ESB-2018.3180.2 - UPDATE [Appliance] F5 BIG-IP products: Access privileged data - Existing account 2018-11-02

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.3180.2
             Lazy FP state restore vulnerability CVE-2018-3665
                              2 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3665  

Reference:         ESB-2018.2534
                   ESB-2018.2340
                   ESB-2018.2056
                   ESB-2018.2007
                   ESB-2018.1945
                   ESB-2018.1923
                   ESB-2018.1921

Original Bulletin: 
   https://support.f5.com/csp/article/K21344224

Revision History:  November  2 2018: Additional fixes introduced for BIG-IP 
                                     products
                   October  19 2018: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

K21344224: Lazy FP state restore vulnerability CVE-2018-3665

Security Advisory

Original Publication Date: Jun 22, 2018
Updated Date: Nov 02, 2018

Security Advisory Description

System software utilizing Lazy FP state restore technique on systems using
Intel Core-based microprocessors may potentially allow a local process to infer
data from another process through a speculative execution side channel.
(CVE-2018-3665)

A Floating-Point (FP) state information leakage flaw was found in the way the
Linux kernel saves and restores the FP state during task switch. Linux kernels
that follow the "Lazy FP Restore" scheme are vulnerable to the FP state
information leakage issue. An unprivileged, local attacker can use this flaw to
read FP state bits by conducting targeted cache side-channel attacks, similar
to the Meltdown vulnerability disclosed earlier this year.

Impact

This vulnerability requires an attacker to induce speculative execution of code
to acquire privileged information, then leak that information via a
micro-architectural side-channel. Intel Core processors are affected. AMD
processors are not affected.

F5 is investigating the impact of this vulnerability on our products. F5 is
focused on providing patched releases as soon as we have fully tested and
verified fixes. F5 will update this article with the most current information
as soon as it is confirmed.

BIG-IP

This vulnerability requires an attacker who can provide and run binary code of
their choosing on the BIG-IP platform. This raises a high bar for attackers
attempting to target BIG-IP systems over a network and would require an
additional, un-patched, user-space remote code execution vulnerability to
exploit these new issues.

The only administrative roles on a BIG-IP system that can execute binary code
or exploitable analogs, such as JavaScript, are the Administrator, Resource
Administrator, Manager, and iRules Manager roles. The Administrator and
Resource Administrator roles already have nearly complete access to the system
and all secrets on the system that are not protected by hardware-based
encryption. The Manager and iRules Manager roles have access restrictions, but
they can install new iRulesLX code. A malicious authorized Manager or iRules
Manager can install malicious binary code to exploit these information leaks
and gain more privileged access. F5 recommends limiting these roles to trusted
employees.

To determine the processor type used by each platform and if the platform is
affected by this vulnerability, refer to the following table.

Note: In the following table, only one entry is shown for platform models that
may have several variants. For example, BIG-IP 11000, BIG-IP 11050, BIG-IP
11050F, and BIG-IP 11050N are all included in the table as "BIG-IP 110x0". Some
platforms may have multiple vendor processors, such as the iSeries platforms,
which have one or more Intel Core processors and may have a vulnerable ARM
processor in one or more subsystems. F5 does not believe that ARM processors in
these subsystems are accessible to attackers, unless some other code-execution
vulnerability is present, but the information is being provided out of an
abundance of caution.

+-------------+--------------+------------------------------------------------+
|Model        |Processor type|Vulnerable to CVE-2018-3665 Lazy FP state       |
|             |              |restore                                         |
+-------------+--------------+------------------------------------------------+
|VIPRION B21x0|Intel         |N*                                              |
+-------------+--------------+------------------------------------------------+
|VIPRION B2250|Intel         |N*                                              |
+-------------+--------------+------------------------------------------------+
|VIPRION B4100|AMD           |N                                               |
+-------------+--------------+------------------------------------------------+
|VIPRION B4200|AMD           |N                                               |
+-------------+--------------+------------------------------------------------+
|VIPRION B43x0|Intel         |N*                                              |
+-------------+--------------+------------------------------------------------+
|VIPRION B44x0|Intel         |N*                                              |
+-------------+--------------+------------------------------------------------+
|BIG-IP 2xx0  |Intel         |Y                                               |
+-------------+--------------+------------------------------------------------+
|BIG-IP 4xx0  |Intel         |N*                                              |
+-------------+--------------+------------------------------------------------+
|BIG-IP 5xx0  |Intel         |N*                                              |
+-------------+--------------+------------------------------------------------+
|BIG-IP 7xx0  |Intel         |N*                                              |
+-------------+--------------+------------------------------------------------+
|BIG-IP 10xx0 |Intel         |N*                                              |
+-------------+--------------+------------------------------------------------+
|BIG-IP 110x0 |AMD           |N                                               |
+-------------+--------------+------------------------------------------------+
|BIG-IP 12xx0 |Intel         |N*                                              |
+-------------+--------------+------------------------------------------------+
|BIG-IP i2x00 |Intel, ARM    |N*                                              |
+-------------+--------------+------------------------------------------------+
|BIG-IP i4x00 |Intel, ARM    |N*                                              |
+-------------+--------------+------------------------------------------------+
|BIG-IP i5x00 |Intel, ARM    |N*                                              |
+-------------+--------------+------------------------------------------------+
|BIG-IP i7x00 |Intel, ARM    |N*                                              |
+-------------+--------------+------------------------------------------------+
|BIG-IP i10x00|Intel, ARM    |N*                                              |
+-------------+--------------+------------------------------------------------+
|BIG-IP 800   |Intel         |Y                                               |
+-------------+--------------+------------------------------------------------+
|BIG-IP 1600  |Intel         |Y                                               |
+-------------+--------------+------------------------------------------------+
|BIG-IP 3600  |Intel         |Y                                               |
+-------------+--------------+------------------------------------------------+
|BIG-IP 3900  |Intel         |N*                                              |
+-------------+--------------+------------------------------------------------+
|BIG-IP 6400  |AMD           |N                                               |
+-------------+--------------+------------------------------------------------+
|BIG-IP 6900  |AMD           |N                                               |
+-------------+--------------+------------------------------------------------+
|BIG-IP 89x0  |AMD           |N                                               |
+-------------+--------------+------------------------------------------------+

*Intel Xeon based processors are not vulnerable to this issue.

Note: Platform models that have reached End of Technical Support (EoTS) will
not be evaluated. For more information, refer to K4309: F5 platform lifecycle
support policy.

BIG-IQ and Enterprise Manager

To determine the processor type used by each platform and if the platform is
affected by this vulnerability, refer to the following table.

+--------------------+------------+-------------------------------------------+
|Model               |Processor   |Vulnerable to CVE-2018-3665 Lazy FP state  |
|                    |type        |restore                                    |
+--------------------+------------+-------------------------------------------+
|BIG-IQ 7000         |Intel       |Y                                          |
+--------------------+------------+-------------------------------------------+
|Enterprise Manager  |Intel       |Y                                          |
|4000                |            |                                           |
+--------------------+------------+-------------------------------------------+

Note: Platform models that have reached EoTS will not be evaluated. For more
information, refer to K4309: F5 platform lifecycle support policy.

ARX

To determine the processor type used by each platform and if the platform is
affected by this vulnerability, refer to the following table.

+-------------+-------------+------------------------------------------------+
|Model        |Processor    |Vulnerable to CVE-2018-3665 Lazy FP state       |
|             |type         |restore                                         |
+-------------+-------------+------------------------------------------------+
|ARX 1500+    |Intel        |Y*                                              |
+-------------+-------------+------------------------------------------------+
|ARX 2500     |Intel        |Y*                                              |
+-------------+-------------+------------------------------------------------+
|ARX 4000/    |Intel        |Y*                                              |
|4000+        |             |                                                |
+-------------+-------------+------------------------------------------------+

*The specified platforms contain the affected processor. However, F5 identifies
the ARX software vulnerability status as Not vulnerable because the attacker
cannot exploit the code in default, standard, or recommended configurations.

Note: Platform models that have reached EoTS will not be evaluated. For more
information, refer to K4309: F5 platform lifecycle support policy.

Traffix SDC

Systems with microprocessors that use speculative execution and indirect branch
prediction may allow unauthorized disclosure of information to an attacker with
local user access by way of a side-channel analysis.

LineRate

Systems with microprocessors that use speculative execution and indirect branch
prediction may allow unauthorized disclosure of information to an attacker with
local user access by way of a side-channel analysis.

For products with None in the Versions known to be vulnerable column in the
following table, there is no impact.

Security Advisory Status

F5 Product Development has assigned ID 725635 (BIG-IP), ID 725911 (Enterprise
Manager), ID 725912 (BIG-IQ/iWorkflow), ID LRS-65861 (LineRate), and IDs
CPF-24908 and CPF-24909 (Traffix SDC) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases or hotfixes that
address the vulnerability, refer to the following table. For more information
about security advisory versioning, refer to K51812227: Understanding Security
Advisory versioning.

+------------------+------+----------+----------+-----------+------+----------+
|                  |      |Versions  |Fixes     |           |CVSSv3|Vulnerable|
|Product           |Branch|known to  |introduced|Severity   |score^|component |
|                  |      |be        |in        |           |1     |or feature|
|                  |      |vulnerable|          |           |      |          |
+------------------+------+----------+----------+-----------+------+----------+
|                  |14.x  |14.0.0    |14.0.0.3  |           |      |          |
|BIG-IP (LTM, AAM, +------+----------+----------+           |      |          |
|AFM, Analytics,   |13.x  |13.0.0 -  |13.1.1.2  |           |      |          |
|APM, ASM, DNS,    |      |13.1.1    |          |           |      |          |
|Edge Gateway, FPS,+------+----------+----------+Medium     |5.6   |CPU       |
|GTM, Link         |12.x  |12.1.0 -  |None      |           |      |          |
|Controller, PEM,  |      |12.1.3    |          |           |      |          |
|WebAccelerator)   +------+----------+----------+           |      |          |
|                  |11.x  |11.2.1 -  |None      |           |      |          |
|                  |      |11.6.3    |          |           |      |          |
+------------------+------+----------+----------+-----------+------+----------+
|                  |      |          |Not       |Not        |      |          |
|ARX               |6.x   |None      |applicable|vulnerable^|None  |None      |
|                  |      |          |          |2          |      |          |
+------------------+------+----------+----------+-----------+------+----------+
|Enterprise Manager|3.x   |3.1.1     |None      |Medium     |5.6   |CPU       |
+------------------+------+----------+----------+-----------+------+----------+
|                  |6.x   |6.0.0     |None      |           |      |          |
|                  +------+----------+----------+           |      |          |
|BIG-IQ Centralized|5.x   |5.0.0 -   |None      |Medium     |5.6   |CPU       |
|Management        |      |5.4.0     |          |           |      |          |
|                  +------+----------+----------+           |      |          |
|                  |4.x   |4.6.0     |None      |           |      |          |
+------------------+------+----------+----------+-----------+------+----------+
|BIG-IQ Cloud and  |1.x   |1.0.0     |None      |Medium     |5.6   |CPU       |
|Orchestration     |      |          |          |           |      |          |
+------------------+------+----------+----------+-----------+------+----------+
|F5 iWorkflow      |2.x   |2.1.0 -   |None      |Medium     |5.6   |CPU       |
|                  |      |2.3.0     |          |           |      |          |
+------------------+------+----------+----------+-----------+------+----------+
|                  |      |          |          |           |      |Linux     |
|                  |      |2.6.0 -   |          |           |      |kernel on |
|LineRate          |2.x   |2.6.2     |None      |Medium     |4.3   |systems   |
|                  |      |          |          |           |      |with an   |
|                  |      |          |          |           |      |Intel CPU |
+------------------+------+----------+----------+-----------+------+----------+
|                  |      |5.0.0 -   |          |           |      |Linux     |
|                  |5.x   |5.1.0     |None      |           |      |kernel on |
|Traffix SDC       |      |          |          |Medium     |5.6   |systems   |
|                  +------+----------+----------+           |      |with an   |
|                  |4.x   |4.4.0     |None      |           |      |Intel CPU |
|                  |      |          |          |           |      |          |
+------------------+------+----------+----------+-----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

^2The specified products contain the affected code. However, F5 identifies the
vulnerability status as Not vulnerable because the attacker cannot exploit the
code in default, standard, or recommended configurations.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
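
Added example (not part of the F5 advisory or the AusCERT bulletin): a fleet triage that applies the rule above to the BIG-IP rows of the version table and reports the platform table's Y/N flag alongside, since the advisory does not state how the two tables combine. The inventory rows and host names are constructed, and two things are assumptions: point releases of a listed version share its status, and model variants differ from the family name only by one trailing letter.

```python
import re

# Platform table from the advisory ("N" includes "N*"); "x" stands for one digit.
PLATFORMS = {
    "Y": "BIG-IP 2xx0, BIG-IP 800, BIG-IP 1600, BIG-IP 3600",
    "N": "VIPRION B21x0, VIPRION B2250, VIPRION B4100, VIPRION B4200, "
         "VIPRION B43x0, VIPRION B44x0, BIG-IP 4xx0, BIG-IP 5xx0, "
         "BIG-IP 7xx0, BIG-IP 10xx0, BIG-IP 110x0, BIG-IP 12xx0, "
         "BIG-IP i2x00, BIG-IP i4x00, BIG-IP i5x00, BIG-IP i7x00, "
         "BIG-IP i10x00, BIG-IP 3900, BIG-IP 6400, BIG-IP 6900, BIG-IP 89x0",
}
# BIG-IP rows of the version table: branch -> (first, last, fix or None).
BIGIP = {
    14: ("14.0.0", "14.0.0", "14.0.0.3"), 13: ("13.0.0", "13.1.1", "13.1.1.2"),
    12: ("12.1.0", "12.1.3", None), 11: ("11.2.1", "11.6.3", None),
}

def parse(version):
    """'13.1.0.8' -> (13, 1, 0, 8); missing components count as 0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def platform_flag(model):
    """Return 'Y', 'N' or 'unlisted' for a model such as 'BIG-IP 11050N'."""
    for flag, families in PLATFORMS.items():
        for family in families.split(", "):
            # Assumption: variants add at most one trailing letter (F, N, s).
            pattern = re.escape(family).replace("x", r"\d") + "[A-Za-z]?"
            if re.fullmatch(pattern, model):
                return flag
    return "unlisted"

def software_status(version):
    """Return (status, fix): status is 'vulnerable', 'fixed' or 'not listed'."""
    v = parse(version)
    first, last, fix = BIGIP.get(v[0], (None, None, None))
    if first is None or v < parse(first):
        return "not listed", None
    if fix and v >= parse(fix):
        return "fixed", None
    # Assumption: point releases of a listed version (12.1.3.7) share its status.
    if v[:3] <= parse(last)[:3]:
        return "vulnerable", fix
    return "not listed", None

def triage(inventory):
    """Apply the Recommended Actions rule to (host, model, version) rows."""
    rows = []
    for host, model, version in inventory:
        status, fix = software_status(version)
        action = "none"
        if status == "vulnerable":
            action = f"upgrade to {fix}" if fix else "no upgrade candidate"
        rows.append((host, platform_flag(model), status, action))
    return rows

# Constructed sample inventory, not real devices.
SAMPLE = [
    ("lb-edge-01", "BIG-IP 2200s", "13.1.0.8"),
    ("lb-core-01", "BIG-IP 11050N", "12.1.3.7"),
    ("lb-dc-02", "BIG-IP i5800", "14.0.0.3"),
]
if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Units reported as "no upgrade candidate" fall under the Mitigation section: access restricted to trusted users.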

Mitigation

There is no mitigation. Ensure that you restrict system access to trusted
users.

Supplemental Information

  o Lazy FP state restore INTEL-SA-00145

    Note: This link takes you to a resource outside of AskF5. The third party
    could remove the document without our knowledge.

  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================