Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3054
BIG-IP SSL connection security exposure
12 August 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: F5 BIG-IP products
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
Original Bulletin:
https://support.f5.com/csp/article/K41515225
- --------------------------BEGIN INCLUDED TEXT--------------------
K41515225: BIG-IP SSL connection security exposure
Security Advisory
Original Publication Date: 09 Aug, 2019
Security Advisory Description
On a virtual server configured with both Client SSL and Server SSL profiles,
when receiving a TCP FIN midstream in an SSL connection, the BIG-IP system
immediately proxies the FIN to the remote host on the peer side. If the remote
host on the peer side acknowledges the FIN, but ignores it and keeps sending
data to the BIG-IP system, the BIG-IP system receives and acknowledges the
data, but instead of proxying the ingress data, it drops all ingress data while
keeping the side that transmitted the original FIN open indefinitely.
Once the remote host on the peer side completes transmitting data and sends a
FIN of its own, the BIG-IP system will finally release the side that sent the
original FIN by allowing it to close.
This issue occurs when all of the following conditions are met:
o You configure a virtual server with Client SSL and Server SSL profiles.
o The virtual server proxies an SSL connection.
o One side of the SSL connection sends a FIN midstream to the BIG-IP system.
Impact
The BIG-IP system is capable of receiving, acknowledging, and dropping traffic
at extremely high bandwidths, and since the connection is no longer
bandwidth-limited by the original client, you may observe a spike in throughput
between the peer and BIG-IP system. It is possible, depending on the peer-side
network, that this spike in throughput can exhaust available network bandwidth
between the BIG-IP system and the peer.
Symptoms
As a result of this issue, you may encounter one or more of the following
symptoms:
o You view increased network throughput between the peer and the BIG-IP
system.
o Connections on the peer system remain open indefinitely until the remote
host completes transmitting data to the BIG-IP system.
Security Advisory Status
F5 Product Development has assigned ID 715750 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.
+------------------+-----------------+----------------------------------------+
|Type of fix |Fixes introduced |Related articles |
| |in | |
+------------------+-----------------+----------------------------------------+
|Release |15.0.0 |K2200: Most recent versions of F5 |
| |14.1.0 |software |
+------------------+-----------------+----------------------------------------+
|Point release/ |14.0.0.3 |K9502: BIG-IP hotfix and point release |
|hotfix |13.1.1.2 |matrix |
| |12.1.3.7 | |
+------------------+-----------------+----------------------------------------+
Security Advisory Recommended Actions
Workaround
To work around this issue, you can upgrade to a version in the Fixes introduced
in column and configure the Alert Timeout setting in the SSL profile. In
versions containing this fix, the BIG-IP system sends a RST once the Alert
Timeout value has been reached, forcefully aborting the connection early and
reducing the amount of data transferred between the peer system and the BIG-IP
system. Reducing the Alert Timeout value will directly affect the amount of
data transferred after the original FIN is received. To do so, perform the
following procedure:
Impact of workaround: Performing the following procedure should not have a
negative impact on your system.
1. Log in to the Configuration utility.
2. Navigate to Local Traffic > Profiles > SSL > Server SSL.
3. Click the name of the profile associated with the virtual server.
4. Next to Configuration, click Advanced.
5. For the Alert Timeout setting, enter the number of seconds to wait before
sending a RST. For example, 5.
6. Click Update.
New SSL connections to the virtual server will use the new setting.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXVC6xGaOgq3Tt24GAQh4zhAAiZdK2iMekKZ7Q92GlRicNMDLAi77GbOj
7/WGCdCStawfXnv0AyuUbYIM74VWixhyyTXSBr2WgSkVMWnbsdbsBUvr8P8Fo5Lj
CksHvgoVSQ6RTHNz8HyqQD5TxdR2P3761CAtjjSckCpG08aeCW1iHRInglyfSRJi
lxgu+eAMeZSsKqJi/ngbUe2VIUCN7CGH7rDe7jk9VkHpyG1QoFNfoqUtoZ+EE2NR
uXDf1Al/A1hkqkE9Zspmm8fS29FGmNfdu/DOz8dLN9RRveGQsEuZMX8SqkF9o/lp
ZqDd9mRpi1psuH2BQjr5X6tIcMTAPKxXRuqir6DutsPI57G8fH5rdTGsELw4INJm
WuP2yPVFqAHwBZkAnMzEEm6XhYIHQv39sFGPzNpFazV5esaSeEel7qq4MoonSXA5
JDEmmnG5pEAZ1l5wXBKMHGamMX6/A9pXqXDCX+guzMBK7HULvFX/FTH0Whzwk0sh
VCuJNxAoAsmOqV2xB81+TYt7imTwA7G4j5AyPjMXx1cvOxvj43/NHcccyMOu3P4R
Mnpy1E88gA1jujwS2MtF5yHqTl2BiLEMCwA0U1yO2ghbGWKzm1rslQrnhJl63jeO
1tR8MTgAlF5cIDMaN48s/dlifMwTvnSfD7F1fzGncKO0xqBHDO9hZrIX00SWNQQJ
vbYT0cTuirQ=
=FtJU
-----END PGP SIGNATURE-----