===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2017.2969.2
                         BIG-IP SSL Vulnerability
                              2 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP
Publisher:         F5 Networks
Operating System:  Virtualisation
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6168  

Original Bulletin: 
   https://support.f5.com/csp/article/K21905460

Revision History:  January   2 2018: Updated Advisory from F5 Networks
                   November 20 2017: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

K21905460: BIG-IP SSL vulnerability (ROBOT) CVE-2017-6168

Security Advisory

Original Publication Date: Nov 18, 2017
Updated Date: Dec 28, 2017

Security Advisory Description

A BIG-IP virtual server configured with a Client SSL profile may be vulnerable
to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against
RSA, which when exploited, may result in plaintext recovery of encrypted
messages and/or a Man-in-the-middle (MiTM) attack, despite the attacker not
having gained access to the server's private key itself. (CVE-2017-6168)

This vulnerability is also known as the ROBOT attack.

Impact

Exploiting this vulnerability to perform plaintext recovery of encrypted
messages will, in most practical cases, allow an attacker to read the plaintext
only after the session has completed. Only TLS sessions established using RSA
key exchange are vulnerable to this attack.

Exploiting this vulnerability to conduct a MiTM attack requires the attacker to
complete the initial attack, which may require millions of server requests,
during the handshake phase of the targeted session within the window of the
configured handshake timeout. This attack may be conducted against any TLS
session using RSA signatures, but only if cipher suites using RSA key exchange
are also enabled on the virtual server. The limited window of opportunity,
limitations in bandwidth, and latency make this attack significantly more
difficult to execute.

This vulnerability affects BIG-IP systems with the following configuration:

  o A virtual server associated with a Client SSL profile with RSA key exchange
    enabled; RSA key exchange is enabled by default. Captured TLS sessions
    encrypted with ephemeral cipher suites (DHE or ECDHE) are not at risk for
    subsequent decryption due to this vulnerability.

Important:

Virtual servers configured with a Client SSL profile with the Generic Alert
option disabled (enabled by default) are at higher risk because they report the
specific handshake failure instead of a generic message.

Virtual servers configured with a Client SSL profile that has the Client
Certificate option under the Client Authentication section set to require will
limit the threat to attackers that are able to successfully authenticate first.
Without client certificate authentication, this attack is unauthenticated
and anonymous.

Virtual servers that have completely disabled RSA Key Exchange cipher suites
within the Client SSL profile (for example, cipher string DEFAULT:!RSA) are NOT
impacted by this vulnerability.

BIG-IP Configuration utility, iControl services, big3d collection agent, and
Centralized Management Infrastructure (CMI) connections are NOT impacted by
this vulnerability.

Captured traffic from sessions using Perfect Forward Secrecy (PFS) cipher
suites (DHE or ECDHE) cannot be decrypted due to this vulnerability.

This vulnerability is not an RSA private key recovery attack and does not
compromise the server's private key.

Security Advisory Status

F5 Product Development has assigned ID 693211 (BIG-IP) to this vulnerability.
Additionally, BIG-IP iHealth may list Heuristic H21905460 on the Diagnostics >
Identified > Critical screen.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

+--------------+-----------+-------------+-----------+------+-----------------+
|              |Versions   |Versions     |           |CVSSv3|Vulnerable       |
|Product       |known to be|known to be  |Severity   |score^|component or     |
|              |vulnerable |not          |           |1     |feature          |
|              |           |vulnerable   |           |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|              |13.0.0 -   |13.0.0 HF3   |           |      |                 |
|              |13.1.0     |12.1.2 HF2   |           |      |Client SSL       |
|BIG-IP LTM    |12.0.0 -   |11.6.2 HF1   |Critical   |9.1   |profiles with RSA|
|              |12.1.2     |11.5.1-11.5.5|           |      |key exchange     |
|              |11.6.0 -   |11.2.1       |           |      |enabled          |
|              |11.6.2     |             |           |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|              |13.0.0 -   |13.0.0 HF3   |           |      |                 |
|              |13.1.0     |12.1.2 HF2   |           |      |Client SSL       |
|BIG-IP AAM    |12.0.0 -   |11.6.2 HF1   |Critical   |9.1   |profiles with RSA|
|              |12.1.2     |11.5.1 -     |           |      |key exchange     |
|              |11.6.0 -   |11.5.5       |           |      |enabled          |
|              |11.6.2     |             |           |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|              |13.0.0 -   |13.0.0 HF3   |           |      |                 |
|              |13.1.0     |12.1.2 HF2   |           |      |Client SSL       |
|BIG-IP AFM    |12.0.0 -   |11.6.2 HF1   |Critical   |9.1   |profiles with RSA|
|              |12.1.2     |11.5.1 -     |           |      |key exchange     |
|              |11.6.0 -   |11.5.5       |           |      |enabled          |
|              |11.6.2     |             |           |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|              |13.0.0 -   |13.0.0 HF3   |           |      |                 |
|              |13.1.0     |12.1.2 HF2   |           |      |Client SSL       |
|BIG-IP        |12.0.0 -   |11.6.2 HF1   |Critical   |9.1   |profiles with RSA|
|Analytics     |12.1.2     |11.5.1 -     |           |      |key exchange     |
|              |11.6.0 -   |11.5.5       |           |      |enabled          |
|              |11.6.2     |11.2.1       |           |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|              |13.0.0 -   |13.0.0 HF3   |           |      |                 |
|              |13.1.0     |12.1.2 HF2   |           |      |Client SSL       |
|BIG-IP APM    |12.0.0 -   |11.6.2 HF1   |Critical   |9.1   |profiles with RSA|
|              |12.1.2     |11.5.1 -     |           |      |key exchange     |
|              |11.6.0 -   |11.5.5       |           |      |enabled          |
|              |11.6.2     |11.2.1       |           |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|              |13.0.0 -   |13.0.0 HF3   |           |      |                 |
|              |13.1.0     |12.1.2 HF2   |           |      |Client SSL       |
|BIG-IP ASM    |12.0.0 -   |11.6.2 HF1   |Critical   |9.1   |profiles with RSA|
|              |12.1.2     |11.5.1 -     |           |      |key exchange     |
|              |11.6.0 -   |11.5.5       |           |      |enabled          |
|              |11.6.2     |11.2.1       |           |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|              |           |13.0.0 -     |Not        |      |                 |
|BIG-IP DNS    |None       |13.1.0       |vulnerable^|None  |None             |
|              |           |12.0.0 -     |2          |      |                 |
|              |           |12.1.2       |           |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|BIG-IP Edge   |None       |11.2.1       |Not        |None  |None             |
|Gateway       |           |             |vulnerable |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|              |           |11.6.0 -     |           |      |                 |
|              |           |11.6.2       |Not        |      |                 |
|BIG-IP GTM    |None       |11.5.1 -     |vulnerable^|None  |None             |
|              |           |11.5.5       |2          |      |                 |
|              |           |11.2.1       |           |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|              |13.0.0 -   |13.0.0 HF3   |           |      |                 |
|              |13.1.0     |12.1.2 HF2   |           |      |Client SSL       |
|BIG-IP Link   |12.0.0 -   |11.6.2 HF1   |Critical   |9.1   |profiles with RSA|
|Controller    |12.1.2     |11.5.1 -     |           |      |key exchange     |
|              |11.6.0 -   |11.5.5       |           |      |enabled          |
|              |11.6.2     |11.2.1       |           |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|              |13.0.0 -   |13.0.0 HF3   |           |      |                 |
|              |13.1.0     |12.1.2 HF2   |           |      |Client SSL       |
|BIG-IP PEM    |12.0.0 -   |11.6.2 HF1   |Critical   |9.1   |profiles with RSA|
|              |12.1.2     |11.5.1 -     |           |      |key exchange     |
|              |11.6.0 -   |11.5.5       |           |      |enabled          |
|              |11.6.2     |             |           |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|BIG-IP        |None       |11.2.1       |Not        |None  |None             |
|WebAccelerator|           |             |vulnerable |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|              |13.0.0 -   |             |           |      |Client SSL       |
|              |13.1.0     |13.0.0 HF3   |           |      |profiles with RSA|
|F5 WebSafe    |12.0.0 -   |12.1.2 HF2   |Critical   |9.1   |key exchange     |
|              |12.1.2     |11.6.2 HF1   |           |      |enabled          |
|              |11.6.2     |             |           |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|Enterprise    |           |             |Not        |      |                 |
|Manager       |None       |3.1.1        |vulnerable^|None  |None             |
|              |           |             |2          |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|              |           |             |Not        |      |                 |
|BIG-IQ Cloud  |None       |4.4.0 - 4.5.0|vulnerable^|None  |None             |
|              |           |             |2          |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|              |           |             |Not        |      |                 |
|BIG-IQ Device |None       |4.4.0 - 4.5.0|vulnerable^|None  |None             |
|              |           |             |2          |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|BIG-IQ        |           |             |Not        |      |                 |
|Security      |None       |4.4.0 - 4.5.0|vulnerable^|None  |None             |
|              |           |             |2          |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|              |           |             |Not        |      |                 |
|BIG-IQ ADC    |None       |4.5.0        |vulnerable^|None  |None             |
|              |           |             |2          |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|BIG-IQ        |           |5.0.0 - 5.3.0|Not        |      |                 |
|Centralized   |None       |4.6.0        |vulnerable^|None  |None             |
|Management    |           |             |2          |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|BIG-IQ Cloud  |           |             |Not        |      |                 |
|and           |None       |1.0.0        |vulnerable^|None  |None             |
|Orchestration |           |             |2          |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|              |           |             |Not        |      |                 |
|F5 iWorkflow  |None       |2.0.0 - 2.3.0|vulnerable^|None  |None             |
|              |           |             |2          |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|LineRate      |None       |2.5.0 - 2.6.2|Not        |None  |None             |
|              |           |             |vulnerable |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+
|Traffix SDC   |None       |5.0.0 - 5.1.0|Not        |None  |None             |
|              |           |4.0.0 - 4.4.0|vulnerable |      |                 |
+--------------+-----------+-------------+-----------+------+-----------------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

^2 The specified products contain the affected code. However, F5 identifies the
vulnerability status as Not vulnerable because the attacker cannot exploit the
code in default, standard, or recommended configurations.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.

BIG-IP cloud images are posted to their respective market places as rapidly as
the providers' processes allow. For an immediate resolution, BIG-IP cloud
customers can perform a standard Live Install of ISO images located on the F5
Downloads site to resolve this issue prior to marketplace images being made
available.

Mitigation

F5 strongly recommends that you upgrade to a non-vulnerable version because it
is the only full resolution of this issue.

If upgrading to a non-vulnerable version is not an option, you may consider the
following mitigations:

  o Disabling RSA key exchange in Client SSL profile

    Important: You should only consider the following two options to provide
    partial mitigation if you are unable to upgrade to a non-vulnerable version
    or disable RSA key exchange in your environment.

  o Lowering the Client SSL Handshake Timeout
  o Rate limiting iRule

Disabling RSA key exchange in Client SSL profile

Mitigation level: Full

Disabling RSA key exchange from the affected Client SSL profile will prevent
attackers from exploiting this vulnerability in any way. 

Impact of action: Disabling cipher suites that rely on RSA key exchange may
affect clients that do not support newer alternatives, such as DHE and ECDHE
for key exchange. Such legacy clients include, but are not limited to,
Microsoft Internet Explorer 6 on any platform, Microsoft Internet Explorer 8 on
Windows XP, and potentially non-browser user agents, such as embedded clients.
F5 recommends testing configuration changes in an appropriate environment
before deploying to production.

Note: Disabling RSA key exchange cipher suites causes client connection
requests to fall back to the DH(E) or ECDH(E) key exchange protocols. The DH
protocol is hardware accelerated on all platforms and software versions.
However, the ECDH protocol is not hardware accelerated on all platforms and
versions. On systems where ECDH is not hardware accelerated, ECDH and ECDHE
will be performed in software and may result in increased CPU usage. The
increase in CPU usage will vary depending on the environment. In some
environments, the usage increase may be significant. For more information,
refer to K13213: SSL algorithms that are hardware accelerated (11.x - 12.x).

To remove cipher suites using RSA key exchange, you must modify the cipher
string in the Client SSL profile to include !RSA, which is the RSA cipher with
a preceding exclamation (!) character. For example, if you are using the
default ciphers (DEFAULT) in the Client SSL profile, you should modify it to
the following cipher string:

DEFAULT:!RSA

Removing RSA key exchange will reduce the total number of available cipher
suites. You can check which cipher suites are available after disabling RSA key
exchange by typing the following command:

tmm --clientciphers '<your cipher string>'

For example:

tmm --clientciphers 'DEFAULT:!RSA'

The command output appears similar to the following truncated sample; output
varies depending on the BIG-IP version:

      ID  SUITE                            BITS PROT    METHOD  CIPHER   MAC     KEYX
0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES      SHA     ECDHE_RSA
2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES      SHA     ECDHE_RSA
3: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES      SHA     ECDHE_RSA

Note: With RSA key exchange disabled, you should still see EDH/RSA and/or
ECDHE_RSA in the KEYX column. The RSA here refers to the signature algorithm
and not the key exchange algorithm, which is DHE or ECDHE, respectively. You
should not see RSA in the KEYX column by itself, as this would be RSA key
exchange. For more information about the components in a cipher suite, refer to
K15194: Overview of the BIG-IP SSL/TLS cipher suite.
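
The KEYX check described in the note above can be automated. The following is an added example, not part of the F5 advisory: the function names and both sample listings are constructed for illustration, following the column layout of the sample output above.

```shell
#!/bin/sh
# Added example: audit `tmm --clientciphers` output for RSA key exchange.
# KEYX is the last column. "RSA" on its own means RSA key exchange;
# "ECDHE_RSA" and "EDH/RSA" are ephemeral exchanges signed with RSA.

# Print each suite that still uses RSA key exchange, with the protocols it
# is listed for. Exit status is 1 if any such suite is found, 0 otherwise.
rsa_keyx_suites() {
    awk '
        # Data rows: "<index>: <id> <suite> <bits> <prot> ... <keyx>"
        $1 ~ /^[0-9]+:$/ && NF >= 9 && $NF == "RSA" {
            sep = ($3 in prots) ? "," : ""
            if (!($3 in prots)) order[++n] = $3
            prots[$3] = prots[$3] sep $5
        }
        END {
            for (i = 1; i <= n; i++) print order[i], prots[order[i]]
            exit (n > 0)
        }
    '
}

# Count distinct suites per KEYX value, to see what remains for clients.
keyx_summary() {
    awk '
        $1 ~ /^[0-9]+:$/ && NF >= 9 && !seen[$3]++ { c[$NF]++ }
        END { for (k in c) print k, c[k] }
    ' | LC_ALL=C sort
}

# Constructed sample: a cipher string that still includes RSA key exchange.
sample_before() {
cat <<'EOF'
      ID  SUITE                            BITS PROT    METHOD  CIPHER   MAC     KEYX
0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
1:    53  AES256-SHA                       256  TLS1    Native  AES      SHA     RSA
2:    53  AES256-SHA                       256  TLS1.2  Native  AES      SHA     RSA
3:    60  AES128-SHA256                    128  TLS1.2  Native  AES      SHA256  RSA
4:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES      SHA     EDH/RSA
EOF
}

# Constructed sample: the same listing after adding !RSA.
sample_after() {
cat <<'EOF'
      ID  SUITE                            BITS PROT    METHOD  CIPHER   MAC     KEYX
0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
1:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES      SHA     EDH/RSA
EOF
}

# Demo on the constructed samples.
for s in sample_before sample_after; do
    if offenders=$($s | rsa_keyx_suites); then
        echo "$s: no RSA key exchange suites"
    else
        echo "$s: RSA key exchange still offered:"
        echo "$offenders"
    fi
done
```

On a BIG-IP system the same check is `tmm --clientciphers '<your cipher string>' | rsa_keyx_suites`, where a non-zero exit status means RSA key exchange is still enabled.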

Test RSA cipher string removal using the openssl command. For example, the
following commands should yield failures:

openssl s_client -connect 192.168.1.171:443 -cipher 'AES256-SHA'

openssl s_client -connect 192.168.1.171:443 -cipher 'AES128-SHA256'

Replace 192.168.1.171:443 with the IP address and Secure Sockets Layer (SSL)
port of your virtual server address and port.

For information about configuring the cipher string for the Client SSL profile,
refer to the Configuring the SSL profile to block a specific SSL protocol
procedure in the following articles appropriate for your BIG-IP version:

  o K17370: Configuring the cipher strength for SSL profiles (12.x - 13.x)
  o K13171: Configuring the cipher strength for SSL profiles (11.x)

Lowering the Client SSL Handshake Timeout

Important: You should only consider performing this procedure to provide
partial mitigation if you are unable to upgrade to a non-vulnerable version or
disable RSA key exchange in your environment.

Mitigation level: Partial

Lowering the value of the Handshake Timeout setting of the affected Client SSL
profile (default is 10 seconds) is only effective against MiTM attacks related
to this vulnerability and will greatly reduce the window of opportunity for a
successful MiTM attack. The analysis performed by F5 suggests a value of
6 seconds may be an effective limit, but the needs of each network may differ.
To lower the value, perform the following procedure:

Impact of action: Depending on your application environment, reducing the
Client SSL profile Handshake Timeout setting may affect your application. You
should review your specific client requirements for your application
environment to account for clients which may need a longer time to establish a
connection.

 1. Log in to the Configuration utility.
 2. Navigate to Local Traffic > Profiles > SSL > Client.
 3. Select the affected Client SSL profile.
 4. For the Configuration section, select Advanced.
 5. Locate and check the Handshake Timeout setting.
 6. Modify the value to suit your application environment.
 7. To save the changes, click Update.
 8. Repeat for the remaining affected Client SSL profiles.

Rate limiting iRule

Important: You should only consider performing this procedure to provide
partial mitigation if you are unable to upgrade to a non-vulnerable version or
disable RSA key exchange in your environment.

Mitigation level: Partial

Rate limiting the attack traffic makes the attack less practical, but it does
not eliminate the possibility of a successful MiTM attack. The following iRule
will rate-limit IP addresses initiating failed SSL handshakes, significantly
increasing the time it takes to exploit this vulnerability and making the
attack less practical.

Impact of action: This iRule applies blocking based on source IP addresses. In
an environment where the client traffic transits through a NAT device, you must
evaluate and configure an appropriate threshold for the maxhx variable within
the iRule. Additionally, adding an iRule will increase the resources used by
the associated virtual server. Depending on the type and volume of the
connections, this processing may introduce noticeable latency. F5 recommends
testing any such changes in an appropriate environment.

# CVE-2017-6168_mitigation - handshake attack countermeasure
#
# This iRule detects and rejects SSL handshake attacks associated with CVE-2017-6168
# If any IP address starts maxhx variable (default of 5) consecutive SSL connections
# without completing the handshake, it gets blocked for 180 seconds (the default table
# timeout)
#
proc debugmsg { str } {
    if { $static::debug_me } {
        log local0.info $str
    }
}

when RULE_INIT {
    # max no. of handshakes started to be allowed
    set static::maxhx 5

    # log debug info?
    set static::debug_me false

    # various states that a connection can be in
    set static::state_accepted 0
    set static::state_ssl_started 1
    set static::state_sent_data 2
}

when CLIENT_ACCEPTED {
    set cstate $static::state_accepted

    set hx [table lookup -notouch [IP::client_addr]]
    if { $hx >= $static::maxhx } {
        if { $static::debug_me } {
            set te [table timeout -remaining [IP::client_addr]]
            call debugmsg "[IP::client_addr] BLACKLISTED for $te more seconds"
        }
        # A drop will slow down the client, but the client will still send
        # the ChangeCipherSpec message, which will chew up our processing
        # resources. Send a reject instead, which will decrease the turnaround time.
        reject
    }
}

when CLIENTSSL_CLIENTHELLO {
    set cstate $static::state_ssl_started
    call debugmsg "clienthello received [IP::client_addr]"
}

when CLIENTSSL_HANDSHAKE {
    # Any successful connection from that IP will "clear" the table
    if { $cstate == $static::state_ssl_started } {
        table delete [IP::client_addr]
        set cstate $static::state_sent_data
        call debugmsg "client request started, clearing table [IP::client_addr]"
    }
}

when CLIENT_CLOSED {
    if { $cstate == $static::state_ssl_started } {
        call debugmsg "HANDSHAKE ATTACK PROBABLE [IP::client_addr]"
        if { [table incr [IP::client_addr]] == $static::maxhx } {
            log local0.alert "Handshake attack underway, blocking [IP::client_addr] for 180 seconds."
        }
    } else {
        # Tcl requires "else" on the same line as the closing brace of the if body
        call debugmsg "closing conn [IP::client_addr] state = $cstate"
    }
}
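
The iRule above writes a local0.alert message each time a source address reaches maxhx. The following added example, which is not part of the F5 advisory, counts those alerts per source address so that repeatedly blocked sources stand out from one-off failures, which helps when tuning maxhx for clients behind NAT. The function names, the syslog prefix and the addresses in the sample are constructed; only the alert text comes from the iRule.

```shell
#!/bin/sh
# Added example: summarise the block alerts logged by the mitigation iRule.
# Only the message text written by the iRule is matched, so the syslog
# prefix in front of it does not matter.

# Usage: blocked_sources [MIN] < logfile
# Prints "<alert count> <source address>" for every source with at least
# MIN alerts (default 1), most frequently blocked first.
blocked_sources() {
    awk -v min="${1:-1}" '
        match($0, /Handshake attack underway, blocking [^ ]+ for/) {
            # Words: Handshake attack underway, blocking <addr> for
            split(substr($0, RSTART, RLENGTH), w, " ")
            count[w[5]]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample log. The prefix format and addresses are assumptions;
# the debug line is included to show that it is not counted as a block.
sample_ltm_log() {
cat <<'EOF'
Nov 20 10:15:01 bigip1 alert tmm[12345]: Rule /Common/rate_limit <CLIENT_CLOSED>: Handshake attack underway, blocking 203.0.113.7 for 180 seconds.
Nov 20 10:15:02 bigip1 info tmm[12345]: Rule /Common/rate_limit <CLIENT_CLOSED>: HANDSHAKE ATTACK PROBABLE 203.0.113.7
Nov 20 10:18:09 bigip1 alert tmm[12345]: Rule /Common/rate_limit <CLIENT_CLOSED>: Handshake attack underway, blocking 203.0.113.7 for 180 seconds.
Nov 20 10:19:44 bigip1 alert tmm1[12345]: Rule /Common/rate_limit <CLIENT_CLOSED>: Handshake attack underway, blocking 198.51.100.20 for 180 seconds.
Nov 20 10:21:30 bigip1 alert tmm[12345]: Rule /Common/rate_limit <CLIENT_CLOSED>: Handshake attack underway, blocking 203.0.113.7 for 180 seconds.
Nov 20 10:22:00 bigip1 notice mcpd[4321]: unrelated configuration message
EOF
}

# Demo: sources blocked at least twice in the constructed sample.
sample_ltm_log | blocked_sources 2
```

Each alert corresponds to maxhx consecutive connections from that address that started a handshake and closed without completing it.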
 

Acknowledgements

F5 would like to acknowledge Hanno Böck, Juraj Somorovsky of Ruhr-Universität
Bochum / Hackmanit GmbH, and Craig Young of Tripwire VERT for bringing this
issue to our attention.

Supplemental Information

  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K167: Downloading software and firmware from F5
  o K13123: Managing BIG-IP product hotfixes (11.x - 13.x)
  o K9502: BIG-IP hotfix matrix

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================