===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2707.4
          K57211290: IPv6 fragmentation vulnerability CVE-2016-10142
                                13 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-10142

Reference:         ESB-2017.0960
                   ESB-2017.0757

Original Bulletin:
   https://support.f5.com/csp/article/K57211290

Revision History:  March    13 2019: Updated product table
                   March     1 2019: Updated security advisory status table
                   February 27 2019: Updated security advisory status table
                   October  26 2017: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

K57211290: IPv6 fragmentation vulnerability CVE-2016-10142

Security Advisory

Original Publication Date: 13 Jul, 2017
Latest Publication Date:   13 Mar, 2019

Security Advisory Description

An issue was discovered in the IPv6 protocol specification, related to ICMP
Packet Too Big (PTB) messages. (The scope of this CVE is all affected IPv6
implementations from all vendors.) The security implications of IP
fragmentation have been discussed at length in [RFC6274] and [RFC7739]. An
attacker can leverage the generation of IPv6 atomic fragments to trigger the
use of fragmentation in an arbitrary IPv6 flow (in scenarios in which actual
fragmentation of packets is not needed) and can subsequently perform any type
of fragmentation-based attack against legacy IPv6 nodes that do not implement
[RFC6946]. That is, employing fragmentation where it is not actually needed
allows fragmentation-based attack vectors to be employed unnecessarily.

We note that, unfortunately, even nodes that already implement [RFC6946] can
be subject to DoS attacks as a result of the generation of IPv6 atomic
fragments. Let us assume that Host A is communicating with Host B and that, as
a result of the widespread dropping of IPv6 packets that contain extension
headers (including fragmentation) [RFC7872], some intermediate node filters
fragments between Host B and Host A. If an attacker sends a forged ICMPv6 PTB
error message to Host B, reporting an MTU smaller than 1280, this will trigger
the generation of IPv6 atomic fragments from that moment on (as required by
[RFC2460]). When Host B starts sending IPv6 atomic fragments (in response to
the received ICMPv6 PTB error message), these packets will be dropped, since
we previously noted that IPv6 packets with extension headers were being
dropped between Host B and Host A. Thus, this situation will result in a DoS
scenario.

Another possible scenario is that in which two BGP peers are employing IPv6
transport and they implement Access Control Lists (ACLs) to drop IPv6
fragments (to avoid control-plane attacks). If the aforementioned BGP peers
drop IPv6 fragments but still honor received ICMPv6 PTB error messages, an
attacker could easily attack the corresponding peering session by simply
sending an ICMPv6 PTB message with a reported MTU smaller than 1280 bytes.
Once the attack packet has been sent, the aforementioned routers will
themselves be the ones dropping their own traffic. (CVE-2016-10142)

Impact

A remote attacker may be able to cause a denial of service (DoS) by sending
crafted IPv6 packets.

Security Advisory Status

F5 Product Development has assigned IDs 652516 (BIG-IP - control plane) and
671813 (BIG-IP - data plane), ID 669855 (BIG-IQ), ID 673039 (F5 iWorkflow),
and ID 669854 (Enterprise Manager) to this vulnerability. Additionally, BIG-IP
iHealth may list Heuristic H57211290-1 and H57211290-2 on the Diagnostics >
Identified > High page.
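The failure mode described above, modelled as an added example (this is not code from the F5 advisory or the AusCERT bulletin): a small parser that flags ICMPv6 Packet Too Big messages advertising an MTU below 1280 (the only kind that can trigger atomic fragments), and a model of Host B that either honours such a PTB as RFC 2460 required or ignores it as RFC 8021 recommends, sending through a filter that drops anything carrying a Fragment header. Packet bytes and addresses are constructed inline; the ICMPv6 checksum is not verified.

```python
import struct

IPV6_MIN_MTU = 1280        # RFC 2460: no IPv6 link may have a smaller MTU
ICMPV6_PTB = 2             # ICMPv6 type: Packet Too Big
NH_ICMPV6, NH_FRAGMENT = 58, 44   # IPv6 Next Header values

def parse_ipv6(pkt: bytes):
    """Split a raw IPv6 packet into (next_header, src, dst, payload)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    return pkt[6], pkt[8:24], pkt[24:40], pkt[40:40 + payload_len]

def ptb_mtu(icmp: bytes):
    """MTU field of an ICMPv6 Packet Too Big message, or None if not a PTB."""
    if len(icmp) < 8 or icmp[0] != ICMPV6_PTB:
        return None
    return struct.unpack("!I", icmp[4:8])[0]

def suspicious_ptb(pkt: bytes) -> bool:
    """Detection check: a PTB below 1280 can only force atomic fragments."""
    nh, _, _, payload = parse_ipv6(pkt)
    mtu = ptb_mtu(payload) if nh == NH_ICMPV6 else None
    return mtu is not None and mtu < IPV6_MIN_MTU

class Sender:
    """Host B of the advisory. rfc8021=False: RFC 2460 behaviour, a PTB below
    1280 adds a Fragment header to all later packets to that peer."""
    def __init__(self, rfc8021: bool = False):
        self.rfc8021 = rfc8021
        self.atomic_frag_peers = set()
    def receive_ptb(self, peer: bytes, mtu: int) -> None:
        if mtu < IPV6_MIN_MTU and not self.rfc8021:
            self.atomic_frag_peers.add(peer)
    def next_header_to(self, peer: bytes, upper: int = 6) -> int:
        return NH_FRAGMENT if peer in self.atomic_frag_peers else upper

def fragment_filter_passes(next_header: int) -> bool:
    """Intermediate ACL from the advisory: drop packets with a Fragment header."""
    return next_header != NH_FRAGMENT

def build_ptb(src: bytes, dst: bytes, mtu: int) -> bytes:
    """Constructed sample input (not a capture): IPv6 + ICMPv6 PTB, checksum 0."""
    icmp = struct.pack("!BBHI", ICMPV6_PTB, 0, 0, mtu)
    return struct.pack("!IHBB", 6 << 28, len(icmp), NH_ICMPV6, 64) + src + dst + icmp

HOST_A = bytes.fromhex("20010db8000000000000000000000001")  # constructed, 2001:db8::/32
HOST_B = bytes.fromhex("20010db8000000000000000000000002")

def session_survives(rfc8021: bool, advertised_mtu: int) -> bool:
    """Does B's traffic to A still pass the fragment filter after such a PTB?"""
    b = Sender(rfc8021)
    b.receive_ptb(HOST_A, advertised_mtu)
    return fragment_filter_passes(b.next_header_to(HOST_A))
```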
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table.

+--------------+----------------+----------------+----------+-----------------------+
|              |Versions known  |Versions known  |          |Vulnerable component or|
|Product       |to be           |to be not       |Severity  |feature                |
|              |vulnerable      |vulnerable      |          |                       |
+--------------+----------------+----------------+----------+-----------------------+
|              |12.0.0 - 12.1.2 |13.0.0 - 13.1.1 |          |Linux kernel - Control |
|              |11.6.0 - 11.6.1 |12.1.3 - 12.1.4 |High      |Plane (Management IPv6 |
|              |11.4.1 - 11.5.4 |11.6.2 - 11.6.3 |          |addresses)             |
|BIG-IP LTM    |11.2.1          |11.5.5 - 11.5.8 |          |                       |
|              +----------------+----------------+----------+-----------------------+
|              |11.4.1 - 11.5.8 |13.0.0 - 13.1.1 |          |Linux kernel - Data    |
|              |11.2.1          |12.0.0 - 12.1.4 |High      |Plane (TMM IPv6        |
|              |                |11.6.0 - 11.6.3 |          |addresses)             |
|              |                |11.5.9          |          |                       |
+--------------+----------------+----------------+----------+-----------------------+
|              |12.0.0 - 12.1.2 |13.0.0 - 13.1.1 |          |Linux kernel - Control |
|              |11.6.0 - 11.6.1 |12.1.3 - 12.1.4 |High      |Plane (Management IPv6 |
|              |11.4.1 - 11.5.4 |11.6.2 - 11.6.3 |          |addresses)             |
|BIG-IP AAM    |                |11.5.5 - 11.5.8 |          |                       |
|              +----------------+----------------+----------+-----------------------+
|              |11.4.1 - 11.5.8 |13.0.0 - 13.1.1 |          |Linux kernel - Data    |
|              |                |12.0.0 - 12.1.4 |High      |Plane (TMM IPv6        |
|              |                |11.6.0 - 11.6.3 |          |addresses)             |
|              |                |11.5.9          |          |                       |
+--------------+----------------+----------------+----------+-----------------------+
|              |12.0.0 - 12.1.2 |13.0.0 - 13.1.1 |          |Linux kernel - Control |
|              |11.6.0 - 11.6.1 |12.1.3 - 12.1.4 |High      |Plane (Management IPv6 |
|              |11.4.1 - 11.5.4 |11.6.2 - 11.6.3 |          |addresses)             |
|BIG-IP AFM    |                |11.5.5 - 11.5.8 |          |                       |
|              +----------------+----------------+----------+-----------------------+
|              |11.4.1 - 11.5.8 |13.0.0 - 13.1.0 |          |Linux kernel - Data    |
|              |                |12.0.0 - 12.1.3 |High      |Plane (TMM IPv6        |
|              |                |11.6.0 - 11.6.3 |          |addresses)             |
|              |                |11.5.9          |          |                       |
+--------------+----------------+----------------+----------+-----------------------+
|              |12.0.0 - 12.1.2 |13.0.0 - 13.1.1 |          |Linux kernel - Control |
|              |11.6.0 - 11.6.1 |12.1.3 - 12.1.4 |High      |Plane (Management IPv6 |
|              |11.4.1 - 11.5.4 |11.6.2 - 11.6.3 |          |addresses)             |
|BIG-IP        |11.2.1          |11.5.5 - 11.5.8 |          |                       |
|Analytics     +----------------+----------------+----------+-----------------------+
|              |11.4.1 - 11.5.8 |13.0.0 - 13.1.0 |          |Linux kernel - Data    |
|              |11.2.1          |12.0.0 - 12.1.3 |High      |Plane (TMM IPv6        |
|              |                |11.6.0 - 11.6.3 |          |addresses)             |
|              |                |11.5.9          |          |                       |
+--------------+----------------+----------------+----------+-----------------------+
|              |12.0.0 - 12.1.2 |13.0.0 - 13.1.1 |          |Linux kernel - Control |
|              |11.6.0 - 11.6.1 |12.1.3 - 12.1.4 |High      |Plane (Management IPv6 |
|              |11.4.1 - 11.5.4 |11.6.2 - 11.6.3 |          |addresses)             |
|BIG-IP APM    |11.2.1          |11.5.5 - 11.5.8 |          |                       |
|              +----------------+----------------+----------+-----------------------+
|              |11.4.1 - 11.5.8 |13.0.0 - 13.1.0 |          |Linux kernel - Data    |
|              |11.2.1          |12.0.0 - 12.1.3 |High      |Plane (TMM IPv6        |
|              |                |11.6.0 - 11.6.3 |          |addresses)             |
|              |                |11.5.9          |          |                       |
+--------------+----------------+----------------+----------+-----------------------+
|              |12.0.0 - 12.1.2 |13.0.0 - 13.1.1 |          |Linux kernel - Control |
|              |11.6.0 - 11.6.1 |12.1.3 - 12.1.4 |High      |Plane (Management IPv6 |
|              |11.4.1 - 11.5.4 |11.6.2 - 11.6.3 |          |addresses)             |
|BIG-IP ASM    |11.2.1          |11.5.5 - 11.5.8 |          |                       |
|              +----------------+----------------+----------+-----------------------+
|              |11.4.1 - 11.5.8 |13.0.0 - 13.1.0 |          |Linux kernel - Data    |
|              |11.2.1          |12.0.0 - 12.1.3 |High      |Plane (TMM IPv6        |
|              |                |11.6.0 - 11.6.3 |          |addresses)             |
|              |                |11.5.9          |          |                       |
+--------------+----------------+----------------+----------+-----------------------+
|              |12.0.0 - 12.1.2 |13.0.0 - 13.1.1 |          |Linux kernel - Control |
|              |                |12.1.3 - 12.1.4 |High      |Plane (Management IPv6 |
|BIG-IP DNS    |                |                |          |addresses)             |
|              +----------------+----------------+----------+-----------------------+
|              |None            |13.0.0 - 13.1.1 |Not       |None                   |
|              |                |12.0.0 - 12.1.4 |vulnerable|                       |
+--------------+----------------+----------------+----------+-----------------------+
|              |11.2.1          |None            |High      |Linux kernel - Control |
|BIG-IP Edge   |                |                |          |Plane (Management IPv6 |
|Gateway       |                |                |          |addresses)             |
|              +----------------+----------------+----------+-----------------------+
|              |11.2.1          |None            |High      |Linux kernel - Data    |
|              |                |                |          |Plane (TMM IPv6        |
|              |                |                |          |addresses)             |
+--------------+----------------+----------------+----------+-----------------------+
|              |11.6.0 - 11.6.1 |11.6.2 - 11.6.3 |          |Linux kernel - Control |
|              |11.4.1 - 11.5.4 |11.5.5 - 11.5.8 |High      |Plane (Management IPv6 |
|BIG-IP GTM    |11.2.1          |                |          |addresses)             |
|              +----------------+----------------+----------+-----------------------+
|              |11.4.1 - 11.5.8 |11.6.0 - 11.6.3 |          |Linux kernel - Data    |
|              |11.2.1          |11.5.9          |High      |Plane (TMM IPv6        |
|              |                |                |          |addresses)             |
+--------------+----------------+----------------+----------+-----------------------+
|              |12.0.0 - 12.1.2 |13.0.0 - 13.1.1 |          |Linux kernel - Control |
|              |11.6.0 - 11.6.1 |12.1.3 - 12.1.4 |High      |Plane (Management IPv6 |
|              |11.4.1 - 11.5.4 |11.6.2 - 11.6.3 |          |addresses)             |
|BIG-IP Link   |11.2.1          |11.5.5 - 11.5.8 |          |                       |
|Controller    +----------------+----------------+----------+-----------------------+
|              |11.4.1 - 11.5.8 |13.0.0 - 13.1.1 |          |Linux kernel - Data    |
|              |11.2.1          |12.0.0 - 12.1.4 |High      |Plane (TMM IPv6        |
|              |                |11.6.0 - 11.6.3 |          |addresses)             |
|              |                |11.5.9          |          |                       |
+--------------+----------------+----------------+----------+-----------------------+
|              |12.0.0 - 12.1.2 |13.0.0 - 13.1.1 |          |Linux kernel - Control |
|              |11.6.0 - 11.6.1 |12.1.3 - 12.1.4 |High      |Plane (Management IPv6 |
|              |11.4.0 - 11.5.4 |11.6.2 - 11.6.3 |          |addresses)             |
|BIG-IP PEM    |                |11.5.5 - 11.5.8 |          |                       |
|              +----------------+----------------+----------+-----------------------+
|              |11.4.1 - 11.5.8 |13.0.0 - 13.1.1 |          |Linux kernel - Data    |
|              |                |12.0.0 - 12.1.4 |High      |Plane (TMM IPv6        |
|              |                |11.6.0 - 11.6.3 |          |addresses)             |
|              |                |11.5.9          |          |                       |
+--------------+----------------+----------------+----------+-----------------------+
|              |11.4.1          |None            |High      |Linux kernel - Control |
|              |                |                |          |Plane (Management IPv6 |
|BIG-IP PSM    |                |                |          |addresses)             |
|              +----------------+----------------+----------+-----------------------+
|              |11.4.1          |None            |High      |Linux kernel - Data    |
|              |                |                |          |Plane (TMM IPv6        |
|              |                |                |          |addresses)             |
+--------------+----------------+----------------+----------+-----------------------+
|              |11.2.1          |None            |High      |Linux kernel - Control |
|BIG-IP        |                |                |          |Plane (Management IPv6 |
|WebAccelerator|                |                |          |addresses)             |
|              +----------------+----------------+----------+-----------------------+
|              |11.2.1          |None            |High      |Linux kernel - Data    |
|              |                |                |          |Plane (TMM IPv6        |
|              |                |                |          |addresses)             |
+--------------+----------------+----------------+----------+-----------------------+
|              |12.0.0 - 12.1.2 |13.0.0 - 13.1.1 |          |Linux kernel - Control |
|              |11.6.0 - 11.6.1 |12.1.3 - 12.1.4 |High      |Plane (Management IPv6 |
|              |                |11.6.2 - 11.6.3 |          |addresses)             |
|BIG-IP WebSafe+----------------+----------------+----------+-----------------------+
|              |None            |13.0.0 - 13.1.1 |Not       |None                   |
|              |                |12.0.0 - 12.1.4 |vulnerable|                       |
|              |                |11.6.0 - 11.6.3 |          |                       |
+--------------+----------------+----------------+----------+-----------------------+
|ARX           |None            |6.4.0           |Not       |None                   |
|              |                |                |vulnerable|                       |
+--------------+----------------+----------------+----------+-----------------------+
|Enterprise    |3.1.1           |None            |High      |Linux kernel -         |
|Manager       |                |                |          |Management IPv6        |
|              |                |                |          |addresses              |
+--------------+----------------+----------------+----------+-----------------------+
|BIG-IQ Cloud  |4.4.0 - 4.5.0   |None            |High      |Linux kernel -         |
|              |                |                |          |Management IPv6        |
|              |                |                |          |addresses              |
+--------------+----------------+----------------+----------+-----------------------+
|BIG-IQ Device |4.4.0 - 4.5.0   |None            |High      |Linux kernel -         |
|              |                |                |          |Management IPv6        |
|              |                |                |          |addresses              |
+--------------+----------------+----------------+----------+-----------------------+
|BIG-IQ        |4.4.0 - 4.5.0   |None            |High      |Linux kernel -         |
|Security      |                |                |          |Management IPv6        |
|              |                |                |          |addresses              |
+--------------+----------------+----------------+----------+-----------------------+
|BIG-IQ ADC    |4.5.0           |None            |High      |Linux kernel -         |
|              |                |                |          |Management IPv6        |
|              |                |                |          |addresses              |
+--------------+----------------+----------------+----------+-----------------------+
|BIG-IQ        |6.0.0 - 6.1.0   |None            |High      |Linux kernel -         |
|Centralized   |5.0.0 - 5.4.0   |                |          |Management IPv6        |
|Management    |4.6.0           |                |          |addresses              |
+--------------+----------------+----------------+----------+-----------------------+
|BIG-IQ Cloud  |1.0.0           |None            |High      |Linux kernel -         |
|and           |                |                |          |Management IPv6        |
|Orchestration |                |                |          |addresses              |
+--------------+----------------+----------------+----------+-----------------------+
|F5 iWorkflow  |2.0.0 - 2.3.0   |None            |High      |Linux kernel -         |
|              |                |                |          |Management IPv6        |
|              |                |                |          |addresses              |
+--------------+----------------+----------------+----------+-----------------------+
|LineRate      |None            |2.5.0 - 2.6.2   |Not       |None                   |
|              |                |                |vulnerable|                       |
+--------------+----------------+----------------+----------+-----------------------+
|Traffix SDC   |5.0.0           |5.1.0           |Medium    |Linux kernel           |
|              |4.4.0           |                |          |                       |
+--------------+----------------+----------------+----------+-----------------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow
systems.

Mitigation

None

Supplemental Information

o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K167: Downloading software and firmware from F5

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================