===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2017.2418.2
                 K14741: OpenSSH vulnerability CVE-2010-5107
                              27 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-5107
Reference:         ESB-2013.1669.2

Original Bulletin:
   https://support.f5.com/csp/article/K14741

Revision History:  February 27 2019: Updated the status table
                   September 22 2017: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

K14741: OpenSSH vulnerability CVE-2010-5107

Security Advisory

Original Publication Date: 11 Oct, 2013
Latest Publication Date: 27 Feb, 2019

Security Advisory Description

The default configuration of OpenSSH through 6.1 enforces a fixed time limit
between establishing a TCP connection and completing a login, which makes it
easier for remote attackers to cause a denial of service (connection-slot
exhaustion) by periodically making many new TCP connections. (CVE-2010-5107)

Impact

This issue may limit access to SSH services on the affected BIG-IP system.

Security Advisory Status

F5 Product Development has assigned ID 430799 (BIG-IP and Enterprise Manager)
and ID 431179 (ARX) to this vulnerability. Additionally, BIG-IP iHealth may
list Heuristic H483011 on the Diagnostics > Identified > High page.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

+--------------------+---------------------+---------------------+-----------------+
|Product             |Versions known to be |Versions known to be |Vulnerable       |
|                    |vulnerable           |not vulnerable       |component or     |
|                    |                     |                     |feature          |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IP LTM          |11.6.0 - 11.6.0 HF4  |13.0.0               |SSH              |
|                    |11.5.0 - 11.5.3      |12.0.0 - 12.1.4      |                 |
|                    |11.0.0 - 11.4.1 HF8  |11.6.0 HF5 - 11.6.3  |                 |
|                    |10.0.0 - 10.2.4      |11.5.4 - 11.5.8      |                 |
|                    |                     |11.4.1 HF9           |                 |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IP AAM          |11.6.0 - 11.6.0 HF4  |13.0.0               |SSH              |
|                    |11.5.0 - 11.5.3      |12.0.0 - 12.1.4      |                 |
|                    |11.4.0 - 11.4.0 HF8  |11.6.0 HF5 - 11.6.3  |                 |
|                    |                     |11.5.4 - 11.5.8      |                 |
|                    |                     |11.4.1 HF9           |                 |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IP AFM          |11.6.0 - 11.6.0 HF4  |13.0.0               |SSH              |
|                    |11.5.0 - 11.5.3      |12.0.0 - 12.1.4      |                 |
|                    |11.3.0 - 11.4.1 HF8  |11.6.0 HF5 - 11.6.3  |                 |
|                    |                     |11.5.4 - 11.5.8      |                 |
|                    |                     |11.4.1 HF9           |                 |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IP Analytics    |11.6.0 - 11.6.0 HF4  |13.0.0               |SSH              |
|                    |11.5.0 - 11.5.3      |12.0.0 - 12.1.4      |                 |
|                    |11.0.0 - 11.4.1 HF8  |11.6.0 HF5 - 11.6.3  |                 |
|                    |                     |11.5.4 - 11.5.8      |                 |
|                    |                     |11.4.1 HF9           |                 |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IP APM          |11.6.0 - 11.6.0 HF4  |13.0.0               |SSH              |
|                    |11.5.0 - 11.5.3      |12.0.0 - 12.1.4      |                 |
|                    |11.0.0 - 11.4.1 HF8  |11.6.0 HF5 - 11.6.3  |                 |
|                    |10.1.0 - 10.2.4      |11.5.4 - 11.5.8      |                 |
|                    |                     |11.4.1 HF9           |                 |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IP ASM          |11.6.0 - 11.6.0 HF4  |13.0.0               |SSH              |
|                    |11.5.0 - 11.5.3      |12.0.0 - 12.1.4      |                 |
|                    |11.0.0 - 11.4.1 HF8  |11.6.0 HF5 - 11.6.3  |                 |
|                    |10.0.0 - 10.2.4      |11.5.4 - 11.5.8      |                 |
|                    |                     |11.4.1 HF9           |                 |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IP DNS          |None                 |13.0.0               |None             |
|                    |                     |12.0.0 - 12.1.4      |                 |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IP Edge Gateway |11.0.0 - 11.3.0      |None                 |SSH              |
|                    |10.1.0 - 10.2.4      |                     |                 |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IP GTM          |11.6.0 - 11.6.0 HF4  |11.6.0 HF5 - 11.6.3  |SSH              |
|                    |11.5.0 - 11.5.3      |11.5.4 - 11.5.8      |                 |
|                    |11.0.0 - 11.4.1 HF8  |11.4.1 HF9           |                 |
|                    |10.0.0 - 10.2.4      |                     |                 |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IP Link         |11.6.0 - 11.6.0 HF4  |13.0.0               |SSH              |
|Controller          |11.5.0 - 11.5.3      |12.0.0 - 12.1.4      |                 |
|                    |11.0.0 - 11.4.1 HF8  |11.6.0 HF5 - 11.6.3  |                 |
|                    |10.0.0 - 10.2.4      |11.5.4 - 11.5.8      |                 |
|                    |                     |11.4.1 HF9           |                 |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IP PEM          |11.6.0 - 11.6.0 HF4  |13.0.0               |SSH              |
|                    |11.5.0 - 11.5.3      |12.0.0 - 12.1.4      |                 |
|                    |11.3.0 - 11.4.1 HF8  |11.6.0 HF5 - 11.6.3  |                 |
|                    |                     |11.5.4 - 11.5.8      |                 |
|                    |                     |11.4.1 HF9           |                 |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IP PSM          |11.0.0 - 11.4.1 HF8  |11.4.1 HF9           |SSH              |
|                    |10.0.0 - 10.2.4      |                     |                 |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IP              |11.0.0 - 11.3.0      |None                 |SSH              |
|WebAccelerator      |10.0.0 - 10.2.4      |                     |                 |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IP WOM          |11.0.0 - 11.3.0      |None                 |SSH              |
|                    |10.0.0 - 10.2.4      |                     |                 |
+--------------------+---------------------+---------------------+-----------------+
|ARX                 |6.0.0 - 6.4.0        |None                 |SSH              |
|                    |5.0.0 - 5.3.1        |                     |                 |
+--------------------+---------------------+---------------------+-----------------+
|Enterprise Manager  |3.0.0 - 3.1.1        |None                 |SSH              |
|                    |2.0.0 - 2.3.0        |                     |                 |
+--------------------+---------------------+---------------------+-----------------+
|FirePass            |None                 |7.0.0                |None             |
|                    |                     |6.0.0 - 6.1.0        |                 |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IQ Centralized  |4.6.0                |6.0.0 - 6.1.0        |SSH              |
|Management          |                     |5.0.0 - 5.4.0        |                 |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IQ Cloud        |4.0.0 - 4.5.0        |None                 |SSH              |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IQ Device       |4.2.0 - 4.5.0        |None                 |SSH              |
+--------------------+---------------------+---------------------+-----------------+
|BIG-IQ Security     |4.0.0 - 4.5.0        |None                 |SSH              |
+--------------------+---------------------+---------------------+-----------------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

F5 recommends that you allow SSH access to the administrative port only from a
secure network.

BIG-IP and BIG-IQ mitigation

The default sshd configuration allows for 10 connections to be in an
unauthenticated state. In this situation, a TCP connection has been
established, but SSH is waiting for login credentials. This type of
denial-of-service (DoS) attack ties up network services and prevents others
from logging in using SSH.

To mitigate this vulnerability in the BIG-IP system and the BIG-IQ system, you
can enable random early drop by way of the MaxStartups option of the sshd
configuration on the system. You enable random early drop by specifying the
three colon-separated values start:rate:full.
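The start:rate:full behaviour of MaxStartups, modelled in Python as an added example (not F5's or OpenSSH's code): it parses the option value with the range checks sshd applies and reproduces the linear random early drop curve, so the drop percentage for the bulletin's 10:30:60 setting, or for the older single-number form, can be read off for any backlog size before the value is committed to a production sshd.

```python
import random


def parse_max_startups(value):
    """Parse a MaxStartups value into (start, rate, full).

    A single number N (the older form) refuses every connection beyond N,
    which is the same curve as start == full == N; rate is then irrelevant.
    """
    fields = value.strip().split(":")
    if len(fields) == 1:
        n = int(fields[0])
        return n, 100, n
    if len(fields) != 3:
        raise ValueError("MaxStartups expects 'full' or 'start:rate:full'")
    start, rate, full = (int(f) for f in fields)
    # sshd rejects these combinations when it parses the config.
    if start < 0 or start > full or not 1 <= rate <= 100:
        raise ValueError("invalid MaxStartups value %r" % value)
    return start, rate, full


def drop_probability(pending, start, rate, full):
    """Percentage of new connections refused with `pending` unauthenticated
    connections already open: 0 below start, rate% at start, rising linearly
    to 100% at full.  Integer arithmetic, as in sshd's own calculation."""
    if pending < start:
        return 0
    if pending >= full or rate == 100:
        return 100
    return rate + (100 - rate) * (pending - start) // (full - start)


def should_drop(pending, start, rate, full, rng=random):
    """The randomised per-connection decision: drop if a roll of 0-99 lands
    below the current drop percentage."""
    return rng.randrange(100) < drop_probability(pending, start, rate, full)


def drop_curve(value, points):
    """Drop percentage at each backlog size in `points` for one config value."""
    start, rate, full = parse_max_startups(value)
    return {n: drop_probability(n, start, rate, full) for n in points}


if __name__ == "__main__":
    # The bulletin's example: 10 pending -> 30% dropped, 60 pending -> 100%.
    for n, pct in drop_curve("10:30:60", (5, 10, 35, 59, 60, 80)).items():
        print("%3d pending unauthenticated connections -> drop %3d%%" % (n, pct))
```

Note that a larger full value keeps more half-open sessions in memory, which is the trade-off the bulletin's "Impact of workaround" paragraph warns about.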
After the number of unauthenticated connections reaches the value specified by
start, sshd will begin to refuse new connections at a percentage specified by
rate. The proportional rate of refused connections then increases linearly as
the limit specified by full is approached, until 100% is reached. At that
point, all new attempts to connect are refused until the unauthenticated SSH
session TCP connections time out. For example, if MaxStartups is configured
with the value 10:30:60, then after 10 connections pending authentication,
sshd would begin to drop 30% of the new connections. If unauthenticated
connections increase to 60, then 100% of the new connections are dropped until
the backlog subsides.

To enable random early drop, perform the following procedure:

Impact of workaround: Increasing the number of allowed connections in an
unauthenticated state increases the amount of memory needed to maintain those
TCP connections. Use care when increasing these numbers beyond the values
quoted in the following procedure.

1. Log in to the Traffic Management Shell (tmsh) by typing the following
   command:

   tmsh

2. Configure the MaxStartups option using the following command syntax:

   modify /sys sshd include 'MaxStartups start:rate:full'

   For example, set MaxStartups to 10:30:60 by typing the following command:

   modify /sys sshd include 'MaxStartups 10:30:60'

3. Save the change by typing the following command:

   save /sys config

4. Restart sshd by typing the following command:

   restart /sys service sshd

Supplemental Information

  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K167: Downloading software and firmware from F5
  o K13123: Managing BIG-IP product hotfixes (11.x - 13.x)

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above.
If you have any questions or need further information, please contact them
directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================