ESB-2018.1943.3 - UPDATE [Appliance] F5 products: Access privileged data - Existing account 2018-07-10


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.1943.3
          K51801290: RSRE Variant 3a vulnerability CVE-2018-3640
                               10 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP products
                   F5 Enterprise Manager
                   F5 BIG-IQ products
                   F5 iWorkflow
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Mitigation
CVE Names:         CVE-2018-3640  

Reference:         ASB-2018.0121
                   ESB-2018.1750
                   ESB-2018.1573
                   ESB-2018.1548.6

Original Bulletin: 
   https://support.f5.com/csp/article/K51801290

Revision History:  July 10 2018: Added Heuristic H51801290.
                   July  6 2018: Updated table of affected products.
                   July  4 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K51801290: RSRE Variant 3a vulnerability CVE-2018-3640

Security Advisory

Original Publication Date: Jul 04, 2018
Updated Date: Jul 06, 2018

Security Advisory Description

Systems with microprocessors utilizing speculative execution and that perform
speculative reads of system registers may allow unauthorized disclosure of
system parameters to an attacker with local user access via a side-channel
analysis, aka Rogue System Register Read (RSRE), Variant 3a. (CVE-2018-3640)

Impact

There is no exposure on BIG-IP products by way of the data plane. All exposure
is limited to the control plane, also known as the management plane. On the
control plane, the vulnerabilities are exploitable only by the following four
authorized, authenticated account roles: Administrator, Resource Administrator,
Manager, and iRules Manager. You must be authorized to access the system in one
of these roles to attempt to exploit the vulnerabilities.

This vulnerability requires an attacker who can provide and run binary code of
their choosing on the BIG-IP platform. As a result, these conditions severely
restrict the exposure risk of BIG-IP products.

For single-tenancy products, such as a standalone BIG-IP device, the risk is
limited to a local, authorized user employing one of the vulnerabilities to
read information from memory that they would not normally access, exceeding
their privileges. A user may be able to access kernel-space memory, instead of
their own user-space.

For multi-tenancy environments, such as cloud, Virtual Edition (VE), and
Virtual Clustered Multiprocessing (vCMP), the same local kernel memory access
risk applies as in single-tenancy environments. Additionally, there is a risk
of attacks across guests or against the hypervisor/host. In cloud
and VE environments, preventing these new attacks falls on the hypervisor/host
platform, which is outside the scope of F5's ability to support or patch.
Contact your cloud provider or hypervisor vendor to ensure their platforms or
products are protected against Spectre Variants.

For vCMP environments, while the Spectre Variant attacks offer a theoretical
possibility of guest-to-guest or guest-to-host attacks, they are difficult to
successfully conduct in the BIG-IP environment. The primary risk in the vCMP
environment with Spectre Variants only exists when vCMP guests are configured
to use a single core. If the vCMP guests are configured to use two or more
cores, the Spectre Variant vulnerabilities are eliminated.
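
The single-core condition described above can be audited on a vCMP host. The script below is an added example, not part of the F5 advisory or the AusCERT bulletin. It assumes guest definitions are printed in the stanza form produced by `tmsh list vcmp guest`, with a `cores-per-slot <n>` property, and that a value of 1 corresponds to a single-core guest; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag vCMP guests whose core allocation is below a minimum.
# Assumption: input is tmsh-style text, one "vcmp guest <name> { ... }"
# stanza per guest, with a "cores-per-slot <n>" line inside the stanza.

# Reads stanzas on stdin and prints "<guest> <cores>" for every guest whose
# cores-per-slot is lower than the minimum passed as $1 (default 2).
find_single_core_guests() {
    awk -v min="${1:-2}" '
        # Start of a guest stanza: remember the guest name.
        $1 == "vcmp" && $2 == "guest" && $NF == "{" { guest = $3; next }
        # Core allocation inside the current stanza.
        guest != "" && $1 == "cores-per-slot" {
            if ($2 + 0 < min) print guest, $2
        }
        # An unindented closing brace ends the current guest stanza.
        $0 == "}" { guest = "" }
    '
}

# Constructed sample input (not captured from a real device).
sample_config() {
    cat <<'EOF'
vcmp guest guest-dmz {
    allowed-slots { 1 }
    cores-per-slot 1
    hostname guest-dmz.example.test
    state deployed
}
vcmp guest guest-core {
    allowed-slots { 1 2 }
    cores-per-slot 2
    hostname guest-core.example.test
    state deployed
}
EOF
}

# On a vCMP host the input would come from: tmsh list vcmp guest
# The constructed sample is used here so the script runs offline.
sample_config | find_single_core_guests
```

Guests reported by the script are candidates for reallocation to two or more cores, which is the configuration the advisory describes as removing the vCMP exposure.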

F5 is working with its hardware component vendors to determine the scope of
vulnerabilities across its various generations of hardware platforms. All of
the current information from F5's vendors is represented in this security
advisory. F5 is working to obtain the remaining information from its vendors
and will update the security advisory as F5 receives new information regarding
its hardware platforms.

F5 is also testing the fixes produced by the Linux community, and is conducting
an extensive test campaign to characterize the impact of the fixes on system
performance and stability to ensure a good experience for its customers. F5
does not want to rush the process and release fixes without a full
understanding of potential issues. Given the limited exposure, the complexity
of the fixes, and the potential issues, a detailed approach is warranted;
rushing a fix could result in an impact to system stability or unacceptable
performance costs. F5 will update this article with fixes as they become
available.

Security Advisory Status

F5 Product Development has assigned ID 721501 (BIG-IP), ID 721951 (BIG-IQ), ID
345678 (Enterprise Manager), and ID 721955 (BIG-IQ) to this vulnerability.
Additionally, BIG-IP iHealth may list Heuristic H51801290 on the
Diagnostics > Identified > Low page.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases or hotfixes that
address the vulnerability, refer to the following table. For more information
about security advisory versioning, refer to K51812227: Understanding Security
Advisory versioning.

+-----------------------------------------------------------------------------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score |component |
|                   |      |be        |in        |          |      |or feature|
|                   |      |vulnerable|          |          |      |          |
|-------------------+------+----------+----------+----------+------+----------|
|BIG-IP (LTM, AAM,  |13.x  |13.0.0 -  |None      |          |      |          |
|AFM, Analytics,    |      |13.1.0    |          |          |      |          |
|APM, ASM, DNS, Edge|------+----------+----------|          |      |F5        |
|Gateway, FPS, GTM, |12.x  |12.1.0 -  |None      |Low       |2.8   |hardware  |
|Link Controller,   |      |12.1.3    |          |          |      |platforms |
|PEM,               |------+----------+----------|          |      |          |
|WebAccelerator)    |11.x  |11.2.1 -  |None      |          |      |          |
|                   |      |11.6.3    |          |          |      |          |
|-------------------+------+----------+----------+----------+------+----------|
|ARX                |6.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
|-------------------+------+----------+----------+----------+------+----------|
|                   |      |          |          |          |      |F5        |
|Enterprise Manager |3.x   |3.1.1     |None      |Low       |2.8   |hardware  |
|                   |      |          |          |          |      |platforms |
|-------------------+------+----------+----------+----------+------+----------|
|                   |6.x   |6.0.0     |None      |          |      |          |
|                   |------+----------+----------|          |      |F5        |
|BIG-IQ Centralized |5.x   |5.0.0 -   |None      |Low       |2.8   |hardware  |
|Management         |      |5.4.0     |          |          |      |platforms |
|                   |------+----------+----------|          |      |          |
|                   |4.x   |4.6.0     |None      |          |      |          |
|-------------------+------+----------+----------+----------+------+----------|
|BIG-IQ Cloud and   |      |          |          |          |      |F5        |
|Orchestration      |1.x   |1.0.0     |None      |Low       |2.8   |hardware  |
|                   |      |          |          |          |      |platforms |
|-------------------+------+----------+----------+----------+------+----------|
|                   |      |2.1.0 -   |          |          |      |F5        |
|F5 iWorkflow       |2.x   |2.3.0     |None      |Low       |2.8   |hardware  |
|                   |      |          |          |          |      |platforms |
|-------------------+------+----------+----------+----------+------+----------|
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|Not       |      |          |
|Traffix SDC        |------+----------+----------|vulnerable|None  |None      |
|                   |4.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-----------------------------------------------------------------------------+

Vulnerable platforms

Only one entry is shown in this table for platform models that may have several
variants. For example, BIG-IP 11000, BIG-IP 11050, BIG-IP 11050F, and BIG-IP
11050N are all vulnerable and included in the table as: BIG-IP 110x0.

Some platforms have processors from multiple vendors: one or more Intel core
processors and a vulnerable ARM processor in one or more subsystems. F5
investigated the use of ARM processors and found that, while vulnerable
processors are used, those processors do not handle privileged information;
they are limited to running signed firmware from F5 with no capability to
execute user-specified code.

+----------------------------------------------------------+
|Product           |Model     |Processor type(s)|Vulnerable|
|------------------+----------+-----------------+----------|
|BIG-IP            |B21x0     |Intel            |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |B2250     |Intel            |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |B4100     |AMD              |N         |
|------------------+----------+-----------------+----------|
|BIG-IP            |B4200     |AMD              |N         |
|------------------+----------+-----------------+----------|
|BIG-IP            |B43x0     |Intel            |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |B44x0     |Intel            |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |B2xx0     |Intel            |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |B4xx0     |Intel            |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |B5xx0     |Intel            |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |B7xx0     |Intel            |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |B210xxx   |Intel            |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |B12xx0    |Intel            |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |i2x00     |Intel, ARM       |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |i4x00     |Intel, ARM       |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |i5x00     |Intel, ARM       |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |i7x00     |Intel, ARM       |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |i10x00    |Intel, ARM       |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |800       |Intel            |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |1600      |Intel            |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |3600      |Intel            |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |3900      |Intel            |Y         |
|------------------+----------+-----------------+----------|
|BIG-IP            |6900      |AMD              |N         |
|------------------+----------+-----------------+----------|
|BIG-IP            |89x0      |AMD              |N         |
|------------------+----------+-----------------+----------|
|BIG-IP            |110x0     |AMD              |N         |
|------------------+----------+-----------------+----------|
|BIG-IP            |6400      |AMD              |N         |
|------------------+----------+-----------------+----------|
|BIG-IQ            |7000      |Intel            |Y         |
|------------------+----------+-----------------+----------|
|Enterprise Manager|4000      |Intel            |Y         |
|------------------+----------+-----------------+----------|
|FirePass          |FP12xx    |Intel            |N         |
|------------------+----------+-----------------+----------|
|FirePass          |FP41xx    |AMD              |N         |
|------------------+----------+-----------------+----------|
|FirePass          |FP43xx    |AMD              |N         |
|------------------+----------+-----------------+----------|
|ARX               |1500+     |Intel            |Y         |
|------------------+----------+-----------------+----------|
|ARX               |2500      |Intel            |Y         |
|------------------+----------+-----------------+----------|
|ARX               |4000/4000+|Intel            |Y         |
+----------------------------------------------------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
