-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1183
           sol14638: TLS/SSL RC4 vulnerability - CVE-2013-2566
                              30 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP
Publisher:         F5
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2013-2566
Reference:         ESB-2013.0562

Original Bulletin:
   http://support.f5.com/kb/en-us/solutions/public/14000/600/sol14638.html

- --------------------------BEGIN INCLUDED TEXT--------------------

sol14638: TLS/SSL RC4 vulnerability - CVE-2013-2566

Security Advisory

Original Publication Date: 08/27/2013

Description

The RC4 algorithm used by the TLS protocol and SSL protocol has single-byte
biases, which makes it easier for remote attackers to conduct
plaintext-recovery attacks using statistical analysis of ciphertext in a large
number of sessions that use the same plaintext.

Impact

Remote attackers may be able to conduct plaintext-recovery attacks using
statistical analysis of ciphertext.

Status

F5 Product Development has assigned ID 428433 to this vulnerability.
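The single-byte bias named in the Description can be measured directly. The Python script below is an added illustration, not part of the F5 advisory or the AusCERT bulletin: it implements textbook RC4 and, over many fresh random 128-bit keys (the key size TLS uses with RC4), counts how often the second keystream byte is zero. For an unbiased stream generator that frequency would be 1/256; RC4 produces roughly 1/128. The function names and the session counts are the author's own choices.

```python
import random


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                       # PRGA: emit keystream bytes
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def zero_frequency(position: int, sessions: int, seed: int = 1) -> float:
    """Fraction of independent random-key keystreams whose byte at `position`
    (1-based, as in the literature) is 0x00.  Each iteration models one TLS
    session with a fresh key; a uniform generator would give about 1/256."""
    rng = random.Random(seed)                     # seeded so the experiment repeats exactly
    zeros = 0
    for _ in range(sessions):
        key = bytes(rng.getrandbits(8) for _ in range(16))   # constructed 128-bit key
        if rc4_keystream(key, position)[position - 1] == 0:
            zeros += 1
    return zeros / sessions


if __name__ == "__main__":
    # Position 2 is the classic (Mantin-Shamir) bias; a late position is shown
    # for comparison.  This skew is what lets identical plaintext sent in many
    # sessions be reconstructed statistically, as the advisory describes.
    print(f"uniform expectation      : {1/256:.5f}")
    print(f"RC4 byte 2  P(zero)      : {zero_frequency(2, 20000):.5f}")
    print(f"RC4 byte 50 P(zero)      : {zero_frequency(50, 8000):.5f}")
```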
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

Product               Versions known to   Versions known to   Vulnerable component
                      be vulnerable       be not vulnerable   or feature
--------------------  ------------------  ------------------  ----------------------
BIG-IP LTM            9.0.0 - 9.6.1       None                Configuration utility
                      10.0.0 - 10.2.4                         SSL virtual servers
                      11.0.0 - 11.4.0

BIG-IP AAM            11.4.0              None                Configuration utility
                                                              SSL virtual servers

BIG-IP AFM            11.3.0 - 11.4.0     None                Configuration utility
                                                              SSL virtual servers

BIG-IP Analytics      11.0.0 - 11.4.0     None                Configuration utility
                                                              SSL virtual servers

BIG-IP APM            10.1.0 - 10.2.4     None                Configuration utility
                      11.0.0 - 11.4.0                         SSL virtual servers

BIG-IP ASM            9.2.0 - 9.4.8       None                Configuration utility
                      10.0.0 - 10.2.4                         SSL virtual servers
                      11.0.0 - 11.4.0

BIG-IP Edge Gateway   10.1.0 - 10.2.4     None                Configuration utility
                      11.0.0 - 11.4.0                         SSL virtual servers

BIG-IP GTM            9.2.2 - 9.4.8       None                Configuration utility
                      10.0.0 - 10.2.4
                      11.0.0 - 11.4.0

BIG-IP Link           9.2.2 - 9.4.8       None                Configuration utility
Controller            10.0.0 - 10.2.4                         SSL virtual servers
                      11.0.0 - 11.4.0

BIG-IP PEM            11.3.0 - 11.4.0     None                Configuration utility
                                                              SSL virtual servers

BIG-IP PSM            9.4.5 - 9.4.8       None                Configuration utility
                      10.0.0 - 10.2.4                         SSL virtual servers
                      11.0.0 - 11.4.0

BIG-IP                9.4.0 - 9.4.8       None                Configuration utility
WebAccelerator        10.0.0 - 10.2.4                         SSL virtual servers
                      11.0.0 - 11.3.0

BIG-IP WOM            10.0.0 - 10.2.4     None                Configuration utility
                      11.0.0 - 11.3.0                         SSL virtual servers

ARX                   5.0.0 - 5.3.1       None                ARX Manager GUI
                      6.0.0 - 6.4.0                           API (disabled by default)

Enterprise Manager    1.6.0 - 1.8.0       None                Configuration utility
                      2.0.0 - 2.3.0
                      3.0.0 - 3.1.1

FirePass              6.0.0 - 6.1.0       None                Administrative interface
                      7.0.0                                   WebServices

BIG-IQ Cloud          4.0.0 - 4.1.0       None                Configuration utility

BIG-IQ Security       4.0.0 - 4.1.0       None                Configuration utility

Recommended action

This TLS/SSL vulnerability constitutes an inherent flaw in the RC4 cipher.
While it is possible to mitigate this vulnerability by disabling the RC4
cipher for the vulnerable component/feature, administrators were advised to
use the RC4 cipher to mitigate other vulnerabilities, such as the BEAST and
Lucky 13 attacks.

For more information about the various TLS protocol level attacks, and F5
recommendations for mitigating the attacks, refer to the following DevCentral
article:

    Which TLS algorithm should I use?

Note: A separate DevCentral login is required to access this content; you
will be redirected to authenticate or register (if necessary).

Supplemental Information

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566

Note: This link will take you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

SOL8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profiles
SOL13171: Configuring the cipher strength for SSL profiles (11.x)
SOL7815: Configuring the cipher strength for SSL profiles (9.x - 10.x)
SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)
SOL11444: SSL ciphers supported on BIG-IP platforms (10.x)
SOL13156: SSL ciphers used in the default SSL profiles (11.x)
SOL10262: SSL ciphers used in the default SSL profiles (10.x)
SOL9677: BIG-IP LTM compliance with standard FIPS-197
SOL9970: Subscribing to email notifications regarding F5 products
SOL4602: Overview of the F5 security vulnerability response policy

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.
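The Recommended action in the included F5 text comes down to removing RC4 from the SSL profile cipher string, and the cipher strings those profiles accept follow OpenSSL's list syntax. The Python script below is an added example, not F5 code: it models that syntax (':'-separated tokens, '!' excludes permanently, '-' removes for now, '+' moves matches to the end) against a small constructed suite catalogue, so a candidate string can be resolved and checked for RC4 before it is applied. The catalogue, its tags, and the simplified meaning of DEFAULT are illustrative assumptions; the authoritative suite lists are the SOL13163 and SOL11444 articles cited above.

```python
# Constructed, simplified suite catalogue (suite name -> keyword tags).  Real BIG-IP /
# OpenSSL catalogues are far larger and DEFAULT has more exclusions than modelled here.
CATALOGUE = {
    "ECDHE-RSA-AES128-SHA": {"ECDHE", "AES", "AES128", "SHA1", "TLSv1"},
    "DHE-RSA-AES256-SHA":   {"DHE", "AES", "AES256", "SHA1", "SSLv3"},
    "AES256-SHA":           {"RSA", "AES", "AES256", "SHA1", "SSLv3"},
    "AES128-SHA":           {"RSA", "AES", "AES128", "SHA1", "SSLv3"},
    "DES-CBC3-SHA":         {"RSA", "3DES", "SHA1", "SSLv3"},
    "RC4-SHA":              {"RSA", "RC4", "SHA1", "SSLv3"},
    "RC4-MD5":              {"RSA", "RC4", "MD5", "SSLv3"},
}


def _matches(name, catalogue):
    """Suites selected by one suite name or keyword (ALL/DEFAULT select everything here)."""
    if name in ("ALL", "DEFAULT"):
        return list(catalogue)
    return [suite for suite, tags in catalogue.items() if suite == name or name in tags]


def resolve(cipher_string, catalogue=CATALOGUE):
    """Resolve an OpenSSL-style cipher string to an ordered list of suite names.
    Tokens apply left to right: NAME adds, -NAME removes (may be re-added later),
    !NAME removes and blocks any later re-add, +NAME moves matches to the end."""
    selected, banned = [], set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        op, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hit = _matches(name, catalogue)
        if op == "!":
            banned.update(hit)
            selected = [s for s in selected if s not in hit]
        elif op == "-":
            selected = [s for s in selected if s not in hit]
        elif op == "+":
            selected = [s for s in selected if s not in hit] + [s for s in selected if s in hit]
        else:
            selected += [s for s in hit if s not in selected and s not in banned]
    return selected


def rc4_suites(cipher_string, catalogue=CATALOGUE):
    """Suites in the resolved list that still use RC4; an empty list means RC4 is gone."""
    return [s for s in resolve(cipher_string, catalogue) if "RC4" in catalogue[s]]


if __name__ == "__main__":
    # Order and operator matter: '-RC4' before DEFAULT is undone by DEFAULT, '!RC4' is not.
    for candidate in ("DEFAULT", "DEFAULT:!RC4", "-RC4:DEFAULT", "!RC4:DEFAULT"):
        print(f"{candidate:14} -> RC4 suites: {rc4_suites(candidate) or 'none'}")
```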
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.