ESB-2016.0650 - [Appliance] F5 BIG-IP products: Multiple vulnerabilities

Date: 10 March 2016
References: ESB-2016.0543.2  ESB-2016.0544  ESB-2016.0547  ESB-2016.0560  ASB-2016.0019  ESB-2016.0634  ESB-2016.0636  ESB-2016.0661  ESB-2016.0690  ESB-2016.0750  ESB-2016.1029


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0650
   SOL95463126: OpenSSL vulnerabilities CVE-2016-0703 and CVE-2016-0704
                               10 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-0800 CVE-2016-0704 CVE-2016-0703

Reference:         ASB-2016.0019
                   ESB-2016.0636
                   ESB-2016.0634
                   ESB-2016.0560
                   ESB-2016.0547
                   ESB-2016.0544
                   ESB-2016.0543.2

Original Bulletin: 
   https://support.f5.com/kb/en-us/solutions/public/k/95/sol95463126.html

--------------------------BEGIN INCLUDED TEXT--------------------

SOL95463126: OpenSSL vulnerabilities CVE-2016-0703 and CVE-2016-0704

Security Advisory

Original Publication Date: 03/09/2016

Vulnerability Description

CVE-2016-0703

The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in
OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 
before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for 
an arbitrary cipher, which allows man-in-the-middle attackers to determine the
MASTER-KEY value and decrypt TLS ciphertext data by leveraging a 
Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.

CVE-2016-0704

An oracle protection mechanism in the get_client_master_key function in 
s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before
1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect 
MASTER-KEY bytes during use of export cipher suites, which makes it easier for
remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher
RSA padding oracle, a related issue to CVE-2016-0800.

Impact

BIG-IQ/Enterprise Manager

F5 is still researching the issue, and will update this article when the 
information has been confirmed. F5 Technical Support has no additional 
information on this issue.

ARX/Websafe/FirePass/LineRate/Traffix

There is no impact. These F5 products are not affected by these 
vulnerabilities.

BIG-IP

This issue is exposed only through SSLv2 and is related to the DROWN 
vulnerability (CVE-2016-0800). BIG-IP is not affected by these 
vulnerabilities in the default configuration. F5 recommends that you do not 
use the SSLv2 protocol, which is not enabled in the BIG-IP default 
configuration. Configurations that manually enable SSLv2 expose this 
vulnerability.

Security Issue Status

F5 Product Development has assigned ID 513382 (BIG-IP) to this vulnerability,
and has evaluated the currently supported releases for potential 
vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product 			Versions known to be vulnerable 	Versions known to be not vulnerable 	Severity 	Vulnerable component or feature

BIG-IP LTM 			11.6.0 - 11.6.0 HF4			12.0.0					Medium 		See Vulnerability Recommended Actions
				11.5.0 - 11.5.3 HF1			11.6.0 HF5 and HF6
				11.3.0 - 11.4.1 HF8			11.5.4
				11.0.0 - 11.2.1 HF14			11.5.3 HF2
				10.1.0 - 10.2.4 			11.4.1 HF9
									11.2.1 HF15 

BIG-IP AAM 			11.6.0 - 11.6.0 HF4			12.0.0					Medium 		See Vulnerability Recommended Actions
				11.5.0 - 11.5.3 HF1			11.6.0 HF5 and HF6
				11.4.0 - 11.4.1 HF8 			11.5.4
									11.5.3 HF2
									11.4.1 HF9 

BIG-IP AFM 			11.6.0 - 11.6.0 HF4			12.0.0					Medium 		See Vulnerability Recommended Actions
				11.5.0 - 11.5.3 HF1			11.6.0 HF5 and HF6
				11.3.0 - 11.4.1 HF8 			11.5.4
									11.5.3 HF2
									11.4.1 HF9 

BIG-IP Analytics 		11.6.0 - 11.6.0 HF4			12.0.0					Medium 		See Vulnerability Recommended Actions
				11.5.0 - 11.5.3 HF1			11.6.0 HF5 and HF6
				11.3.0 - 11.4.1 HF8			11.5.4
				11.0.0 - 11.2.1 HF14 			11.5.3 HF2
									11.4.1 HF9
									11.2.1 HF15 

BIG-IP APM 			11.6.0 - 11.6.0 HF4			12.0.0					Medium 		See Vulnerability Recommended Actions
				11.5.0 - 11.5.3 HF1			11.6.0 HF5 and HF6
				11.3.0 - 11.4.1 HF8			11.5.4
				11.0.0 - 11.2.1 HF14			11.5.3 HF2
				10.1.0 - 10.2.4 			11.4.1 HF9
									11.2.1 HF15 

BIG-IP ASM 			11.6.0 - 11.6.0 HF4			12.0.0					Medium 		See Vulnerability Recommended Actions
				11.5.0 - 11.5.3 HF1			11.6.0 HF5 and HF6
				11.3.0 - 11.4.1 HF8			11.5.4
				11.0.0 - 11.2.1 HF14			11.5.3 HF2
				10.1.0 - 10.2.4 			11.4.1 HF9
									11.2.1 HF15 

BIG-IP DNS 			None 					12.0.0 					Not vulnerable 	None

BIG-IP Edge Gateway 		11.3.0					11.2.1 HF15 				Medium 		See Vulnerability Recommended Actions
				11.0.0 - 11.2.1 HF14
				10.1.0 - 10.2.4 

BIG-IP GTM 			11.6.0 - 11.6.0 HF4			11.6.0 HF5 and HF6			Medium 		See Vulnerability Recommended Actions
				11.5.0 - 11.5.3 HF1			11.5.4
				11.3.0 - 11.4.1 HF8			11.5.3 HF2
				11.0.0 - 11.2.1 HF14			11.4.1 HF9
				10.1.0 - 10.2.4 			11.2.1 HF15 

BIG-IP Link Controller 		11.6.0 - 11.6.0 HF4			12.0.0					Medium 		See Vulnerability Recommended Actions
				11.5.0 - 11.5.3 HF1			11.6.0 HF5 and HF6
				11.3.0 - 11.4.1 HF8			11.5.4
				11.0.0 - 11.2.1 HF14			11.5.3 HF2
				10.1.0 - 10.2.4				11.4.1 HF9
									11.2.1 HF15 

BIG-IP PEM 			11.6.0 - 11.6.0 HF4			12.0.0					Medium 		See Vulnerability Recommended Actions
				11.5.0 - 11.5.3 HF1			11.6.0 HF5 and HF6
				11.3.0 - 11.4.1 HF8 			11.5.4
									11.5.3 HF2
									11.4.1 HF9 

BIG-IP PSM 			11.3.0 - 11.4.1 HF8			11.4.1 HF9				Medium 		See Vulnerability Recommended Actions
				11.0.0 - 11.2.1 HF14			11.2.1 HF15
				10.1.0 - 10.2.4 
			
BIG-IP WebAccelerator 		11.3.0					11.2.1 HF15 				Medium 		See Vulnerability Recommended Actions
				11.0.0 - 11.2.1 HF14
				10.1.0 - 10.2.4 

BIG-IP WOM 			11.3.0					11.2.1 HF15 				Medium 		See Vulnerability Recommended Actions
				11.0.0 - 11.2.1 HF14
				10.1.0 - 10.2.4 

ARX 				None 					6.0.0 - 6.4.0 				Not vulnerable 	None

Enterprise Manager 		** 					** 					** 		**

FirePass 			None 					7.0.0					Not vulnerable 	None
									6.0.0 - 6.1.0 

BIG-IQ Cloud 			** 					** 					** 		**

BIG-IQ Device 			** 					** 					** 		**

BIG-IQ Security 		** 					** 					** 		**

BIG-IQ ADC 			** 					** 					** 		**

BIG-IQ Centralized Management 	** 					** 					** 		**

BIG-IQ Cloud and Orchestration 	** 					** 					** 		**

LineRate			None 					2.5.0 - 2.6.1 				Not vulnerable 	None

F5 WebSafe 			None 					1.0.0 					Not vulnerable 	None

Traffix SDC 			None 					4.0.0 - 4.4.0				Not vulnerable 	None
									3.3.2 - 3.5.1 

**Confirmation of vulnerability or non-vulnerability is not presently 
available. F5 is still researching the issue for the products indicated, and 
will update this article with the most current information as soon as it has 
been confirmed. F5 Technical Support has no additional information on this 
issue.

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable 
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a 
non-vulnerable version, then no upgrade candidate currently exists.

F5 responds to vulnerabilities in accordance with the Severity values 
published in the previous table. The Severity values and other security 
vulnerability parameters are defined in SOL4602: Overview of the F5 security 
vulnerability response policy.

BIG-IP

BIG-IP is not vulnerable to this issue in default configurations. F5 
recommends that you do not enable the use of SSLv2 or EXPORT ciphers in either
data plane or control plane configurations. In addition, note the following:

Data plane virtual servers in BIG-IP 10.1.0 through 11.6.0 (excluding the 
versions listed in the Versions known to be not vulnerable column in the 
Security Issue Status table) can be made vulnerable by configuring COMPAT 
ciphers in the cipher string. Additionally, BIG-IP 10.2.1 and 10.2.2 will also
expose the issue with ALL in the cipher string. If you require the use of 
COMPAT ciphers, you should include !SSLV2 in the cipher string to exclude the
SSLv2 protocol; for example, COMPAT:!SSLV2. You can enable SSLv2 only in 
BIG-IP 12.0.0 and later by configuring COMPAT+SSLV2 in the cipher string. F5 
recommends that you do not configure virtual servers to use the SSLv2 
protocol.

The Configuration utility does not enable the use of the SSLv2 protocol in the
default configuration for BIG-IP 10.1.0 through 12.0.0. The Apache 
configuration includes the directive SSLProtocol all -SSLv2, which disables 
the SSLv2 protocol by default. F5 recommends that you do not enable the SSLv2 
protocol for the Configuration utility.

If you are using the NodeJS EA feature for server applications, you should use
constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_SSLv2 to mitigate this issue.

If you are using the iAppsLX EA feature, ensure that SSLv2 is not enabled in 
your custom applications. iAppsLX f5-rest-node can be configured to be 
vulnerable in BIG-IP 11.5.0 through 12.0.0.

iRulesLX nodejs is an EA feature in BIG-IP 12.0.0 and is not vulnerable.

The BIG-IP big3d process is not vulnerable in BIG-IP 10.1.0 through 12.0.0; 
the daemon does not support the SSLv2 protocol in these versions.

The device service clustering (DSC) infrastructure communication is not 
vulnerable in BIG-IP 11.0.0 through 12.0.0.
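
The data plane cipher string rules above can be checked mechanically against an inventory of profiles. The following Python sketch is an added example, not part of the F5 advisory or any F5 tool. It assumes a simplified colon-separated cipher string parser, uses only the BIG-IP LTM row of the table for fixed builds, and its function names and sample profiles are hypothetical.

```python
# Added example. Rules are transcribed from the advisory's data plane paragraph;
# the colon-separated cipher string parsing is a simplification (assumption).
# Builds are (major, minor, maintenance, hotfix). LTM_FIXED holds the BIG-IP LTM
# row's "known to be not vulnerable" entries below 12.0.0.
LTM_FIXED = {(11, 6, 0, 5), (11, 6, 0, 6), (11, 5, 4, 0),
             (11, 5, 3, 2), (11, 4, 1, 9), (11, 2, 1, 15)}


def sslv2_finding(cipher_string, build):
    """Return why the string can expose SSLv2 on this build, or None."""
    tokens = [t.strip().upper() for t in cipher_string.split(":") if t.strip()]
    if "!SSLV2" in tokens:
        return None  # advisory: !SSLV2 excludes the SSLv2 protocol
    # Keywords that are switched on, i.e. not prefixed with "!" or "-".
    active = set()
    for tok in tokens:
        if tok[0] not in "!-":
            active.update(tok.split("+"))
    release = build[:3]
    if release >= (12, 0, 0):
        if "COMPAT+SSLV2" in tokens:
            return "COMPAT+SSLV2 enables SSLv2 on 12.0.0 and later"
        return None
    if build in LTM_FIXED or not (10, 1, 0) <= release <= (11, 6, 0):
        return None  # fixed build, or outside the range the advisory covers
    if "COMPAT" in active:
        return "COMPAT without !SSLV2"
    if release in {(10, 2, 1), (10, 2, 2)} and "ALL" in active:
        return "ALL without !SSLV2 on 10.2.1/10.2.2"
    return None


def audit(profiles):
    """Map profile name -> finding for every profile that needs a change."""
    findings = {}
    for name, (cipher_string, build) in profiles.items():
        reason = sslv2_finding(cipher_string, build)
        if reason:
            findings[name] = reason
    return findings


# Constructed sample inventory (profile names and cipher strings are invented).
SAMPLE = {
    "legacy-app": ("COMPAT:!EXPORT", (11, 5, 1, 0)),
    "legacy-fixed": ("COMPAT:!SSLV2", (11, 5, 1, 0)),
    "old-box": ("ALL", (10, 2, 2, 0)),
    "patched": ("COMPAT", (11, 5, 4, 0)),
    "v12-explicit": ("COMPAT+SSLV2", (12, 0, 0, 0)),
}

if __name__ == "__main__":
    for name, reason in audit(SAMPLE).items():
        print(f"{name}: {reason}")
```

A build that is not listed exactly in LTM_FIXED is treated as unfixed, so compare hotfix levels against the table row for the product you run.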

Supplemental Information

SOL9970: Subscribing to email notifications regarding F5 products

SOL9957: Creating a custom RSS feed to view new and updated documents

SOL4918: Overview of the F5 critical issue hotfix policy

SOL23196136: OpenSSL vulnerability CVE-2016-0800

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================