Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.4751 Linux kernel TCP ISN vulnerability CVE-2011-3188 20 December 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: BIG-IP Products Enterprise Manager FirePass Publisher: F5 Networks Operating System: Network Appliance Impact/Access: Denial of Service -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2011-3188 Reference: ESB-2014.0314 ESB-2012.0833.2 ESB-2012.0048 ESB-2011.1257 Original Bulletin: https://support.f5.com/csp/article/K15301 - --------------------------BEGIN INCLUDED TEXT-------------------- K15301:Linux kernel TCP ISN vulnerability CVE-2011-3188 Security Advisory Original Publication Date: 25 Jul, 2014 Latest Publication Date: 19 Dec, 2019 Security Advisory Description The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3.1 use a modified MD4 algorithm to generate sequence numbers and Fragment Identification values, which makes it easier for remote attackers to cause a denial of service (disrupted networking) or hijack network sessions by predicting these values and sending crafted packets. (CVE-2011-3188) Impact Attackers may be able to cause denial-of-service (DoS) or hijack network sessions by predicting sequence number values and sending crafted packets. This issue affects control-plane traffic generated by the Linux kernel, and does not affect data-plane traffic. Outbound connections initiated from the BIG-IP system by administrative applications such as BIG-IP health monitors, SNMP, SMTP, SSH, network time protocol (NTP), and so on, are processed by the Linux operating system, and may be exploited by this vulnerability. For more information, refer to K13284: Overview of management interface routing (11.x and later). Security Advisory Status F5 Product Development has assigned ID 369450 (BIG-IP), ID 462318 (Enterprise Manager), ID 453429 (FirePass), and ID 461496 (ARX) to this vulnerability. Additionally, F5 iHealth lists Heuristic H464514 on the Diagnostics > Identified > High page. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table. +--------------+--------------+---------------+-------------------------------+ | |Versions known|Versions known | | |Product |to be |to be not |Vulnerable component or feature| | |vulnerable |vulnerable | | +--------------+--------------+---------------+-------------------------------+ | |11.0.0 - | |Linux Kernel (host based | |BIG-IP LTM |11.1.0 |11.2.0 - 11.6.0|services on the management or | | |10.0.0 - | |TMM interfaces) | | |10.2.4 | | | +--------------+--------------+---------------+-------------------------------+ |BIG-IP AAM |None |11.4.0 - 11.6.0|None | +--------------+--------------+---------------+-------------------------------+ |BIG-IP AFM |None |11.3.0 - 11.6.0|None | +--------------+--------------+---------------+-------------------------------+ |BIG-IP |11.0.0 - | |Linux Kernel (host based | |Analytics |11.1.0 |11.2.0 - 11.6.0|services on the management or | | | | |TMM interfaces) | +--------------+--------------+---------------+-------------------------------+ | |11.0.0 - | |Linux Kernel (host based | |BIG-IP APM |11.1.0 |11.2.0 - 11.6.0|services on the management or | | |10.1.0 - | |TMM interfaces) | | |10.2.4 | | | +--------------+--------------+---------------+-------------------------------+ | |11.0.0 - | |Linux Kernel (host based | |BIG-IP ASM |11.1.0 |11.2.0 - 11.6.0|services on the management or | | |10.0.0 - | |TMM interfaces) | | |10.2.4 | | | +--------------+--------------+---------------+-------------------------------+ | |11.0.0 - | |Linux Kernel (host based | |BIG-IP Edge |11.1.0 |11.2.0 - 11.3.0|services on the management or | |Gateway |10.1.0 - | |TMM interfaces) | | |10.2.4 | | | +--------------+--------------+---------------+-------------------------------+ | |11.0.0 - | |Linux Kernel (host based | |BIG-IP GTM |11.1.0 |11.2.0 - 11.6.0|services on the management or | | |10.0.0 - | |TMM interfaces) | | |10.2.4 | | | +--------------+--------------+---------------+-------------------------------+ | |11.0.0 - | |Linux Kernel (host based | |BIG-IP Link |11.1.0 |11.2.0 - 11.6.0|services on the management or | |Controller |10.0.0 - | |TMM interfaces) | | |10.2.4 | | | +--------------+--------------+---------------+-------------------------------+ |BIG-IP PEM |None |11.3.0 - 11.6.0|None | +--------------+--------------+---------------+-------------------------------+ | |11.0.0 - | |Linux Kernel (host based | |BIG-IP PSM |11.1.0 |11.2.0 - 11.4.1|services on the management or | | |10.0.0 - | |TMM interfaces) | | |10.2.4 | | | +--------------+--------------+---------------+-------------------------------+ | |11.0.0 - | |Linux Kernel (host based | |BIG-IP |11.1.0 |11.2.0 - 11.3.0|services on the management or | |WebAccelerator|10.0.0 - | |TMM interfaces) | | |10.2.4 | | | +--------------+--------------+---------------+-------------------------------+ | |11.0.0 - | |Linux Kernel (host based | |BIG-IP WOM |11.1.0 |11.2.0 - 11.3.0|services on the management or | | |10.0.0 - | |TMM interfaces) | | |10.2.4 | | | +--------------+--------------+---------------+-------------------------------+ |ARX |6.0.0 - 6.4.0 |None |Linux kernel | +--------------+--------------+---------------+-------------------------------+ |Enterprise |3.0.0 | |Linux Kernel (host based | |Manager |2.1.0 - 2.3.0 |3.1.0 - 3.1.1 |services on the management or | | | | |TMM interfaces) | +--------------+--------------+---------------+-------------------------------+ |FirePass |7.0.0 |None |Linux kernel | | |6.0.0 - 6.1.0 | | | +--------------+--------------+---------------+-------------------------------+ |BIG-IQ Cloud |None |4.0.0 - 4.5.0 |None | +--------------+--------------+---------------+-------------------------------+ |BIG-IQ Device |None |4.2.0 - 4.5.0 |None | +--------------+--------------+---------------+-------------------------------+ |BIG-IQ |None |4.0.0 - 4.5.0 |None | |Security | | | | +--------------+--------------+---------------+-------------------------------+ |LineRate |None |1.6.0 - 2.5.0 |None | +--------------+--------------+---------------+-------------------------------+ Security Advisory Recommended Actions If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, then no upgrade candidate currently exists. FirePass To protect the FirePass controller, you can use a TCP and/or IP proxy in front of FirePass to mitigate the issue. Note: For information about Linux kernel versions that the BIG-IP system uses, and how the BIG-IP uses the Linux operating system, refer to K3645: Base operating system information for the BIG-IP host system. Supplemental Information o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K167: Downloading software and firmware from F5 o K13284: Overview of management interface routing (11.x and later) o K3669: Overview of management interface routing (9.x - 10.x) - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXfxoh2aOgq3Tt24GAQjkpQ//bzfhJmSF6PreWoyO9aUw8twR52CLFopu TgEBgF2i4ne/YdG7L4S1DpdiJe1TzanHfz4yYfMITrYh67U5+VKQTkrIYXoZ8rfK Vks64f6purZ/ui6tUTiB61odq2UtoZBj9KKCGN2EhFFzlGnLTQ2vQeIf8tLweE3x OZdxyJlnpunjvscZj3XJLeHKZVItkSV18IFrX/61+uzcgkSDPWWSRJiKiCXFzxgi 6Cy17qwtTHxwNQPQv7y9S2/V8kfLnz8fLq6IedgLLKf5DhBru+3IsXR97NfJQiWD M7QnXiBo7/uSl7ZIVIgrrcLO7k4Wy60D/1u7L9HL49ZHgoErThwXXagsNLrUoYnH s6oQTfwaykbSwdTX+yzpxGUMceURTFD2LfQ/kgk1VQdWX1GHMd5ink9bbg2iD6yO F6yId6KE5+F6ZuhXVAiQedYgRzCgS/YUT/YY2IgTbzo4rfQ0gn66AMYQz53JdFqU 0sUrxWlahgWnlb4IBT3lrolJGOeVFPtNk18+WyQlxTK+LqufGeLr/+8KKeElBBu/ LT/Ov4BRo2+oglDg1mQjjiUKoVB9lBArQR/HAzBb4hlp3hfUQJonpBKYUAt0g/sZ RNjszPBZWL9XJgRLvOBHy8jkf+GdGjMDb8ttRQ/K9+uVQxEnur4n3u9Nr2BbPpWk EmfBy+oM4Kg= =gZCD -----END PGP SIGNATURE-----