-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0472
               SOL15159: OpenSSL vulnerability CVE-2014-0160
                               9 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP LTM
                   BIG-IP AAM
                   BIG-IP AFM
                   BIG-IP Analytics
                   BIG-IP APM
                   BIG-IP ASM
                   BIG-IP GTM
                   BIG-IP Link Controller
                   BIG-IP PEM
                   BIG-IP Edge Clients for Apple iOS
                   BIG-IP Edge Clients for Linux
                   BIG-IP Edge Clients for MAC OS X
                   BIG-IP Edge Clients for Windows
Publisher:         F5
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0160  

Reference:         ESB-2014.0457

Original Bulletin: 
   http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html

--------------------------BEGIN INCLUDED TEXT--------------------

SOL15159: OpenSSL vulnerability CVE-2014-0160

Security Advisory

Original Publication Date: 04/08/2014

Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not 
properly handle Heartbeat Extension packets, which allows remote attackers to 
obtain sensitive information from process memory via crafted packets that 
trigger a buffer over-read, as demonstrated by reading private keys, related 
to d1_both.c and t1_lib.c, aka the Heartbleed bug. (CVE-2014-0160)
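The over-read described above comes from trusting the peer-supplied payload_length field of the Heartbeat message. The following C function is an added illustration, not code from OpenSSL or F5: it applies the bounds check that OpenSSL 1.0.1g introduced, assuming the RFC 6520 message layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding), so a message whose declared payload does not fit inside the received record is discarded rather than echoed.

```c
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response */
#define HB_PADDING  16  /* minimum padding RFC 6520 requires after the payload */

/* Validate a HeartbeatMessage held in a record of rec_len bytes.
 * Returns 1 and points *payload at the payload when the peer-declared
 * payload_length (plus mandatory padding) fits inside the record; returns 0
 * when the message must be silently discarded. */
int heartbeat_check(const unsigned char *rec, size_t rec_len,
                    const unsigned char **payload, size_t *payload_len)
{
    size_t declared;
    /* Smallest legal message: type (1) + payload_length (2) + padding (16). */
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE) return 0;
    /* payload_length is a big-endian uint16 chosen by the peer. */
    declared = ((size_t)rec[1] << 8) | rec[2];
    /* The check missing from OpenSSL 1.0.1 before 1.0.1g: without it the
     * responder copied `declared` bytes out of a buffer that held only
     * rec_len bytes, returning adjacent process memory to the peer. */
    if (1 + 2 + declared + HB_PADDING > rec_len) return 0;
    *payload = rec + 3;
    *payload_len = declared;
    return 1;
}

/* Build the heartbeat_response for a validated request into out[]; returns
 * the response length, or 0 when the request is rejected or out[] is too
 * small. Padding is zeroed here for brevity; real stacks use random bytes. */
size_t heartbeat_reply(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    const unsigned char *payload;
    size_t plen;
    if (!heartbeat_check(rec, rec_len, &payload, &plen) || rec[0] != HB_REQUEST)
        return 0;
    if (3 + plen + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(plen >> 8);
    out[2] = (unsigned char)(plen & 0xff);
    memcpy(out + 3, payload, plen);          /* echo only what was validated */
    memset(out + 3 + plen, 0, HB_PADDING);
    return 3 + plen + HB_PADDING;
}
```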

Impact

Systems that are vulnerable can be exploited to retrieve information from 
memory. That information may include the private keys used for TLS/DTLS.

- Virtual servers using an SSL profile configured with the default Native SSL 
ciphers are not vulnerable. Only virtual servers using an SSL profile 
configured to use ciphers from the Compat SSL stack are vulnerable. In 
addition, back-end resources are not protected by virtual servers that do not 
use SSL profiles and pass SSL traffic directly through to the back-end web 
servers.
- The Configuration utility on the management interface is vulnerable.
- Clients using the BIG-IP Edge client for Android are not affected by this 
vulnerability. However, clients using the BIG-IP Edge client for Windows, Mac 
OS, or Linux are vulnerable if they are used to connect to a compromised 
FirePass or BIG-IP APM system.

Status

F5 Product Development has assigned ID 456033 (BIG-IP) to this vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product                            Versions known to   Versions known to     Vulnerable component
                                   be vulnerable       be not vulnerable     or feature
BIG-IP LTM                         11.5.0 - 11.5.1     11.0.0 - 11.4.1       Configuration utility
                                                       10.0.0 - 10.2.4       Compat SSL ciphers
BIG-IP AAM                         11.5.0 - 11.5.1     11.4.0 - 11.4.1       Configuration utility
                                                                             Compat SSL ciphers
BIG-IP AFM                         11.5.0 - 11.5.1     11.3.0 - 11.4.1       Configuration utility
                                                       None                  Compat SSL ciphers
BIG-IP Analytics                   11.5.0 - 11.5.1     11.0.0 - 11.4.1       Configuration utility
                                                       None                  Compat SSL ciphers
BIG-IP APM                         11.5.0 - 11.5.1     11.0.0 - 11.4.1       Configuration utility
                                                       10.1.0 - 10.2.4       Compat SSL ciphers
                                                       None
BIG-IP ASM                         11.5.0 - 11.5.1     11.0.0 - 11.4.1       Configuration utility
                                                       10.0.0 - 10.2.4       Compat SSL ciphers
                                                       None
BIG-IP Edge Gateway                None                11.0.0 - 11.3.0       None
                                                       10.1.0 - 10.2.4
BIG-IP GTM                         11.5.0 - 11.5.1     11.0.0 - 11.4.1       Configuration utility
                                                       10.0.0 - 10.2.4       Compat SSL ciphers
                                                       None
BIG-IP Link Controller             11.5.0 - 11.5.1     11.0.0 - 11.4.1       Configuration utility
                                                       10.0.0 - 10.2.4       Compat SSL ciphers
BIG-IP PEM                         11.5.0 - 11.5.1     11.3.0 - 11.4.1       Configuration utility
                                                                             Compat SSL ciphers
BIG-IP PSM                         11.5.0 - 11.5.1     11.0.0 - 11.4.1       Configuration utility
                                                       10.0.0 - 10.2.4       Compat SSL ciphers
                                                       None
BIG-IP WebAccelerator              None                11.0.0 - 11.3.0       None
                                                       10.0.0 - 10.2.4
BIG-IP WOM                         None                11.0.0 - 11.3.0       None
                                                       10.0.0 - 10.2.4
ARX                                None                6.0.0 - 6.4.0         None
Enterprise Manager                 None                3.0.0 - 3.1.1         None
                                                       2.1.0 - 2.3.0
FirePass                           None                7.0.0                 None
                                                       6.0.0 - 6.1.0
BIG-IQ Cloud                       None                4.0.0 - 4.3.0         None
BIG-IQ Device                      None                4.2.0 - 4.3.0         None
BIG-IQ Security                    None                4.0.0 - 4.3.0         None
BIG-IP Edge Clients for Android    None                2.0.3 - 2.0.4         None
BIG-IP Edge Clients for Apple iOS  2.0.0 - 2.0.1       1.0.0 - 1.0.4         VPN
                                   1.0.6
BIG-IP Edge Clients for Linux      7080 - 7101         6035 - 7071           VPN
BIG-IP Edge Clients for MAC OS X   7080 - 7101         6035 - 7071           VPN
BIG-IP Edge Clients for Windows    7080 - 7101         6035 - 7071           VPN

Recommended action

If the previous table lists a version in the Versions known to be not 
vulnerable column, you can eliminate this vulnerability by upgrading to the 
listed version. If the table does not list any version in the column, then no 
upgrade candidate currently exists.

To mitigate this vulnerability, you should consider the following 
recommendations:
- Limit the Configuration utility access to a trusted management network.
- Use only Native SSL stack ciphers. Do not use ciphers from the Compat SSL 
stack. For information about the Native and Compat ciphers, refer to SOL13163: 
SSL ciphers supported on BIG-IP platforms (11.x).
- Back-end resources are not protected by virtual servers that do not use SSL 
profiles and pass SSL traffic through to the back-end web servers. When 
possible, you should protect back-end resources by using SSL profiles to 
terminate SSL at the BIG-IP.

Supplemental Information

http://heartbleed.com/
SOL12463: Overview of F5 Edge products
SOL13757: BIG-IP Edge Client version matrix
SOL9970: Subscribing to email notifications regarding F5 products
SOL9957: Creating a custom RSS feed to view new and updated documents.
SOL4602: Overview of the F5 security vulnerability response policy
SOL4918: Overview of the F5 critical issue hotfix policy
SOL167: Downloading software and firmware from F5
SOL13123: Managing BIG-IP product hotfixes (11.x)
SOL10025: Managing BIG-IP product hotfixes (10.x)
SOL9502: BIG-IP hotfix matrix
SOL10322: FirePass hotfix matrix

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----