Published:

20 December 2019

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4744
  ASM Cloud Security Services authentication vulnerability CVE-2019-6687
                             20 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP ASM
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-6687  

Original Bulletin: 
   https://support.f5.com/csp/article/K59957337

- --------------------------BEGIN INCLUDED TEXT--------------------

K59957337:ASM Cloud Security Services authentication vulnerability CVE-2019-6687

Security Advisory

Original Publication Date: 20 Dec, 2019

Security Advisory Description

The BIG-IP ASM Cloud Security Services profile uses a built-in verification
mechanism that fails to properly authenticate the X.509 certificate of remote
endpoints. (CVE-2019-6687)

Impact

This vulnerability may allow man-in-the-middle attackers to intercept traffic
destined for cloud services, and read and modify data that is in transit.

Security Advisory Status

F5 Product Development has assigned ID 825597 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+------------------+------+----------+----------+-----------+------+----------+
|                  |      |Versions  |Fixes     |           |CVSSv3|Vulnerable|
|Product           |Branch|known to  |introduced|Severity   |score^|component |
|                  |      |be        |in        |           |1     |or feature|
|                  |      |vulnerable|          |           |      |          |
+------------------+------+----------+----------+-----------+------+----------+
|                  |15.x  |15.0.1    |15.1.0    |           |      |          |
|                  +------+----------+----------+           |      |          |
|                  |14.x  |None      |Not       |           |      |          |
|                  |      |          |applicable|           |      |          |
|                  +------+----------+----------+           |      |Cloud     |
|                  |13.x  |None      |Not       |           |      |Security  |
|BIG-IP (ASM)      |      |          |applicable|Medium     |5.9   |Services  |
|                  +------+----------+----------+           |      |profile   |
|                  |12.x  |None      |Not       |           |      |          |
|                  |      |          |applicable|           |      |          |
|                  +------+----------+----------+           |      |          |
|                  |11.x  |None      |Not       |           |      |          |
|                  |      |          |applicable|           |      |          |
+------------------+------+----------+----------+-----------+------+----------+
|                  |15.x  |None      |Not       |           |      |          |
|                  |      |          |applicable|           |      |          |
|                  +------+----------+----------+           |      |          |
|                  |14.x  |None      |Not       |           |      |          |
|BIG-IP (LTM, AAM, |      |          |applicable|           |      |          |
|AFM, Analytics,   +------+----------+----------+Not        |      |          |
|APM, DNS, FPS,    |13.x  |None      |Not       |vulnerable^|None  |None      |
|GTM, Link         |      |          |applicable|2          |      |          |
|Controller, PEM)  +------+----------+----------+           |      |          |
|                  |12.x  |None      |Not       |           |      |          |
|                  |      |          |applicable|           |      |          |
|                  +------+----------+----------+           |      |          |
|                  |11.x  |None      |Not       |           |      |          |
|                  |      |          |applicable|           |      |          |
+------------------+------+----------+----------+-----------+------+----------+
|Enterprise Manager|3.x   |None      |Not       |Not        |None  |None      |
|                  |      |          |applicable|vulnerable |      |          |
+------------------+------+----------+----------+-----------+------+----------+
|                  |7.x   |None      |Not       |           |      |          |
|                  |      |          |applicable|           |      |          |
|                  +------+----------+----------+           |      |          |
|BIG-IQ Centralized|6.x   |None      |Not       |Not        |None  |None      |
|Management        |      |          |applicable|vulnerable |      |          |
|                  +------+----------+----------+           |      |          |
|                  |5.x   |None      |Not       |           |      |          |
|                  |      |          |applicable|           |      |          |
+------------------+------+----------+----------+-----------+------+----------+
|F5 iWorkflow      |2.x   |None      |Not       |Not        |None  |None      |
|                  |      |          |applicable|vulnerable |      |          |
+------------------+------+----------+----------+-----------+------+----------+
|Traffix SDC       |5.x   |None      |Not       |Not        |None  |None      |
|                  |      |          |applicable|vulnerable |      |          |
+------------------+------+----------+----------+-----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

^2The specified products contain the affected code. However, F5 identifies the
vulnerability status as Not vulnerable because the attacker cannot exploit the
code in default, standard, or recommended configurations.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you can create a new serverssl SSL profile to
perform server certificate authentication, and then associate the profile with
the virtual server. To do so, perform the following procedure:

Impact of action: Performing the following procedure should not have a negative
impact on your system.

Creating a serverssl profile to perform server certificate authentication

 1. Log into the Configuration utility.
 2. Go to Local Traffic > Profiles > SSL > Server.
 3. Select Create.
 4. In Name, enter a name for the SSL profile.
 5. For Server Authentication, select the Custom check box.
 6. In the Server Certificate list, select require.
 7. In the Frequency list, select always.
 8. In the Trusted Certificate Authorities list, select ca-bundle.crt.
 9. Click Finished.

You must now associate the new serverssl profile with the virtual server that
references the Cloud Security Services profile.
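An added configuration audit (example code, not from F5 or AusCERT) that parses constructed `tmsh list ltm profile server-ssl` output and flags serverssl profiles that do not enforce the three settings the procedure above configures; the tmsh keys `peer-cert-mode`, `authenticate` and `ca-file`, the profile names and the sample values are this example's assumptions.

```python
import re

# Constructed sample in the shape of `tmsh list ltm profile server-ssl` output;
# profile names and values are made up for this example.
SAMPLE_TMSH_OUTPUT = """\
ltm profile server-ssl /Common/serverssl {
    app-service none
    authenticate once
    ca-file none
    defaults-from none
    peer-cert-mode ignore
}
ltm profile server-ssl /Common/cloud-services-auth {
    app-service none
    authenticate always
    ca-file /Common/ca-bundle.crt
    defaults-from /Common/serverssl
    peer-cert-mode require
}
"""

# tmsh settings assumed to correspond to the GUI fields in the mitigation.
REQUIRED = {
    "peer-cert-mode": "require",  # Server Certificate: require
    "authenticate": "always",     # Frequency: always
}

# One profile block per match; only a '}' at column 0 closes a block, so an
# indented sub-block would not end the match early (its lines are ignored here).
_BLOCK = re.compile(r"ltm profile server-ssl (\S+) \{\n(.*?)\n\}", re.S)


def parse_server_ssl_profiles(text):
    """Return {profile_name: {setting: value}} from tmsh list output."""
    profiles = {}
    for name, body in _BLOCK.findall(text):
        settings = {}
        for line in body.splitlines():
            key, _, value = line.strip().partition(" ")
            settings[key] = value
        profiles[name] = settings
    return profiles


def audit_server_ssl(profiles):
    """Return {profile_name: [findings]} for profiles that skip server cert authentication."""
    findings = {}
    for name, s in profiles.items():
        issues = [f"{k} is {s.get(k, 'unset')!r}, expected {v!r}"
                  for k, v in REQUIRED.items() if s.get(k) != v]
        if s.get("ca-file", "none") == "none":
            issues.append("ca-file is none: no Trusted Certificate Authorities bundle")
        if issues:
            findings[name] = issues
    return findings
```

Run the audit against the live device by feeding it the real `tmsh list ltm profile server-ssl` output; only profiles that appear in the result need attention.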

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================