-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3054
                  BIG-IP SSL connection security exposure
                               12 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://support.f5.com/csp/article/K41515225

- --------------------------BEGIN INCLUDED TEXT--------------------

K41515225: BIG-IP SSL connection security exposure

Security Advisory

Original Publication Date: 09 Aug, 2019

Security Advisory Description

On a virtual server configured with both Client SSL and Server SSL profiles,
when the BIG-IP system receives a TCP FIN midstream in an SSL connection, it
immediately proxies the FIN to the remote host on the peer side. A FIN only
announces that its sender has no more data to send (a TCP half-close); the
peer side is still entitled to keep sending. If the remote host on the peer
side acknowledges the FIN but keeps sending data to the BIG-IP system, the
BIG-IP system receives and acknowledges that data but, instead of proxying
the ingress data, drops all of it while keeping the side that transmitted the
original FIN open indefinitely. Once the remote host on the peer side finishes
transmitting data and sends a FIN of its own, the BIG-IP system finally
releases the side that sent the original FIN by allowing it to close.

This issue occurs when all of the following conditions are met:

  o You configure a virtual server with Client SSL and Server SSL profiles.
  o The virtual server proxies an SSL connection.
  o One side of the SSL connection sends a FIN midstream to the BIG-IP system.
Impact

The BIG-IP system is capable of receiving, acknowledging, and dropping traffic
at extremely high bandwidths, and because the connection is no longer
bandwidth-limited by the original client, you may observe a spike in
throughput between the peer and the BIG-IP system. Depending on the peer-side
network, this spike in throughput can exhaust the available network bandwidth
between the BIG-IP system and the peer.

Symptoms

As a result of this issue, you may encounter one or more of the following
symptoms:

  o You observe increased network throughput between the peer and the BIG-IP
    system.
  o The connection on the side that sent the original FIN remains open until
    the remote host on the peer side finishes transmitting data to the BIG-IP
    system and sends its own FIN.

Security Advisory Status

F5 Product Development has assigned ID 715750 to this issue.

F5 has confirmed that this issue exists in the products listed in the Applies
to (see versions) box, located in the upper-right corner of this article (the
box is not reproduced in this bulletin). For information about releases, point
releases, or hotfixes that resolve this issue, refer to the following table.

+------------------+-----------------+----------------------------------------+
|Type of fix       |Fixes introduced |Related articles                        |
|                  |in               |                                        |
+------------------+-----------------+----------------------------------------+
|Release           |15.0.0           |K2200: Most recent versions of F5       |
|                  |14.1.0           |software                                |
+------------------+-----------------+----------------------------------------+
|Point release/    |14.0.0.3         |K9502: BIG-IP hotfix and point release  |
|hotfix            |13.1.1.2         |matrix                                  |
|                  |12.1.3.7         |                                        |
+------------------+-----------------+----------------------------------------+

Security Advisory Recommended Actions

Workaround

To work around this issue, upgrade to a version listed in the Fixes introduced
in column and then configure the Alert Timeout setting in the Server SSL
profile; the setting has no effect on this issue in versions without the fix.
In versions containing this fix, the BIG-IP system sends an RST once the Alert
Timeout value has been reached, forcefully aborting the connection early and
reducing the amount of data transferred between the peer system and the BIG-IP
system. The Alert Timeout value directly bounds the amount of data transferred
after the original FIN is received: the smaller the value, the less data the
peer can push before the RST. To configure it, perform the following
procedure:

Impact of workaround: Performing the following procedure should not have a
negative impact on your system.

 1. Log in to the Configuration utility.
 2. Navigate to Local Traffic > Profiles > SSL > Server SSL.
 3. Click the name of the profile associated with the virtual server.
 4. Next to Configuration, click Advanced.
 5. For the Alert Timeout setting, enter the number of seconds to wait before
    sending an RST. For example, 5.
 6. Click Update.

New SSL connections to the virtual server will use the new setting; existing
connections keep the value they were established with.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
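The fix table and the Alert Timeout workaround in the included F5 text above translate into two checks an operator will want to run across a fleet: is this BIG-IP on a version that contains fix 715750, and, on fixed versions, do the Server SSL profiles attached to virtual servers that also carry a Client SSL profile still have Alert Timeout left at "indefinite" (no RST is ever sent in that case)? The following is an added example written for this bulletin; it is not F5's or AusCERT's code. It assumes tmsh one-line listing output (`tmsh list ltm profile server-ssl one-line` and the client-ssl and virtual equivalents) as its input, the tmsh property names `alert-timeout`, `defaults-from` and `profiles`, and treats every version branch that the advisory's table does not list (for example 13.0.x) as unfixed. The sample device output at the bottom is constructed, not captured from a real system.

```python
"""Audit helper for K41515225 / F5 ID 715750 (added example; not F5's or AusCERT's code).

Assumptions not taken from the advisory: branches absent from the fix table are
treated as unfixed; the input is tmsh one-line listing output; the property
names alert-timeout, defaults-from and profiles are the tmsh names as this
example understands them. All sample data below is constructed.
"""
import re

# From the advisory's "Fixes introduced in" column.
FIXED_FROM_RELEASE = (15, 0, 0, 0)   # 15.0.0 and every later release
FIXED_ON_BRANCH = {                   # point releases / hotfixes per branch
    (14, 1): (14, 1, 0, 0),
    (14, 0): (14, 0, 0, 3),
    (13, 1): (13, 1, 1, 2),
    (12, 1): (12, 1, 3, 7),
}


def parse_version(text):
    """'14.0.0.3' -> (14, 0, 0, 3); shorter strings are zero-padded to four fields."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def has_fix(version):
    """True when `version` contains fix 715750 according to the advisory's table."""
    v = parse_version(version)
    if v >= FIXED_FROM_RELEASE:
        return True
    first_fixed = FIXED_ON_BRANCH.get(v[:2])
    # Branches absent from the table (for example 13.0.x) are treated as unfixed.
    return first_fixed is not None and v >= first_fixed


OBJECT_RE = re.compile(r"^ltm (profile client-ssl|profile server-ssl|virtual) (\S+) \{(.*)\}\s*$")


def parse_tmsh(text):
    """Split one-line tmsh output into {kind: {object name: body between the outer braces}}."""
    objects = {"client-ssl": {}, "server-ssl": {}, "virtual": {}}
    for line in text.splitlines():
        m = OBJECT_RE.match(line.strip())
        if m:
            objects[m.group(1).replace("profile ", "")][m.group(2)] = m.group(3)
    return objects


def nested_block(body, key):
    """Return the text inside `key { ... }` in a one-line body, honouring nested braces."""
    start = body.find(key + " {")
    if start < 0:
        return ""
    i = j = start + len(key) + 2
    depth = 1
    while j < len(body) and depth:
        depth += {"{": 1, "}": -1}.get(body[j], 0)
        j += 1
    return body[i:j - 1] if depth == 0 else body[i:]


def alert_timeout(name, server_ssl, seen=()):
    """Resolve alert-timeout for a server-ssl profile, following defaults-from.

    Returns None when the chain ends without an explicit value: plain `tmsh list`
    omits properties left at their default unless all-properties is requested.
    """
    body = server_ssl.get(name)
    if body is None or name in seen:
        return None
    m = re.search(r"\balert-timeout (\S+)", body)
    if m:
        return m.group(1)
    parent = re.search(r"\bdefaults-from (\S+)", body)
    return alert_timeout(parent.group(1), server_ssl, seen + (name,)) if parent else None


def audit(version, tmsh_text):
    """One finding per (virtual server, server-ssl profile) pair meeting the advisory's conditions."""
    objects = parse_tmsh(tmsh_text)
    fixed = has_fix(version)
    findings = []
    for vs, body in objects["virtual"].items():
        attached = set(re.findall(r"(\S+) \{[^{}]*\}", nested_block(body, "profiles")))
        if not attached.intersection(objects["client-ssl"]):
            continue                        # no Client SSL profile: advisory does not apply
        for sp in sorted(attached.intersection(objects["server-ssl"])):
            timeout = alert_timeout(sp, objects["server-ssl"])
            if not fixed:
                action = "upgrade"          # the RST is only sent on versions with the fix
            elif timeout is None:
                action = "unknown-timeout"  # re-run the listing with all-properties
            elif timeout == "indefinite":
                action = "set-alert-timeout"
            else:
                action = "ok"
            findings.append({"virtual": vs, "server_ssl": sp,
                             "alert_timeout": timeout, "action": action})
    return findings


# Constructed sample input: not output captured from a real device.
SAMPLE_VERSION = "14.1.0"
SAMPLE_TMSH = """\
ltm profile client-ssl clientssl { alert-timeout indefinite cert default.crt key default.key }
ltm profile client-ssl app-clientssl { cert app.crt defaults-from clientssl key app.key }
ltm profile server-ssl serverssl { alert-timeout indefinite }
ltm profile server-ssl app-serverssl { defaults-from serverssl server-name app.example.com }
ltm profile server-ssl hardened-serverssl { alert-timeout 5 defaults-from serverssl }
ltm virtual vs_app { destination 10.0.0.10:443 profiles { app-clientssl { context clientside } app-serverssl { context serverside } http { } tcp { } } }
ltm virtual vs_hardened { destination 10.0.0.11:443 profiles { app-clientssl { context clientside } hardened-serverssl { context serverside } tcp { } } }
ltm virtual vs_offload { destination 10.0.0.12:443 profiles { app-clientssl { context clientside } http { } tcp { } } }
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_VERSION, SAMPLE_TMSH):
        print(f"{f['virtual']:<14} {f['server_ssl']:<20} alert-timeout={f['alert_timeout']!s:<10} {f['action']}")
```

On the sample, vs_app is reported with `set-alert-timeout` because app-serverssl inherits `indefinite` from the base serverssl profile, vs_hardened is `ok` with its explicit 5-second timeout, and vs_offload is skipped because it has no Server SSL profile and so never meets the advisory's first condition. Run against the same configuration on 14.0.0.2 every finding becomes `upgrade`, reflecting the advisory's point that the timeout alone does nothing before the fix is installed.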
NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXVC6xGaOgq3Tt24GAQh4zhAAiZdK2iMekKZ7Q92GlRicNMDLAi77GbOj
7/WGCdCStawfXnv0AyuUbYIM74VWixhyyTXSBr2WgSkVMWnbsdbsBUvr8P8Fo5Lj
CksHvgoVSQ6RTHNz8HyqQD5TxdR2P3761CAtjjSckCpG08aeCW1iHRInglyfSRJi
lxgu+eAMeZSsKqJi/ngbUe2VIUCN7CGH7rDe7jk9VkHpyG1QoFNfoqUtoZ+EE2NR
uXDf1Al/A1hkqkE9Zspmm8fS29FGmNfdu/DOz8dLN9RRveGQsEuZMX8SqkF9o/lp
ZqDd9mRpi1psuH2BQjr5X6tIcMTAPKxXRuqir6DutsPI57G8fH5rdTGsELw4INJm
WuP2yPVFqAHwBZkAnMzEEm6XhYIHQv39sFGPzNpFazV5esaSeEel7qq4MoonSXA5
JDEmmnG5pEAZ1l5wXBKMHGamMX6/A9pXqXDCX+guzMBK7HULvFX/FTH0Whzwk0sh
VCuJNxAoAsmOqV2xB81+TYt7imTwA7G4j5AyPjMXx1cvOxvj43/NHcccyMOu3P4R
Mnpy1E88gA1jujwS2MtF5yHqTl2BiLEMCwA0U1yO2ghbGWKzm1rslQrnhJl63jeO
1tR8MTgAlF5cIDMaN48s/dlifMwTvnSfD7F1fzGncKO0xqBHDO9hZrIX00SWNQQJ
vbYT0cTuirQ=
=FtJU
-----END PGP SIGNATURE-----