ESB-2018.1944 - [Appliance] F5 products: Access privileged data - Existing account 2018-07-04

Printable version
PGP/GPG verifiable version

Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

           K29146534: SBB Variant 4 vulnerability CVE-2018-3639
                                4 July 2018


        AusCERT Security Bulletin Summary

Product:           F5 BIG-IP products
                   F5 Enterprise Manager
                   F5 BIG-IQ products
                   F5 iWorkflow
                   F5 Traffix SDC
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        None
CVE Names:         CVE-2018-3639  

Reference:         ASB-2018.0121

Original Bulletin:

- --------------------------BEGIN INCLUDED TEXT--------------------

K29146534: SBB Variant 4 vulnerability CVE-2018-3639

Security Advisory

Original Publication Date: Jul 04, 2018

Security Advisory Description

Systems with microprocessors utilizing speculative execution and speculative
execution of memory reads before the addresses of all prior memory writes are
known may allow unauthorized disclosure of information to an attacker with
local user access via a side-channel analysis, aka Speculative Store Bypass
(SSB), Variant 4. (CVE-2018-3639) 


All exposure is limited to the control plane (also known as the management
plane). There is no exposure on BIG-IP products by way of the data plane.

Additionally, on the control plane, the vulnerabilities are exploitable only by
four authorized, authenticated account roles: Administrator, Resource
Administrator, Manager, and iRules Manager. An attacker must be authorized to
access the system in one of these roles to even attempt to exploit the

Both vulnerabilities require an attacker who can provide and run binary code of
their choosing on the BIG-IP platform.

These conditions severely restrict the exposure risk of BIG-IP products.

Single-tenancy products

For single-tenancy products, such as a standalone BIG-IP appliance, the risk is
limited to a local, authorized user using one of the vulnerabilities to read
information from memory that they would not normally be able to access,
exceeding their privileges. Effectively, the risk in a single-tenancy situation
is that a user may be able to access kernel-space memory, instead of being
limited to their own user-space.

Multi-tenancy environments

For multi-tenancy environments, such as cloud, VE, and Virtual Clustered
Multiprocessing (vCMP), the same local risk applies as with single-tenancy
environments - local kernel memory access. Additionally, there is a risk of
attacks across guests, or attacks against the hypervisor or host. In cloud and
VE environments, preventing these new attacks falls on the hypervisor or host
platform, outside the scope of F5's ability to support or patch. Please contact
your cloud provider or hypervisor vendor to ensure their platforms or products
are protected against Spectre variants.

For vCMP environments, F5 believes that while the Spectre Variant attacks offer
a theoretical possibility of guest-to-guest or guest-to-host attacks, these
would be very difficult to successfully conduct in the BIG-IP environment. The
primary risk in the vCMP environment with Spectre variants only exists when
vCMP guests are configured to use a single core. If the vCMP guests are
configured to use two or more cores, the Spectre Variant vulnerabilities are

Vulnerability research

F5 is working with our hardware component vendors to determine the scope of
vulnerabilities across our various generations of hardware platforms. All of
the information we currently have from our vendors is represented in this
security advisory. We are working to obtain the remaining information from our
vendors and will update the security advisory as we receive new information
about our hardware platforms.

We are also testing the fixes produced by the Linux community. We are
conducting an extensive test campaign to characterize the impact of the fixes
on system performance and stability to ensure, as best we can, a good
experience for our customers. We do not want to rush the process and release
fixes without a full understanding of any potential issues. Given the limited
exposure, as previously mentioned, the complexity of the fixes, and the
potential issues that we and others have seen, we believe a detailed approach
is warranted and that rushing a fix could result in an impact to system
stability or unacceptable performance costs. We will update this article with
details of our fixes as they become available.

Security Advisory Status

F5 Product Development has assigned IDs 721319, 721555, and 721556 (BIG-IP), ID
721949 (BIG-IQ), ID 721945 (Enterprise Manager), and CPF-24903 and CPF-24904
(Traffix) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases or hotfixes that
address the vulnerability, refer to the following table. For more information
about security advisory versioning, refer to K51812227: Understanding Security
Advisory versioning.

