Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

                  BIG-IP SSL connection security exposure
                              12 August 2019


        AusCERT Security Bulletin Summary

Product:           F5 BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

K41515225: BIG-IP SSL connection security exposure

Security Advisory

Original Publication Date: 09 Aug, 2019

Security Advisory Description

On a virtual server configured with both Client SSL and Server SSL profiles,
when receiving a TCP FIN midstream in an SSL connection, the BIG-IP system
immediately proxies the FIN to the remote host on the peer side. If the remote
host on the peer side acknowledges the FIN, but ignores it and keeps sending
data to the BIG-IP system, the BIG-IP system receives and acknowledges the
data, but instead of proxying the ingress data, it drops all ingress data while
keeping the side that transmitted the original FIN open indefinitely.

Once the remote host on the peer side completes transmitting data and sends a
FIN of its own, the BIG-IP system will finally release the side that sent the
original FIN by allowing it to close.

This issue occurs when all of the following conditions are met:

  o You configure a virtual server with Client SSL and Server SSL profiles.
  o The virtual server proxies an SSL connection.
  o One side of the SSL connection sends a FIN midstream to the BIG-IP system.


The BIG-IP system is capable of receiving, acknowledging, and dropping traffic
at extremely high bandwidths, and since the connection is no longer
bandwidth-limited by the original client, you may observe a spike in throughput
between the peer and BIG-IP system. It is possible, depending on the peer-side
network, that this spike in throughput can exhaust available network bandwidth
between the BIG-IP system and the peer.


As a result of this issue, you may encounter one or more of the following

  o You view increased network throughput between the peer and the BIG-IP
  o Connections on the peer system remain open indefinitely until the remote
    host completes transmitting data to the BIG-IP system.

Security Advisory Status

F5 Product Development has assigned ID 715750 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
|Release           |15.0.0           |K2200: Most recent versions of F5       |
|                  |14.1.0           |software                                |
|Point release/    |         |K9502: BIG-IP hotfix and point release  |
|hotfix            |         |matrix                                  |
|                  |         |                                        |

Security Advisory Recommended Actions


To work around this issue, you can upgrade to a version in the Fixes introduced
in column and configure the Alert Timeout setting in the SSL profile. In
versions containing this fix, the BIG-IP system sends a RST once the Alert
Timeout value has been reached, forcefully aborting the connection early and
reducing the amount of data transferred between the peer system and the BIG-IP
system. Reducing the Alert Timeout value will directly affect the amount of
data transferred after the original FIN is received. To do so, perform the
following procedure:

Impact of workaround: Performing the following procedure should not have a
negative impact on your system.

 1. Log in to the Configuration utility.
 2. Navigate to Local Traffic > Profiles > SSL > Server SSL.
 3. Click the name of the profile associated with the virtual server.
 4. Next to Configuration, click Advanced.
 5. For the Alert Timeout setting, enter the number of seconds to wait before
    sending a RST.  For example, 5.
 6. Click Update.

    New SSL connections to the virtual server will use the new setting.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967