Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4751
Linux kernel TCP ISN vulnerability CVE-2011-3188
20 December 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIG-IP Products
Enterprise Manager
FirePass
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2011-3188
Reference: ESB-2014.0314
ESB-2012.0833.2
ESB-2012.0048
ESB-2011.1257
Original Bulletin:
https://support.f5.com/csp/article/K15301
- --------------------------BEGIN INCLUDED TEXT--------------------
K15301:Linux kernel TCP ISN vulnerability CVE-2011-3188
Security Advisory
Original Publication Date: 25 Jul, 2014
Latest Publication Date: 19 Dec, 2019
Security Advisory Description
The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3.1 use a
modified MD4 algorithm to generate sequence numbers and Fragment Identification
values, which makes it easier for remote attackers to cause a denial of service
(disrupted networking) or hijack network sessions by predicting these values
and sending crafted packets. (CVE-2011-3188)
Impact
Attackers may be able to cause denial-of-service (DoS) or hijack network
sessions by predicting sequence number values and sending crafted packets.
This issue affects control-plane traffic generated by the Linux kernel, and
does not affect data-plane traffic. Outbound connections initiated from the
BIG-IP system by administrative applications such as BIG-IP health monitors,
SNMP, SMTP, SSH, network time protocol (NTP), and so on, are processed by the
Linux operating system, and may be exploited by this vulnerability. For more
information, refer to K13284: Overview of management interface routing (11.x
and later).
Security Advisory Status
F5 Product Development has assigned ID 369450 (BIG-IP), ID 462318 (Enterprise
Manager), ID 453429 (FirePass), and ID 461496 (ARX) to this vulnerability.
Additionally, F5 iHealth lists Heuristic H464514 on the Diagnostics >
Identified > High page.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table.
+--------------+--------------+---------------+-------------------------------+
| |Versions known|Versions known | |
|Product |to be |to be not |Vulnerable component or feature|
| |vulnerable |vulnerable | |
+--------------+--------------+---------------+-------------------------------+
| |11.0.0 - | |Linux Kernel (host based |
|BIG-IP LTM |11.1.0 |11.2.0 - 11.6.0|services on the management or |
| |10.0.0 - | |TMM interfaces) |
| |10.2.4 | | |
+--------------+--------------+---------------+-------------------------------+
|BIG-IP AAM |None |11.4.0 - 11.6.0|None |
+--------------+--------------+---------------+-------------------------------+
|BIG-IP AFM |None |11.3.0 - 11.6.0|None |
+--------------+--------------+---------------+-------------------------------+
|BIG-IP |11.0.0 - | |Linux Kernel (host based |
|Analytics |11.1.0 |11.2.0 - 11.6.0|services on the management or |
| | | |TMM interfaces) |
+--------------+--------------+---------------+-------------------------------+
| |11.0.0 - | |Linux Kernel (host based |
|BIG-IP APM |11.1.0 |11.2.0 - 11.6.0|services on the management or |
| |10.1.0 - | |TMM interfaces) |
| |10.2.4 | | |
+--------------+--------------+---------------+-------------------------------+
| |11.0.0 - | |Linux Kernel (host based |
|BIG-IP ASM |11.1.0 |11.2.0 - 11.6.0|services on the management or |
| |10.0.0 - | |TMM interfaces) |
| |10.2.4 | | |
+--------------+--------------+---------------+-------------------------------+
| |11.0.0 - | |Linux Kernel (host based |
|BIG-IP Edge |11.1.0 |11.2.0 - 11.3.0|services on the management or |
|Gateway |10.1.0 - | |TMM interfaces) |
| |10.2.4 | | |
+--------------+--------------+---------------+-------------------------------+
| |11.0.0 - | |Linux Kernel (host based |
|BIG-IP GTM |11.1.0 |11.2.0 - 11.6.0|services on the management or |
| |10.0.0 - | |TMM interfaces) |
| |10.2.4 | | |
