-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.0025.4
              K13167034: OpenSSL vulnerability CVE-2016-2183
                             28 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2183  

Reference:         ASB-2017.0219
                   ASB-2017.0208
                   ASB-2017.0169
                   ESB-2016.2263
                   ESB-2016.2239.2
                   ESB-2016.2238

Original Bulletin: 
   https://support.f5.com/csp/article/K13167034

Revision History:  February 28 2020: Additional versions known to be not vulnerable added
                   February 21 2020: Vendor updated matrix of vulnerable and fixed versions
                   August   14 2018: Updated security advisory status table. 
                   January   2 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K13167034: OpenSSL vulnerability CVE-2016-2183

Security Advisory

Original Publication Date: 05 Oct, 2016

Latest   Publication Date: 27 Feb, 2020

Security Advisory Description

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols
and other protocols and products, have a birthday bound of approximately four
billion blocks, which makes it easier for remote attackers to obtain cleartext
data via a birthday attack against a long-duration encrypted session, as
demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32"
attack. (CVE-2016-2183)

Important: This vulnerability is caused by functionality in the OpenSSL
software library. A viable mitigation is available in the mitigation section.
There will be no further updates to this article, unless new information is
discovered.

Impact

Remote attackers may be able to obtain cleartext data using a birthday attack
against long-duration encrypted sessions.

Security Advisory Status

F5 Product Development has assigned IDs 615267, 615271, 615270, 615269, 615268,
and 615274 (BIG-IP), ID 410742 (ARX), ID 616861 (BIG-IQ and F5 iWorkflow), ID
616862 (Enterprise Manager), ID 528809 (FirePass), and LRS-60936 (LineRate) to
this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H13167034,
H13167034-1, H13167034-2, and H13167034-3 on the Diagnostics > Identified >
Medium page.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases, point releases, or hotfixes that address the vulnerability, refer to
the following table.

+----------------+---------------+-----------------+----------+---------------+
|                |Versions known |Versions known to|          |Vulnerable     |
|Product         |to be          |be not vulnerable|Severity  |component or   |
|                |vulnerable     |                 |          |feature        |
+----------------+---------------+-----------------+----------+---------------+
|                |               |                 |          |               |
|                |               |15.0.0 - 15.1.0  |          |               |
|                |13.0.0         |14.0.0 - 14.1.2  |          |               |
|                |12.0.0 - 12.1.2|13.0.0 HF1 -     |Medium    |SSL profiles   |
|                |11.2.1 - 11.6.5|13.1.3           |          |(client/server)|
|                |10.2.1 - 10.2.4|12.1.2 HF1 -     |          |               |
|                |               |12.1.5           |          |               |
|                |               |                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |15.0.0 - 15.1.0|                 |          |               |
|                |14.0.0 - 14.1.2|                 |          |               |
|                |13.0.0 - 13.1.3|None             |Medium    |IPSec          |
|                |12.0.0 - 12.1.5|                 |          |               |
|                |11.2.1 - 11.6.5|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|BIG-IP LTM      |15.0.0 - 15.1.0|                 |          |               |
|                |14.0.0 - 14.1.2|                 |          |               |
|                |13.0.0 - 13.1.3|None             |Medium    |tamd           |
|                |12.0.0 - 12.1.5|                 |          |               |
|                |11.2.1 - 11.6.5|                 |          |               |
|                |10.2.4         |                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |13.0.0 - 13.1.3|                 |          |               |
|                |12.0.0 - 12.1.5|15.0.0 - 15.1.0  |Medium    |Apache mod_ssl |
|                |11.2.1 - 11.6.5|14.0.0 - 14.1.2  |          |               |
|                |10.2.4         |                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0  |          |               |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2  |Medium    |Big3d          |
|                |11.2.1 - 11.6.5|13.1.0 - 13.1.3  |          |               |
|                |10.2.1 - 10.2.4|                 |          |               |
+----------------+---------------+-----------------+----------+---------------+
|                |               |15.0.0 - 15.1.0  |          |               |
|                |13.0.0         |14.0.0 - 14.1.2  |          |               |
|                |12.0.0 - 12.1.2|13.0.0 HF1 -     |Medium    |SSL profiles   |
|                |11.4.0 - 11.6.5|13.1.3           |          |(client/server)|
|                |               |12.1.2 HF1 -     |          |               |
|                |               |12.1.5           |          |               |
|                +---------------+-----------------+----------+---------------+
|                |15.0.0 - 15.1.0|                 |          |               |
|                |14.0.0 - 14.1.2|                 |          |               |
|BIG-IP (AAM,    |13.0.0 - 13.1.3|None             |Medium    |IPSec, tamd    |
|PEM)            |12.0.0 - 12.1.5|                 |          |               |
|                |11.2.1 - 11.6.5|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |13.0.0 - 13.1.3|15.0.0 - 15.1.0  |          |               |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2  |Medium    |Apache mod_ssl |
|                |11.4.0 - 11.6.5|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0  |          |               |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2  |Medium    |Big3d          |
|                |11.4.0 - 11.6.5|13.1.0 - 13.1.3  |          |               |
+----------------+---------------+-----------------+----------+---------------+
|                |               |15.0.0 - 15.1.0  |          |               |
|                |12.1.0 - 12.1.3|14.0.0 - 14.1.2  |Medium    |SSH Proxy      |
|                |               |13.0.0 - 13.1.3  |          |               |
|                |               |12.1.3.4 - 12.1.5|          |               |
|                +---------------+-----------------+----------+---------------+
|                |               |15.0.0 - 15.1.0  |          |               |
|                |13.0.0         |14.0.0 - 14.1.2  |          |               |
|                |12.0.0 - 12.1.2|13.0.0 HF1 -     |Medium    |SSL profiles   |
|                |11.4.0 - 11.6.5|13.1.3           |          |(client/server)|
|                |               |12.1.2 HF1 -     |          |               |
|                |               |12.1.5           |          |               |
|                +---------------+-----------------+----------+---------------+
|BIG-IP AFM      |15.0.0 - 15.1.0|                 |          |               |
|                |14.0.0 - 14.1.2|                 |          |               |
|                |13.0.0 - 13.1.3|None             |Medium    |IPSec, tamd    |
|                |12.0.0 - 12.1.5|                 |          |               |
|                |11.4.0 - 11.6.5|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |13.0.0 - 13.1.3|15.0.0 - 15.1.0  |          |               |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2  |Medium    |Apache mod_ssl |
|                |11.4.0 - 11.6.5|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0  |          |               |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2  |Medium    |Big3d          |
|                |11.4.0 - 11.6.5|13.1.0 - 13.1.3  |          |               |
+----------------+---------------+-----------------+----------+---------------+
|                |               |15.0.0 - 15.1.0  |          |               |
|                |13.0.0         |14.0.0 - 14.1.2  |          |               |
|                |12.0.0 - 12.1.2|13.0.0 HF1 -     |Medium    |SSL profiles   |
|                |11.2.1 - 11.6.5|13.1.3           |          |(client/server)|
|                |               |12.1.2 HF1 -     |          |               |
|                |               |12.1.5           |          |               |
|                +---------------+-----------------+----------+---------------+
|                |15.0.0 - 15.1.0|                 |          |               |
|                |14.0.0 - 14.1.2|                 |          |               |
|BIG-IP Analytics|13.0.0 - 13.1.3|None             |Medium    |IPSec, tamd    |
|                |12.0.0 - 12.1.5|                 |          |               |
|                |11.2.1 - 11.6.5|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |13.0.0 - 13.1.3|15.0.0 - 15.1.0  |          |               |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2  |Medium    |Apache mod_ssl |
|                |11.2.1 - 11.6.5|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0  |          |               |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2  |Medium    |Big3d          |
|                |11.2.1 - 11.6.5|13.1.0 - 13.1.3  |          |               |
+----------------+---------------+-----------------+----------+---------------+
|                |15.0.0 - 15.1.0|                 |          |               |
|                |14.0.0 - 14.1.2|                 |          |               |
|                |13.0.0 - 13.1.3|None             |Medium    |Oracle Access  |
|                |12.0.0 - 12.1.5|                 |          |Manager, tamd  |
|                |11.2.1 - 11.6.5|                 |          |               |
|                |10.2.1 - 10.2.4|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |               |15.0.0 - 15.1.0  |          |               |
|                |13.0.0         |14.0.0 - 14.1.2  |          |               |
|                |12.0.0 - 12.1.2|13.0.0 HF1 -     |Medium    |SSL profiles   |
|                |11.2.1 - 11.6.5|13.1.3           |          |(client/server)|
|                |10.2.1 - 10.2.4|12.1.2 HF1 -     |          |               |
|                |               |12.1.5           |          |               |
|                +---------------+-----------------+----------+---------------+
|                |15.0.0 - 15.1.0|                 |          |               |
|                |14.0.0 - 14.1.2|                 |          |               |
|                |13.0.0 - 13.1.3|None             |Medium    |IPSec          |
|BIG-IP APM      |12.0.0 - 12.1.5|                 |          |               |
|                |11.2.1 - 11.6.5|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |15.0.0 - 15.1.0|                 |          |               |
|                |14.0.0 - 14.1.2|                 |          |               |
|                |13.0.0 - 13.1.3|None             |Medium    |tamd           |
|                |12.0.0 - 12.1.5|                 |          |               |
|                |11.2.1 - 11.6.5|                 |          |               |
|                |10.2.1 - 10.2.4|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |13.0.0 - 13.1.3|                 |          |               |
|                |12.0.0 - 12.1.5|15.0.0 - 15.1.0  |Medium    |Apache mod_ssl |
|                |11.2.1 - 11.6.5|14.0.0 - 14.1.2  |          |               |
|                |10.2.1 - 10.2.4|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0  |          |               |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2  |Medium    |Big3d          |
|                |11.2.1 - 11.6.5|13.1.0 - 13.1.3  |          |               |
|                |10.2.1 - 10.2.4|                 |          |               |
+----------------+---------------+-----------------+----------+---------------+
|                |               |15.0.0 - 15.1.0  |          |               |
|                |13.0.0         |14.0.0 - 14.1.2  |          |               |
|                |12.0.0 - 12.1.2|13.0.0 HF1 -     |Medium    |SSL profiles   |
|                |11.2.1 - 11.6.5|13.1.3           |          |(client/server)|
|                |10.2.1 - 10.2.4|12.1.2 HF1 -     |          |               |
|                |               |12.1.5           |          |               |
|                +---------------+-----------------+----------+---------------+
|                |15.0.0 - 15.1.0|                 |          |               |
|                |14.0.0 - 14.1.2|                 |          |               |
|                |13.0.0 - 13.1.3|None             |Medium    |IPSec          |
|                |12.0.0 - 12.1.5|                 |          |               |
|                |11.2.1 - 11.6.5|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |15.0.0 - 15.1.0|                 |          |               |
|BIG-IP ASM      |14.0.0 - 14.1.2|                 |          |               |
|                |13.0.0 - 13.1.3|None             |Medium    |tamd           |
|                |12.0.0 - 12.1.5|                 |          |               |
|                |11.2.1 - 11.6.5|                 |          |               |
|                |10.2.1 - 10.2.4|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |13.0.0 - 13.1.3|                 |          |               |
|                |12.0.0 - 12.1.5|15.0.0 - 15.1.0  |Medium    |Apache mod_ssl |
|                |11.2.1 - 11.6.5|14.0.0 - 14.1.2  |          |               |
|                |10.2.1 - 10.2.4|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0  |          |               |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2  |Medium    |Big3d          |
|                |11.2.1 - 11.6.5|13.1.0 - 13.1.3  |          |               |
|                |10.2.1 - 10.2.4|                 |          |               |
+----------------+---------------+-----------------+----------+---------------+
|                |15.0.0 - 15.1.0|                 |          |               |
|                |14.0.0 - 14.1.2|None             |Medium    |tamd           |
|                |13.0.0 - 13.1.3|                 |          |               |
|                |12.0.0 - 12.1.5|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|BIG-IP DNS      |13.0.0 - 13.1.3|15.0.0 - 15.1.0  |Medium    |Apache mod_ssl |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2  |          |               |
|                +---------------+-----------------+----------+---------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0  |          |               |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2  |Medium    |Big3d          |
|                |               |13.1.0 - 13.1.3  |          |               |
+----------------+---------------+-----------------+----------+---------------+
|                |11.2.1         |None             |Medium    |SSL profiles   |
|                |10.2.1 - 10.2.4|                 |          |(client/server)|
|                +---------------+-----------------+----------+---------------+
|                |11.2.1         |None             |Medium    |IPSec          |
|                +---------------+-----------------+----------+---------------+
|BIG-IP Edge     |11.2.1         |None             |Medium    |tamd           |
|Gateway         |10.2.1 - 10.2.4|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |11.2.1         |None             |Medium    |Apache mod_ssl |
|                |10.2.1 - 10.2.4|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |11.2.1         |None             |Medium    |Big3d          |
|                |10.2.1 - 10.2.4|                 |          |               |
+----------------+---------------+-----------------+----------+---------------+
|                |11.4.0 - 11.6.5|                 |          |               |
|                |11.2.1         |None             |Medium    |tamd           |
|                |10.2.1 - 10.2.4|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |11.4.0 - 11.6.5|                 |          |               |
|BIG-IP GTM      |11.2.1         |None             |Medium    |Apache mod_ssl |
|                |10.2.1 - 10.2.4|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |11.4.0 - 11.6.5|                 |          |               |
|                |11.2.1         |None             |Medium    |Big3d          |
|                |10.2.1 - 10.2.4|                 |          |               |
+----------------+---------------+-----------------+----------+---------------+
|                |15.0.0 - 15.1.0|                 |          |               |
|                |14.0.0 - 14.1.2|None             |Medium    |IPSec          |
|                |13.0.0 - 13.1.3|                 |          |               |
|                |11.2.1 - 11.6.5|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |15.0.0 - 15.1.0|                 |          |               |
|                |14.0.0 - 14.1.2|                 |          |               |
|                |13.0.0 - 13.1.3|None             |Medium    |tamd           |
|                |11.2.1 - 11.6.5|                 |          |               |
|BIG-IP Link     |10.2.1 - 10.2.4|                 |          |               |
|Controller      +---------------+-----------------+----------+---------------+
|                |13.0.0 - 13.1.3|                 |          |               |
|                |12.0.0 - 12.1.5|15.0.0 - 15.1.0  |Medium    |Apache mod_ssl |
|                |11.2.1 - 11.6.5|14.0.0 - 14.1.2  |          |               |
|                |10.2.1 - 10.2.4|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0  |          |               |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2  |Medium    |Big3d          |
|                |11.2.1 - 11.6.5|13.1.0 - 13.1.3  |          |               |
|                |10.2.1 - 10.2.4|                 |          |               |
+----------------+---------------+-----------------+----------+---------------+
|                |11.4.0 - 11.4.1|None             |Medium    |SSL profiles   |
|                |10.2.1 - 10.2.4|                 |          |(client/server)|
|                +---------------+-----------------+----------+---------------+
|                |11.4.0 - 11.4.1|None             |Medium    |IPSec          |
|                +---------------+-----------------+----------+---------------+
|                |11.4.0 - 11.4.1|None             |Medium    |tamd           |
|BIG-IP PSM      |10.2.1 - 10.2.4|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |11.4.0 - 11.4.1|None             |Medium    |Apache mod_ssl |
|                |10.2.1 - 10.2.4|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |11.4.0 - 11.4.1|None             |Medium    |Big3d          |
|                |10.2.1 - 10.2.4|                 |          |               |
+----------------+---------------+-----------------+----------+---------------+
|                |11.2.1 - 11.3.0|None             |Medium    |SSL profiles   |
|                |10.2.1 - 10.2.4|                 |          |(client/server)|
|                +---------------+-----------------+----------+---------------+
|                |11.2.1 - 11.3.0|None             |Medium    |IPSec          |
|                +---------------+-----------------+----------+---------------+
|BIG-IP          |11.2.1 - 11.3.0|None             |Medium    |tamd           |
|(WebAccelerator,|10.2.1 - 10.2.4|                 |          |               |
|WOM)            +---------------+-----------------+----------+---------------+
|                |11.2.1 - 11.3.0|None             |Medium    |Apache mod_ssl |
|                |10.2.1 - 10.2.4|                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |11.2.1 - 11.3.0|None             |Medium    |Big3d          |
|                |10.2.1 - 10.2.4|                 |          |               |
+----------------+---------------+-----------------+----------+---------------+
|                |               |13.0.0 - 13.1.3  |Not       |               |
|BIG-IP WebSafe  |None           |12.0.0 - 12.1.5  |vulnerable|None           |
|                |               |11.6.0 - 11.6.5  |          |               |
+----------------+---------------+-----------------+----------+---------------+
|ARX             |6.2.0 - 6.4.0  |None             |Low       |OpenSSL        |
+----------------+---------------+-----------------+----------+---------------+
|Enterprise      |               |                 |          |Apache         |
|Manager         |3.1.1          |None             |Medium    |OpenSSH        |
|                |               |                 |          |Big3d          |
+----------------+---------------+-----------------+----------+---------------+
|FirePass        |7.0.0          |None             |Low       |OpenSSL        |
+----------------+---------------+-----------------+----------+---------------+
|                |               |                 |          |Webd           |
|BIG-IQ Cloud    |4.0.0 - 4.5.0  |None             |Medium    |OpenSSH        |
|                |               |                 |          |Big3d          |
+----------------+---------------+-----------------+----------+---------------+
|                |               |                 |          |Webd           |
|BIG-IQ Device   |4.2.0 - 4.5.0  |None             |Medium    |OpenSSH        |
|                |               |                 |          |Big3d          |
+----------------+---------------+-----------------+----------+---------------+
|                |               |                 |          |Webd           |
|BIG-IQ Security |4.0.0 - 4.5.0  |None             |Medium    |OpenSSH        |
|                |               |                 |          |Big3d          |
+----------------+---------------+-----------------+----------+---------------+
|                |               |                 |          |Webd           |
|BIG-IQ ADC      |4.5.0          |None             |Medium    |OpenSSH        |
|                |               |                 |          |Big3d          |
+----------------+---------------+-----------------+----------+---------------+
|                |5.0.0 - 7.0.0.1|None             |Medium    |Webd           |
|                |4.6.0          |                 |          |               |
|BIG-IQ          +---------------+-----------------+----------+---------------+
|Centralized     |5.0.0 - 7.0.0.1|None             |Medium    |OpenSSH        |
|Management      |4.6.0          |                 |          |               |
|                +---------------+-----------------+----------+---------------+
|                |5.0.0 - 5.1.0  |5.2.0 - 5.4.0    |Medium    |Big3d          |
|                |4.6.0          |                 |          |               |
+----------------+---------------+-----------------+----------+---------------+
|BIG-IQ Cloud and|               |                 |          |Webd           |
|Orchestration   |1.0.0          |None             |Medium    |OpenSSH        |
|                |               |                 |          |Big3d          |
+----------------+---------------+-----------------+----------+---------------+
|                |               |                 |          |Apache         |
|F5 iWorkflow    |2.0.0 - 2.3.0  |None             |Medium    |OpenSSH        |
|                |               |                 |          |Big3d          |
+----------------+---------------+-----------------+----------+---------------+
|LineRate        |2.5.0 - 2.6.1  |None             |Low       |SSL/TLS        |
+----------------+---------------+-----------------+----------+---------------+
|                |               |                 |          |OpenSSL        |
|                |5.1.0          |None             |Low       |Network        |
|                |               |                 |          |Security       |
|Traffix SDC     |               |                 |          |Services, NSS  |
|                +---------------+-----------------+----------+---------------+
|                |5.0.0          |None             |Low       |OpenSSL        |
|                |4.0.0 - 4.4.0  |                 |          |               |
+----------------+---------------+-----------------+----------+---------------+


Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

To determine the necessary upgrade path for your BIG-IQ system, you should
understand the BIG-IQ product offering name changes. For more information,
refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems.

Mitigation

The following mitigation options are available for the BIG-IP system:

SSL profiles

You can mitigate this issue for the SSL profiles by disabling 3DES (DES-CBC3)
ciphers for the affected profile. For information about configuring the cipher
strength for the SSL profiles, refer to K17370: Configuring the cipher strength
for SSL profiles (12.x - 13.x).

Important: The following mitigation will not work for BIG-IP 13.0.0 due to an
issue being tracked by F5 Product Development as ID 649369. For assistance
mitigating this issue for BIG-IP 13.0.0 please contact F5 Support and reference
this article and ID 649369.

You can disable 3DES in SSL profile ciphers by adding !3DES or -3DES to the
current cipher string in the Ciphers field.

Note: When you use the ! symbol preceding a cipher, the SSL profile permanently
removes the cipher from the cipher list, even if the cipher is explicitly
stated later in the cipher string. When you use the - symbol preceding a
cipher, the SSL profile removes the cipher from the cipher list, but the cipher
can be added back to the cipher list if there are later options that allow it.

For example, if the current cipher string is DEFAULT, the updated cipher string
becomes DEFAULT:!3DES.

Some TLS rating sites treat the ability to negotiate 3DES with TLS 1.2
differently than they treat 3DES availability with TLS 1.0 or TLS 1.1. The
rationale behind this logic is that legacy clients are not expected to
negotiate TLS 1.2 and thus there is no reason for a TLS server to offer 3DES
with TLS 1.2. If you want to enable 3DES with TLS 1.0 and TLS 1.1 only, but not
TLS 1.2, you can use the following cipher string:

-3DES:TLSv1_1+3DES:TLSv1+3DES

For example, if the current cipher string is DEFAULT, the updated cipher string
becomes DEFAULT:-3DES:TLSv1_1+3DES:TLSv1+3DES.
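As an added illustration (not F5's cipher-string engine and not code from the article), the following toy model applies the `!`, `-` and `PROTO+CIPHER` rules described above to a constructed candidate set of cipher/protocol pairs. The cipher families, protocol names and the assumption that DEFAULT includes 3DES on every protocol are constructed for the demonstration; ordering, key-exchange groups and other keywords are ignored.

```python
"""Toy model of BIG-IP SSL-profile cipher-string operators (added example).

Each candidate is a (cipher, protocol) pair. Keywords select subsets of the
candidate space; 'A+B' is the OpenSSL-style intersection of two keywords.
This is a simplified illustration, not F5's implementation.
"""
from itertools import product

# Constructed candidate space: two cipher families across three TLS versions.
CIPHERS = ["AES", "3DES"]
PROTOCOLS = ["TLSv1", "TLSv1_1", "TLSv1_2"]
ALL = set(product(CIPHERS, PROTOCOLS))


def _select(keyword):
    """Return the subset of ALL that one keyword names.

    'TLSv1_1+3DES' keeps only pairs matching every '+'-joined part.
    Assumption: DEFAULT expands to every pair (i.e. 3DES is in DEFAULT).
    """
    matched = set(ALL)
    for part in keyword.split("+"):
        if part == "DEFAULT":
            chosen = set(ALL)
        elif part in CIPHERS:
            chosen = {pair for pair in ALL if pair[0] == part}
        elif part in PROTOCOLS:
            chosen = {pair for pair in ALL if pair[1] == part}
        else:
            raise ValueError(f"unknown keyword {part!r}")
        matched &= chosen
    return matched


def evaluate(cipher_string):
    """Apply the string left to right and return the enabled pairs.

      X   -> add matching pairs, unless an earlier !X killed them for good
      -X  -> remove matching pairs; a later keyword may add them back
      !X  -> remove matching pairs and forbid re-adding them
    """
    enabled, killed = set(), set()
    for token in cipher_string.split(":"):
        if not token:
            continue  # tolerate a stray or trailing ':'
        if token.startswith("!"):
            selection = _select(token[1:])
            killed |= selection
            enabled -= selection
        elif token.startswith("-"):
            enabled -= _select(token[1:])
        else:
            enabled |= _select(token) - killed
    return enabled


def protocols_offering(cipher_string, cipher):
    """TLS versions on which `cipher` is still negotiable under the string."""
    return sorted(proto for c, proto in evaluate(cipher_string) if c == cipher)


if __name__ == "__main__":
    for s in ["DEFAULT",
              "DEFAULT:!3DES",
              "DEFAULT:-3DES:TLSv1_1+3DES:TLSv1+3DES",
              "DEFAULT:!3DES:TLSv1_1+3DES:TLSv1+3DES"]:
        print(f"{s:42} 3DES offered on: {protocols_offering(s, '3DES')}")
```

The last string shows the difference the note above describes: after `!3DES`, the later `TLSv1_1+3DES` and `TLSv1+3DES` keywords cannot bring 3DES back, whereas after `-3DES` they can.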

Beginning in 12.1.2 HF1 the BIG-IP system implements the TLS session data limit
for 3DES that makes the use of 3DES secure on the BIG-IP system in reference to
the SWEET32 attack. Unfortunately, SSL rating sites cannot easily detect the
presence of this fix. Auditing this fix requires sending of over 1 GB of data
in a single TLS session.

For earlier versions of BIG-IP systems without the data limit fix, you should
take the following alternative steps when 3DES is enabled. Note that you do not
need to take the following steps if only modern block ciphers are enabled, such
as AES or Camellia.

Alternatively, if disabling 3DES ciphers is not possible and you are running a
version earlier than 12.1.2 HF1, you can modify the SSL profile and set the
Renegotiation Size setting to 1 GB. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a
negative impact on your system.

 1. Log in to the TMOS Shell (tmsh) by typing the following command:

    tmsh

 2. Change the renegotiation size to 1 GB for the profile using the following
    command syntax:

    modify /ltm profile client-ssl <profile_name> renegotiate-size 1000

    For example, the following command changes the renegotiation size to 1 GB
    for the SSL profile named MyClientSSL:

    modify /ltm profile client-ssl MyClientSSL renegotiate-size 1000

 3. Save the changes by typing the following command:

    save /sys config

Authentication profiles (tamd)

To mitigate this issue, disable 3DES on the server side to prevent negotiation
of the vulnerable cipher.

Configuration utility

To mitigate this vulnerability for the Configuration utility, you should permit
management access to F5 products only over a secure network. For more
information, refer to K13092: Overview of securing access to the BIG-IP system.

BIG-IP APM - Oracle Access Manager

To mitigate this vulnerability for Oracle Access Manager (OAM), you should
monitor traffic patterns between the BIG-IP system and back-end OAM systems for
traffic anomalies, or force rekeying at an appropriate interval on the
application server.

IPsec

To mitigate this vulnerability for IPsec, in your IPsec policy, you should use
AES ciphers, or if you cannot use AES ciphers, configure the KBLifetime
to 1048576 KB (1 GB) or less.

BIG-IQ

big3d

To mitigate this vulnerability for the big3d component of BIG-IQ, perform the
following procedure:

Impact of procedure: BIG-IQ does not use the big3d component and F5 product
development has removed it starting in BIG-IQ 5.2.0. Performing the following
procedure should not have a negative impact on your system.

 1. Log in to tmsh by typing the following command:

    tmsh

 2. Disable the big3d component, which stops the service and prevents it from
    starting on subsequent reboots, by typing the following command:

    modify /sys service big3d disable

OpenSSH

To mitigate this vulnerability for the OpenSSH component of the BIG-IQ system,
you can disable the 3DES (DES-CBC3) ciphers for the SSH service on your BIG-IQ
system. To do so, refer to K80425458: Modifying the list of ciphers and MAC and
key exchange algorithms used by the SSH service on the BIG-IP system or BIG-IQ
system.

Webd

To mitigate this vulnerability for the Webd component of the BIG-IQ system, you
can disable the 3DES (DES-CBC3) ciphers for the Webd service on your BIG-IQ
system. To modify the ciphers enabled on the BIG-IQ user interface, refer to
K17007: Restricting BIG-IQ user interface access to clients using
high-encryption SSL ciphers and protocols. You can disable 3DES in the SSL
ciphers by adding !3DES to the current cipher string in the ssl_ciphers
field. For example, if the current cipher string is
ECDHE-RSA-AES128-GCM-SHA256;, the updated cipher string becomes
ECDHE-RSA-AES128-GCM-SHA256:!3DES;.

Supplemental Information

  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K167: Downloading software and firmware from F5
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K9502: BIG-IP hotfix and point release matrix
  o K15106: Managing BIG-IQ product hotfixes
  o K15113: BIG-IQ hotfix matrix
  o K10322: FirePass hotfix matrix
  o K12766: ARX hotfix matrix

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----