===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1183
            sol14638: TLS/SSL RC4 vulnerability - CVE-2013-2566
                              30 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP
Publisher:         F5
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2013-2566  

Reference:         ESB-2013.0562

Original Bulletin: 
   http://support.f5.com/kb/en-us/solutions/public/14000/600/sol14638.html

--------------------------BEGIN INCLUDED TEXT--------------------

sol14638: TLS/SSL RC4 vulnerability - CVE-2013-2566

Security Advisory

Original Publication Date: 08/27/2013

Description

The RC4 keystream used by the TLS and SSL protocols has single-byte biases: at 
fixed positions in the keystream, some byte values occur noticeably more or less
often than the 1/256 expected of a uniform stream. Because RC4 encryption is a 
plain XOR of keystream and plaintext, the ciphertext at those positions leaks the
corresponding plaintext byte. A remote attacker who can collect the ciphertext of
the same plaintext (for example a session cookie sent at the start of every 
connection) across a large number of sessions, each under a fresh key, can 
recover that plaintext by statistical analysis of the ciphertext alone, without
knowing any key.

Impact

Remote attackers may be able to conduct plaintext-recovery attacks using 
statistical analysis of ciphertext.
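
The bias behind this CVE can be reproduced at small scale. The following 
Python script is an added example for this bulletin, not code from F5 or 
AusCERT: it implements RC4, measures the best-known single-byte bias (the 
second keystream byte Z2 equals 0 with probability about 2/256 rather than 
1/256, the Mantin-Shamir bias), and then recovers the second byte of a 
constructed plaintext from ciphertexts alone by encrypting it under many 
independent random keys and taking the most frequent ciphertext value. The 
sample plaintext, the 16-byte key length and the session counts are 
assumptions chosen for the demonstration; the attacks on TLS that the CVE 
describes combine many weaker biases over the first 256 keystream bytes and 
need tens of millions of sessions or more, not the few tens of thousands used 
here.

```python
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n keystream bytes RC4 produces under `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """RC4 is a stream cipher: ciphertext = plaintext XOR keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, rc4_keystream(key, len(plaintext))))


def _random_key(rng: random.Random, length: int = 16) -> bytes:
    # 16-byte keys are an assumption for the demo (RC4 accepts 1..256 bytes).
    return bytes(rng.getrandbits(8) for _ in range(length))


def second_byte_zero_rate(sessions: int, seed: int = 1) -> float:
    """Fraction of sessions (independent random keys) in which the second
    keystream byte Z2 is 0.  A uniform keystream gives 1/256; RC4 gives
    about 2/256 (the Mantin-Shamir bias)."""
    rng = random.Random(seed)
    zeros = sum(rc4_keystream(_random_key(rng), 2)[1] == 0 for _ in range(sessions))
    return zeros / sessions


def recover_plaintext_byte(plaintext: bytes, position: int, sessions: int,
                           seed: int = 2) -> int:
    """Ciphertext-only recovery of plaintext[position] from `sessions`
    encryptions of the same plaintext under independent random keys.

    Because Z2 is biased toward 0 and C = P XOR Z, the ciphertext byte at
    position 1 is biased toward the plaintext byte, so the most frequent
    ciphertext value is the attacker's guess.  The keys are generated only
    to simulate the victim's sessions; the attacker side sees ciphertext."""
    rng = random.Random(seed)
    counts = [0] * 256
    for _ in range(sessions):
        counts[rc4_encrypt(_random_key(rng), plaintext)[position]] += 1
    return max(range(256), key=counts.__getitem__)


# Constructed sample: a fixed secret sent at the start of every session.
SAMPLE_PLAINTEXT = b"Cookie: sid=7f3a9c"   # constructed for this example

if __name__ == "__main__":
    rate = second_byte_zero_rate(16000)
    print(f"Pr[Z2 = 0] over 16000 keys: {rate:.5f} (uniform: {1/256:.5f})")
    guess = recover_plaintext_byte(SAMPLE_PLAINTEXT, 1, 20000)
    print(f"recovered plaintext[1] = {guess:#04x} ({chr(guess)!r}); "
          f"true value {SAMPLE_PLAINTEXT[1]:#04x}")
```

Running the script prints the measured rate of Z2 = 0 and the recovered byte. 
The only per-position bias used here is the one on Z2; the full attack on TLS 
applies the same counting to every one of the first 256 positions with that 
position's own (weaker) bias profile, which is why it needs far more sessions. 
The attacker side in recover_plaintext_byte reads only ciphertexts, which is 
what makes this a ciphertext-only, key-independent attack.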

Status

F5 Product Development has assigned ID 428433 to this vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product                 Versions known to   Versions known to   Vulnerable component
                        be vulnerable       be not vulnerable   or feature

BIG-IP LTM              9.0.0 - 9.6.1       None                Configuration utility
                        10.0.0 - 10.2.4                         SSL virtual servers
                        11.0.0 - 11.4.0

BIG-IP AAM              11.4.0              None                Configuration utility
                                                                SSL virtual servers

BIG-IP AFM              11.3.0 - 11.4.0     None                Configuration utility
                                                                SSL virtual servers

BIG-IP Analytics        11.0.0 - 11.4.0     None                Configuration utility
                                                                SSL virtual servers

BIG-IP APM              10.1.0 - 10.2.4     None                Configuration utility
                        11.0.0 - 11.4.0                         SSL virtual servers

BIG-IP ASM              9.2.0 - 9.4.8       None                Configuration utility
                        10.0.0 - 10.2.4                         SSL virtual servers
                        11.0.0 - 11.4.0

BIG-IP Edge Gateway     10.1.0 - 10.2.4     None                Configuration utility
                        11.0.0 - 11.4.0                         SSL virtual servers

BIG-IP GTM              9.2.2 - 9.4.8       None                Configuration utility
                        10.0.0 - 10.2.4
                        11.0.0 - 11.4.0

BIG-IP Link Controller  9.2.2 - 9.4.8       None                Configuration utility
                        10.0.0 - 10.2.4                         SSL virtual servers
                        11.0.0 - 11.4.0

BIG-IP PEM              11.3.0 - 11.4.0     None                Configuration utility
                                                                SSL virtual servers

BIG-IP PSM              9.4.5 - 9.4.8       None                Configuration utility
                        10.0.0 - 10.2.4                         SSL virtual servers
                        11.0.0 - 11.4.0

BIG-IP WebAccelerator   9.4.0 - 9.4.8       None                Configuration utility
                        10.0.0 - 10.2.4                         SSL virtual servers
                        11.0.0 - 11.3.0

BIG-IP WOM              10.0.0 - 10.2.4     None                Configuration utility
                        11.0.0 - 11.3.0                         SSL virtual servers

ARX                     5.0.0 - 5.3.1       None                ARX Manager GUI
                        6.0.0 - 6.4.0                           API (disabled by default)

Enterprise Manager      1.6.0 - 1.8.0       None                Configuration utility
                        2.0.0 - 2.3.0
                        3.0.0 - 3.1.1

FirePass                6.0.0 - 6.1.0       None                Administrative interface
                        7.0.0                                   WebServices

BIG-IQ Cloud            4.0.0 - 4.1.0       None                Configuration utility

BIG-IQ Security         4.0.0 - 4.1.0       None                Configuration utility

Recommended action

This TLS/SSL vulnerability is an inherent flaw in the RC4 cipher itself, not a
defect in any F5 product, so there is no hotfix; the table above accordingly 
lists no non-vulnerable versions. The mitigation is to disable the RC4 cipher 
in the cipher string of each vulnerable component or feature (see the SOL 
articles on configuring cipher strength under Supplemental Information). Note 
the trade-off: administrators were previously advised to prefer RC4 precisely 
to mitigate attacks on CBC-mode cipher suites, such as the BEAST and Lucky 13 
attacks, so removing RC4 moves clients back onto those suites. Which risk to 
accept depends on the deployment, for example on whether TLS 1.1 or later 
(which BEAST does not affect) can be required of clients.

For more information about the various TLS protocol level attacks, and F5 
recommendations for mitigating the attacks, refer to the following 
DevCentral article:

Which TLS algorithm should I use?

Note: A separate DevCentral login is required to access this content; you 
will be redirected to authenticate or register (if necessary).

Supplemental Information

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566

    Note: This link will take you to a resource outside of AskF5, and it is 
    possible that the document may be removed without our knowledge.
    SOL8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profiles
    SOL13171: Configuring the cipher strength for SSL profiles (11.x)
    SOL7815: Configuring the cipher strength for SSL profiles (9.x - 10.x)
    SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)
    SOL11444: SSL ciphers supported on BIG-IP platforms (10.x)
    SOL13156: SSL ciphers used in the default SSL profiles (11.x)
    SOL10262: SSL ciphers used in the default SSL profiles (10.x)
    SOL9677: BIG-IP LTM compliance with standard FIPS-197
    SOL9970: Subscribing to email notifications regarding F5 products
    SOL4602: Overview of the F5 security vulnerability response policy

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================