+--------------+--------------+---------------+-------------------------------+
| |11.0.0 - | |Linux Kernel (host based |
|BIG-IP Link |11.1.0 |11.2.0 - 11.6.0|services on the management or |
|Controller |10.0.0 - | |TMM interfaces) |
| |10.2.4 | | |
+--------------+--------------+---------------+-------------------------------+
|BIG-IP PEM |None |11.3.0 - 11.6.0|None |
+--------------+--------------+---------------+-------------------------------+
| |11.0.0 - | |Linux Kernel (host based |
|BIG-IP PSM |11.1.0 |11.2.0 - 11.4.1|services on the management or |
| |10.0.0 - | |TMM interfaces) |
| |10.2.4 | | |
+--------------+--------------+---------------+-------------------------------+
| |11.0.0 - | |Linux Kernel (host based |
|BIG-IP |11.1.0 |11.2.0 - 11.3.0|services on the management or |
|WebAccelerator|10.0.0 - | |TMM interfaces) |
| |10.2.4 | | |
+--------------+--------------+---------------+-------------------------------+
| |11.0.0 - | |Linux Kernel (host based |
|BIG-IP WOM |11.1.0 |11.2.0 - 11.3.0|services on the management or |
| |10.0.0 - | |TMM interfaces) |
| |10.2.4 | | |
+--------------+--------------+---------------+-------------------------------+
|ARX |6.0.0 - 6.4.0 |None |Linux kernel |
+--------------+--------------+---------------+-------------------------------+
|Enterprise |3.0.0 | |Linux Kernel (host based |
|Manager |2.1.0 - 2.3.0 |3.1.0 - 3.1.1 |services on the management or |
| | | |TMM interfaces) |
+--------------+--------------+---------------+-------------------------------+
|FirePass |7.0.0 |None |Linux kernel |
| |6.0.0 - 6.1.0 | | |
+--------------+--------------+---------------+-------------------------------+
|BIG-IQ Cloud |None |4.0.0 - 4.5.0 |None |
+--------------+--------------+---------------+-------------------------------+
|BIG-IQ Device |None |4.2.0 - 4.5.0 |None |
+--------------+--------------+---------------+-------------------------------+
|BIG-IQ |None |4.0.0 - 4.5.0 |None |
|Security | | | |
+--------------+--------------+---------------+-------------------------------+
|LineRate |None |1.6.0 - 2.5.0 |None |
+--------------+--------------+---------------+-------------------------------+
Security Advisory Recommended Actions
If the previous table lists a version in the Versions known to be not
vulnerable column, you can eliminate this vulnerability by upgrading to the
listed version. If the table does not list any version in the column, then no
upgrade candidate currently exists.
FirePass
To protect the FirePass controller, you can use a TCP and/or IP proxy in front
of FirePass to mitigate the issue.
Note: For information about Linux kernel versions that the BIG-IP system uses,
and how the BIG-IP uses the Linux operating system, refer to K3645: Base
operating system information for the BIG-IP host system.
Supplemental Information
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K167: Downloading software and firmware from F5
o K13284: Overview of management interface routing (11.x and later)
o K3669: Overview of management interface routing (9.x - 10.x)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXfxoh2aOgq3Tt24GAQjkpQ//bzfhJmSF6PreWoyO9aUw8twR52CLFopu
TgEBgF2i4ne/YdG7L4S1DpdiJe1TzanHfz4yYfMITrYh67U5+VKQTkrIYXoZ8rfK
Vks64f6purZ/ui6tUTiB61odq2UtoZBj9KKCGN2EhFFzlGnLTQ2vQeIf8tLweE3x
OZdxyJlnpunjvscZj3XJLeHKZVItkSV18IFrX/61+uzcgkSDPWWSRJiKiCXFzxgi
6Cy17qwtTHxwNQPQv7y9S2/V8kfLnz8fLq6IedgLLKf5DhBru+3IsXR97NfJQiWD
M7QnXiBo7/uSl7ZIVIgrrcLO7k4Wy60D/1u7L9HL49ZHgoErThwXXagsNLrUoYnH
s6oQTfwaykbSwdTX+yzpxGUMceURTFD2LfQ/kgk1VQdWX1GHMd5ink9bbg2iD6yO
F6yId6KE5+F6ZuhXVAiQedYgRzCgS/YUT/YY2IgTbzo4rfQ0gn66AMYQz53JdFqU
0sUrxWlahgWnlb4IBT3lrolJGOeVFPtNk18+WyQlxTK+LqufGeLr/+8KKeElBBu/
LT/Ov4BRo2+oglDg1mQjjiUKoVB9lBArQR/HAzBb4hlp3hfUQJonpBKYUAt0g/sZ
RNjszPBZWL9XJgRLvOBHy8jkf+GdGjMDb8ttRQ/K9+uVQxEnur4n3u9Nr2BbPpWk
EmfBy+oM4Kg=
=gZCD
-----END PGP SIGNATURE-----