|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score |component |
|                   |      |be        |in        |          |      |or feature|
|                   |      |vulnerable|          |          |      |          |
|BIG-IP (LTM, AAM,  |13.x  |13.0.0 -  |None      |          |      |          |
|AFM, Analytics,    |      |13.1.0    |          |          |      |          |
|APM, ASM, DNS, Edge|------+----------+----------|          |      |F5        |
|Gateway, FPS, GTM, |12.x  |12.1.0 -  |None      |Medium    |5.6   |hardware  |
|Link Controller,   |      |12.1.3    |          |          |      |platforms*|
|PEM,               |------+----------+----------|          |      |          |
|WebAccelerator)    |11.x  |11.2.1 -  |None      |          |      |          |
|                   |      |11.6.3    |          |          |      |          |
|ARX                |6.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
|                   |      |          |          |          |      |F5        |
|Enterprise Manager |3.x   |3.1.1     |None      |Medium    |4.3   |hardware  |
|                   |      |          |          |          |      |platforms*|
|                   |6.x   |6.0.0     |None      |          |      |          |
|                   |------+----------+----------|          |      |F5        |
|BIG-IQ Centralized |5.x   |5.0.0 -   |None      |Medium    |4.3   |hardware  |
|Management         |      |5.4.0     |          |          |      |platforms*|
|                   |------+----------+----------|          |      |          |
|                   |4.x   |4.6.0     |None      |          |      |          |
|BIG-IQ Cloud and   |      |          |          |          |      |F5        |
|Orchestration      |1.x   |1.0.0     |None      |Medium    |4.3   |hardware  |
|                   |      |          |          |          |      |platforms*|
|                   |      |2.1.0 -   |          |          |      |F5        |
|F5 iWorkflow       |2.x   |2.3.0     |None      |Medium    |4.3   |hardware  |
|                   |      |          |          |          |      |platforms*|
|                   |5.x   |5.0.0 -   |None      |          |      |F5        |
|Traffix SDC        |      |5.1.0     |          |Medium    |5.6   |hardware  |
|                   |------+----------+----------|          |      |platforms*|
|                   |4.x   |4.4.0     |None      |          |      |          |

* For information about the affected hardware platforms, refer to the
Vulnerable platforms section.

Vulnerable platforms

Some platforms may have processors from multiple vendors and may have a
vulnerable ARM processor in one or more subsystems. F5 has investigated our use
of ARM processors, and while vulnerable processors are used, no privileged
information is handled by those processors and they are limited to running
signed firmware from F5, with no capability to execute user-specified code.

The following table lists only one entry for platform models that have several
variants. For example, BIG-IP 11000, BIG-IP 11050, BIG-IP 11050F, and BIG-IP
11050N are all vulnerable and included in the table as "BIG-IP 110x0." 

|Product           |Model     |Processor types|Vulnerable|
|BIG-IP            |B21x0     |Intel          |Y         |
|BIG-IP            |B2250     |Intel          |Y         |
|BIG-IP            |B4100     |AMD            |Y*        |
|BIG-IP            |B4200     |AMD            |Y*        |
|BIG-IP            |B43x0     |Intel          |Y         |
|BIG-IP            |B44x0     |Intel          |Y         |
|BIG-IP            |2xx0      |Intel          |Y         |
|BIG-IP            |4xx0      |Intel          |Y         |
|BIG-IP            |5xx0      |Intel          |Y         |
|BIG-IP            |7xx0      |Intel          |Y         |
|BIG-IP            |10xxx     |Intel          |Y         |
|BIG-IP            |12xx0     |Intel          |Y         |
|BIG-IP            |i2x00     |Intel, ARM     |Y         |
|BIG-IP            |i4x00     |Intel, ARM     |Y         |
|BIG-IP            |i5x00     |Intel, ARM     |Y         |
|BIG-IP            |i7x00     |Intel, ARM     |Y         |
|BIG-IP            |i10x00    |Intel, ARM     |Y         |
|BIG-IP            |800       |Intel          |Y         |
|BIG-IP            |1600      |Intel          |Y         |
|BIG-IP            |3600      |Intel          |Y         |
|BIG-IP            |3900      |Intel          |Y         |
|BIG-IP            |6900      |AMD            |Y*        |
|BIG-IP            |89x0      |AMD            |Y*        |
|BIG-IP            |110x0     |AMD            |Y*        |
|BIG-IP            |6400      |AMD            |Y*        |
|BIG-IQ            |7000      |Intel          |Y         |
|Enterprise Manager|4000      |Intel          |Y         |
|FirePass          |FP12xx    |Intel          |N         |
|FirePass          |FP41xx    |AMD            |Y**       |
|FirePass          |FP43xx    |AMD            |Y**       |
|ARX               |1500+     |Intel          |Y         |
|ARX               |2500      |Intel          |Y         |
|ARX               |4000/4000+|Intel          |Y         |

* F5 has reason to believe these platforms are vulnerable, but AMD has yet to
confirm. AMD has not published plans to provide fixes for these CPUs.

** Intel and AMD have not responded to repeated requests for information
relating to the processors in these platforms. Therefore, based on their
general public statements, we must assume that they are vulnerable.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.



- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.


« Back to bulletins