K13171:
Configuring the cipher strength for SSL profiles (11.x) or K7815: Configuring
the cipher strength for SSL profiles (9.x - 10.x), depending on your version.

For instructions to disable ciphers in the Configuration utility, refer to
K13405: Restricting Configuration utility access to clients using high
encryption SSL ciphers or K6768: Restricting Configuration utility access to
clients using high encryption SSL ciphers (9.x - 10.x), depending on your
version. You can also mitigate this Configuration utility vulnerability by
permitting access to the system only over a secure network.

For more information about the various TLS protocol level attacks and F5
recommendations for mitigating the attacks, refer to the Which TLS algorithm
should I use DevCentral article.

Note: A separate DevCentral login is required to access this content.

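The footnote to the version table and the actions above both come down to one
check: does a given virtual server or Configuration utility port still accept
an RC4 cipher suite after the cipher string has been changed? The following
probe, added here as an example and not F5's own tooling, answers that from
the outside. It sends a ClientHello that offers only RC4 suites and classifies
the first record the server returns: a ServerHello means the server accepted
RC4 and the configuration is still vulnerable, a handshake_failure alert means
RC4 is disabled. The list of suite values, the hypothetical host name
vip.example.test and the constructed sample replies are assumptions of the
example, not taken from the advisory.

```python
"""Probe whether a TLS endpoint will still negotiate an RC4 cipher suite.

Added example for this bulletin, not F5's own code. It sends a ClientHello
that offers ONLY RC4 suites and classifies the first record the server
returns: a ServerHello means RC4 was accepted (CVE-2013-2566 applies), a
handshake_failure alert means it was refused.
"""
import os
import socket
import struct

# IANA values of the RC4 suites most commonly enabled on TLS servers.
# Assumption: this short list is enough for a BIG-IP audit; extend if needed.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

RECORD_ALERT, RECORD_HANDSHAKE = 0x15, 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
ALERT_HANDSHAKE_FAILURE, ALERT_PROTOCOL_VERSION = 40, 70


def build_client_hello(suites=tuple(RC4_SUITES), version=(3, 1)):
    """Return one TLS record carrying a ClientHello that offers only `suites`.

    version (3, 1) is TLS 1.0; pass (3, 3) for TLS 1.2 if the server rejects
    older versions. No extensions are sent; none are needed for RC4 suites.
    """
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body = (
        bytes(version)                                    # client_version
        + os.urandom(32)                                  # client random
        + b"\x00"                                         # empty session id
        + struct.pack(">H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                     # compression: null only
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + bytes(version)
            + struct.pack(">H", len(handshake)) + handshake)


def parse_server_response(data):
    """Classify the first TLS record in `data`. Returns (rc4_accepted, detail)."""
    if len(data) < 5:
        return False, "no TLS record in response"
    rec_type = data[0]
    length = struct.unpack(">H", data[3:5])[0]
    payload = data[5:5 + length]
    if rec_type == RECORD_ALERT and len(payload) >= 2:
        level, desc = payload[0], payload[1]
        if desc == ALERT_PROTOCOL_VERSION:
            return False, "server rejected the TLS version, not the cipher; retry with version=(3, 3)"
        kind = "handshake_failure" if desc == ALERT_HANDSHAKE_FAILURE else "other"
        return False, f"alert level={level} description={desc} ({kind})"
    if rec_type == RECORD_HANDSHAKE and payload and payload[0] == SERVER_HELLO:
        # ServerHello body: version(2) random(32) sid_len(1) sid cipher_suite(2)
        sid_len = payload[4 + 2 + 32]
        off = 4 + 2 + 32 + 1 + sid_len
        suite = struct.unpack(">H", payload[off:off + 2])[0]
        name = RC4_SUITES.get(suite)
        if name:
            return True, f"server chose {name} (0x{suite:04x}): RC4 still enabled"
        return False, f"server chose a non-RC4 suite 0x{suite:04x}"
    return False, f"unexpected record type 0x{rec_type:02x}"


def probe(host, port=443, version=(3, 1), timeout=5.0):
    """Connect to host:port, send the RC4-only ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version=version))
        reply = sock.recv(4096)
    return parse_server_response(reply)


def make_server_hello(suite, version=(3, 1)):
    """Constructed sample reply (not captured traffic) for offline checking."""
    body = bytes(version) + bytes(32) + b"\x00" + struct.pack(">H", suite) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + bytes(version)
            + struct.pack(">H", len(handshake)) + handshake)


if __name__ == "__main__":
    # Offline demonstration against constructed replies.
    print(parse_server_response(make_server_hello(0x0005)))   # RC4 accepted
    print(parse_server_response(make_server_hello(0x002F)))   # AES-128-CBC chosen
    print(parse_server_response(b"\x15\x03\x01\x00\x02\x02\x28"))  # handshake_failure
    # Live check of a hypothetical virtual server:
    # print(probe("vip.example.test", 443))
```

Run probe() against each SSL virtual server and against the management
address on port 443 before and after changing the cipher string; a result of
True on any of them means RC4 is still being negotiated regardless of the
software version shown in the table. A protocol_version alert (description 70)
means the server refused the offered TLS version rather than the cipher, so
repeat with version=(3, 3). On the device itself, the tmm --clientciphers
command described in K13163 expands a cipher string to the suites it actually
enables, which is the quickest way to confirm that a profile's string contains
no RC4 entries and that an appended !RC4 removes them.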

FirePass

For information about the hotfix status, contact F5 Technical Support.

ARX

To mitigate this vulnerability, you should permit access to the ARX GUI only
over a secure network. Additionally, you should not enable the API
functionality.


Supplemental Information

  o K8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profiles
  o K4602: Overview of the F5 security vulnerability response policy
  o K13163: SSL ciphers supported on BIG-IP platforms (11.x - 13.x)
  o K11444: SSL ciphers supported on BIG-IP platforms (10.x)
  o K13156: SSL ciphers used in the default SSL profiles (11.x - 13.x)
  o K10262: SSL ciphers used in the default SSL profiles (10.x)
  o K9677: BIG-IP LTM compliance with standard FIPS-197
  o K9970: Subscribing to email notifications regarding F5 products

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
