===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2017.2969.2
                         BIG-IP SSL Vulnerability
                              2 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP
Publisher:         F5 Networks
Operating System:  Virtualisation
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6168

Original Bulletin:
   https://support.f5.com/csp/article/K21905460

Revision History:  January   2 2018: Updated Advisory from F5 Networks
                   November 20 2017: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

K21905460: BIG-IP SSL vulnerability (ROBOT) CVE-2017-6168

Security Advisory

Original Publication Date: Nov 18, 2017
Updated Date: Dec 28, 2017

Security Advisory Description

A BIG-IP virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages and/or a Man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server's private key itself. (CVE-2017-6168)

This vulnerability is also known as the ROBOT attack.

Impact

Exploiting this vulnerability to perform plaintext recovery of encrypted messages will, in most practical cases, allow an attacker to read the plaintext only after the session has completed. Only TLS sessions established using RSA key exchange are vulnerable to this attack.

Exploiting this vulnerability to conduct a MiTM attack requires the attacker to complete the initial attack, which may require millions of server requests, during the handshake phase of the targeted session within the window of the configured handshake timeout. This attack may be conducted against any TLS session using RSA signatures, but only if cipher suites using RSA key exchange are also enabled on the virtual server. The limited window of opportunity, limitations in bandwidth, and latency make this attack significantly more difficult to execute.

This vulnerability affects BIG-IP systems with the following configuration:

  o A virtual server associated with a Client SSL profile with RSA key exchange enabled; RSA key exchange is enabled by default.

Captured TLS sessions encrypted with ephemeral cipher suites (DHE or ECDHE) are not at risk for subsequent decryption due to this vulnerability.

Important: Virtual servers configured with a Client SSL profile with the Generic Alert option disabled (enabled by default) are at higher risk because they report the specific handshake failure instead of a generic message.

Virtual servers configured with a Client SSL profile that has the Client Certificate option under the Client Authentication section set to require will limit the threat to attackers that are able to successfully authenticate first. Without client certificate authentication, this attack is unauthenticated and anonymous.

Virtual servers that have completely disabled RSA Key Exchange cipher suites within the Client SSL profile (for example, cipher string DEFAULT:!RSA) are NOT impacted by this vulnerability.

BIG-IP Configuration utility, iControl services, big3d collection agent, and Centralized Management Infrastructure (CMI) connections are NOT impacted by this vulnerability.

Captured traffic from sessions using Perfect Forward Secrecy (PFS) cipher suites (DHE or ECDHE) cannot be decrypted due to this vulnerability.

This vulnerability is not an RSA private key recovery attack and does not compromise the server's private key.

Security Advisory Status

F5 Product Development has assigned ID 693211 (BIG-IP) to this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H21905460 on the Diagnostics > Identified > Critical screen.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

+--------------+---------------+---------------+------------+-------+-----------------+
|Product       |Versions known |Versions known |Severity    |CVSSv3 |Vulnerable       |
|              |to be          |to be not      |            |score^1|component or     |
|              |vulnerable     |vulnerable     |            |       |feature          |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IP LTM    |13.0.0 - 13.1.0|13.0.0 HF3     |Critical    |9.1    |Client SSL       |
|              |12.0.0 - 12.1.2|12.1.2 HF2     |            |       |profiles with RSA|
|              |11.6.0 - 11.6.2|11.6.2 HF1     |            |       |key exchange     |
|              |               |11.5.1 - 11.5.5|            |       |enabled          |
|              |               |11.2.1         |            |       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IP AAM    |13.0.0 - 13.1.0|13.0.0 HF3     |Critical    |9.1    |Client SSL       |
|              |12.0.0 - 12.1.2|12.1.2 HF2     |            |       |profiles with RSA|
|              |11.6.0 - 11.6.2|11.6.2 HF1     |            |       |key exchange     |
|              |               |11.5.1 - 11.5.5|            |       |enabled          |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IP AFM    |13.0.0 - 13.1.0|13.0.0 HF3     |Critical    |9.1    |Client SSL       |
|              |12.0.0 - 12.1.2|12.1.2 HF2     |            |       |profiles with RSA|
|              |11.6.0 - 11.6.2|11.6.2 HF1     |            |       |key exchange     |
|              |               |11.5.1 - 11.5.5|            |       |enabled          |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IP        |13.0.0 - 13.1.0|13.0.0 HF3     |Critical    |9.1    |Client SSL       |
|Analytics     |12.0.0 - 12.1.2|12.1.2 HF2     |            |       |profiles with RSA|
|              |11.6.0 - 11.6.2|11.6.2 HF1     |            |       |key exchange     |
|              |               |11.5.1 - 11.5.5|            |       |enabled          |
|              |               |11.2.1         |            |       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IP APM    |13.0.0 - 13.1.0|13.0.0 HF3     |Critical    |9.1    |Client SSL       |
|              |12.0.0 - 12.1.2|12.1.2 HF2     |            |       |profiles with RSA|
|              |11.6.0 - 11.6.2|11.6.2 HF1     |            |       |key exchange     |
|              |               |11.5.1 - 11.5.5|            |       |enabled          |
|              |               |11.2.1         |            |       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IP ASM    |13.0.0 - 13.1.0|13.0.0 HF3     |Critical    |9.1    |Client SSL       |
|              |12.0.0 - 12.1.2|12.1.2 HF2     |            |       |profiles with RSA|
|              |11.6.0 - 11.6.2|11.6.2 HF1     |            |       |key exchange     |
|              |               |11.5.1 - 11.5.5|            |       |enabled          |
|              |               |11.2.1         |            |       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IP DNS    |None           |13.0.0 - 13.1.0|Not         |None   |None             |
|              |               |12.0.0 - 12.1.2|vulnerable^2|       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IP Edge   |None           |11.2.1         |Not         |None   |None             |
|Gateway       |               |               |vulnerable  |       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IP GTM    |None           |11.6.0 - 11.6.2|Not         |None   |None             |
|              |               |11.5.1 - 11.5.5|vulnerable^2|       |                 |
|              |               |11.2.1         |            |       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IP Link   |13.0.0 - 13.1.0|13.0.0 HF3     |Critical    |9.1    |Client SSL       |
|Controller    |12.0.0 - 12.1.2|12.1.2 HF2     |            |       |profiles with RSA|
|              |11.6.0 - 11.6.2|11.6.2 HF1     |            |       |key exchange     |
|              |               |11.5.1 - 11.5.5|            |       |enabled          |
|              |               |11.2.1         |            |       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IP PEM    |13.0.0 - 13.1.0|13.0.0 HF3     |Critical    |9.1    |Client SSL       |
|              |12.0.0 - 12.1.2|12.1.2 HF2     |            |       |profiles with RSA|
|              |11.6.0 - 11.6.2|11.6.2 HF1     |            |       |key exchange     |
|              |               |11.5.1 - 11.5.5|            |       |enabled          |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IP        |None           |11.2.1         |Not         |None   |None             |
|WebAccelerator|               |               |vulnerable  |       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|F5 WebSafe    |13.0.0 - 13.1.0|13.0.0 HF3     |Critical    |9.1    |Client SSL       |
|              |12.0.0 - 12.1.2|12.1.2 HF2     |            |       |profiles with RSA|
|              |11.6.2         |11.6.2 HF1     |            |       |key exchange     |
|              |               |               |            |       |enabled          |
+--------------+---------------+---------------+------------+-------+-----------------+
|Enterprise    |None           |3.1.1          |Not         |None   |None             |
|Manager       |               |               |vulnerable^2|       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IQ Cloud  |None           |4.4.0 - 4.5.0  |Not         |None   |None             |
|              |               |               |vulnerable^2|       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IQ Device |None           |4.4.0 - 4.5.0  |Not         |None   |None             |
|              |               |               |vulnerable^2|       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IQ        |None           |4.4.0 - 4.5.0  |Not         |None   |None             |
|Security      |               |               |vulnerable^2|       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IQ ADC    |None           |4.5.0          |Not         |None   |None             |
|              |               |               |vulnerable^2|       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IQ        |None           |5.0.0 - 5.3.0  |Not         |None   |None             |
|Centralized   |               |4.6.0          |vulnerable^2|       |                 |
|Management    |               |               |            |       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|BIG-IQ Cloud  |None           |1.0.0          |Not         |None   |None             |
|and           |               |               |vulnerable^2|       |                 |
|Orchestration |               |               |            |       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|F5 iWorkflow  |None           |2.0.0 - 2.3.0  |Not         |None   |None             |
|              |               |               |vulnerable^2|       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|LineRate      |None           |2.5.0 - 2.6.2  |Not         |None   |None             |
|              |               |               |vulnerable  |       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+
|Traffix SDC   |None           |5.0.0 - 5.1.0  |Not         |None   |None             |
|              |               |4.0.0 - 4.4.0  |vulnerable  |       |                 |
+--------------+---------------+---------------+------------+-------+-----------------+

^1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.

^2 The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

BIG-IP cloud images are posted to their respective market places as rapidly as the providers' processes allow. For an immediate resolution, BIG-IP cloud customers can perform a standard Live Install of ISO images located on the F5 Downloads site to resolve this issue prior to marketplace images being made available.

Mitigation

F5 strongly recommends that you upgrade to a non-vulnerable version because it is the only full resolution of this issue. If upgrading to a non-vulnerable version is not an option, you may consider the following mitigations:

  o Disabling RSA key exchange in Client SSL profile

Important: You should only consider the following two options to provide partial mitigation if you are unable to upgrade to a non-vulnerable version or disable RSA key exchange in your environment.

  o Lowering the Client SSL Handshake Timeout
  o Rate limiting iRule

Disabling RSA key exchange in Client SSL profile

Mitigation level: Full

Disabling RSA key exchange from the affected Client SSL profile will prevent attackers from exploiting this vulnerability in any way.

Impact of action: Disabling cipher suites that rely on RSA key exchange may affect clients that do not support newer alternatives, such as DHE and ECDHE for key exchange. Such legacy clients include, but are not limited to, Microsoft Internet Explorer 6 on any platform, Microsoft Internet Explorer 8 on Windows XP, and potentially non-browser user agents, such as embedded clients. F5 recommends testing configuration changes in an appropriate environment before deploying to production.

Note: Disabling RSA key exchange cipher suites causes client connection requests to fall back to the DH(E) or ECDH(E) key exchange protocols. The DH protocol is hardware accelerated on all platforms and software versions. However, the ECDH protocol is not hardware accelerated on all platforms and versions. On systems where ECDH is not hardware accelerated, ECDH and ECDHE will be performed in software and may result in increased CPU usage. The increase in CPU usage will vary depending on the environment. In some environments, the usage increase may be significant. For more information, refer to K13213: SSL algorithms that are hardware accelerated (11.x - 12.x).

To remove cipher suites using RSA key exchange, you must modify the cipher string in the Client SSL profile to include !RSA, which is the RSA cipher with a preceding exclamation (!) character. For example, if you are using the default ciphers (DEFAULT) in the Client SSL profile, you should modify it to the following cipher string:

    DEFAULT:!RSA

Removing RSA key exchange will reduce the total number of available cipher suites.

You can check which cipher suites are available after disabling RSA key exchange by typing the following command:

    tmm --clientciphers '<your cipher string>'

For example:

    tmm --clientciphers 'DEFAULT:!RSA'

The command output appears similar to the following truncated sample; output varies depending on the BIG-IP version:

           ID  SUITE                        BITS  PROT    METHOD  CIPHER   MAC     KEYX
     0: 49199  ECDHE-RSA-AES128-GCM-SHA256  128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
     1: 49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1    Native  AES      SHA     ECDHE_RSA
     2: 49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.1  Native  AES      SHA     ECDHE_RSA
     3: 49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.2  Native  AES      SHA     ECDHE_RSA

Note: With RSA key exchange disabled, you should still see EDH/RSA and/or ECDHE_RSA in the KEYX column. The RSA here refers to the signature algorithm and not the key exchange algorithm, which is DHE or ECDHE, respectively. You should not see RSA in the KEYX column by itself, as this would be RSA key exchange. For more information about the components in a cipher suite, refer to K15194: Overview of the BIG-IP SSL/TLS cipher suite.

Test RSA cipher string removal using the openssl command. For example, the following commands should yield failures:

    openssl s_client -connect 192.168.1.171:443 -cipher 'AES256-SHA'
    openssl s_client -connect 192.168.1.171:443 -cipher 'AES128-SHA256'

Replace 192.168.1.171:443 with the IP address and Secure Sockets Layer (SSL) port of your virtual server address and port.

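Added example (not part of the F5 advisory or the AusCERT bulletin): the KEYX check from the note above, written as a shell filter over tmm --clientciphers output. It flags only rows whose KEYX column is exactly RSA; the function names are hypothetical and sample rows 4 to 6 are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not F5 or AusCERT code. Function names are hypothetical.
# On a BIG-IP:  tmm --clientciphers 'DEFAULT:!RSA' | check_no_rsa_keyx

# A data row has nine fields: "N:", numeric suite ID, SUITE, BITS, PROT,
# METHOD, CIPHER, MAC, KEYX. The header (eight fields) and blank or banner
# lines do not match that shape and are skipped.

# Print "SUITE PROT" for every row whose KEYX column is exactly RSA.
# EDH/RSA and ECDHE_RSA mean (EC)DHE key exchange with an RSA signature,
# so this must be an exact match on the last column, not a substring match.
rsa_keyx_rows() {
  awk 'NF == 9 && $1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+$/ && $9 == "RSA" {
         print $3, $5
       }'
}

# Count rows per KEYX value, one "KEYX COUNT" pair per line.
keyx_summary() {
  awk 'NF == 9 && $1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+$/ { n[$9]++ }
       END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# Return 0 if no RSA key exchange suite is offered, 1 otherwise.
check_no_rsa_keyx() {
  hits=$(rsa_keyx_rows)
  if [ -n "$hits" ]; then
    printf 'RSA key exchange still offered:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Rows 0-3 are the advisory's sample output for 'DEFAULT:!RSA'.
SAMPLE_AFTER='       ID  SUITE                        BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256  128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 1: 49171  ECDHE-RSA-AES128-CBC-SHA     128  TLS1    Native  AES      SHA     ECDHE_RSA
 2: 49171  ECDHE-RSA-AES128-CBC-SHA     128  TLS1.1  Native  AES      SHA     ECDHE_RSA
 3: 49171  ECDHE-RSA-AES128-CBC-SHA     128  TLS1.2  Native  AES      SHA     ECDHE_RSA'

# Rows 4-6 are constructed (not from the advisory): a profile that still
# offers RSA key exchange, plus one EDH/RSA row that must not be flagged.
SAMPLE_BEFORE="$SAMPLE_AFTER
 4:   158  DHE-RSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  EDH/RSA
 5:    47  AES128-SHA                   128  TLS1    Native  AES      SHA     RSA
 6:    53  AES256-SHA                   256  TLS1.2  Native  AES      SHA     RSA"

# Demo on the constructed "before" sample.
printf '%s\n' "$SAMPLE_BEFORE" | keyx_summary
printf '%s\n' "$SAMPLE_BEFORE" | rsa_keyx_rows
```

The non-zero exit status of check_no_rsa_keyx lets the same check gate a configuration change in a script.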
For information about configuring the cipher string for the Client SSL profile, refer to the Configuring the SSL profile to block a specific SSL protocol procedure in the following articles appropriate for your BIG-IP version:

  o K17370: Configuring the cipher strength for SSL profiles (12.x - 13.x)
  o K13171: Configuring the cipher strength for SSL profiles (11.x)

Lowering the Client SSL Handshake Timeout

Important: You should only consider performing this procedure to provide partial mitigation if you are unable to upgrade to a non-vulnerable version or disable RSA key exchange in your environment.

Mitigation level: Partial

Lowering the value of the Handshake Timeout setting of the affected Client SSL profile (default is 10 seconds) is only effective against MiTM attacks related to this vulnerability and will greatly reduce the window of opportunity for a successful MiTM attack. The analysis performed by F5 suggests a value of 6 seconds may be an effective limit, but the needs of each network may differ. To lower the value, perform the following procedure:

Impact of action: Depending on your application environment, reducing the Client SSL profile Handshake Timeout setting may affect your application. You should review your specific client requirements for your application environment to account for clients which may need a longer time to establish a connection.

 1. Log in to the Configuration utility.
 2. Navigate to Local Traffic > Profiles > SSL > Client.
 3. Select the affected Client SSL profile.
 4. For the Configuration section, select Advanced.
 5. Locate and check the Handshake Timeout setting.
 6. Modify the value to suit your application environment.
 7. To save the changes, click Update.
 8. Repeat for the remaining affected Client SSL profiles.

Rate limiting iRule

Important: You should only consider performing this procedure to provide partial mitigation if you are unable to upgrade to a non-vulnerable version or disable RSA key exchange in your environment.

Mitigation level: Partial

Rate limiting the attack traffic makes the attack less practical, but it does not eliminate the possibility of a successful MiTM attack. The following iRule will rate-limit IP addresses initiating failed SSL handshakes, significantly increasing the time it takes to exploit this vulnerability and making the attack less practical.

Impact of action: This iRule applies blocking based on source IP addresses. In an environment where the client traffic transits through a NAT device, you must evaluate and configure an appropriate threshold for the maxhx variable within the iRule. Additionally, adding an iRule will increase the resources used by the associated virtual server. Depending on the type and volume of the connections, this processing may introduce noticeable latency. F5 recommends testing any such changes in an appropriate environment.

    # CVE-2017-6168_mitigation - handshake attack countermeasure
    #
    # This iRule detects and rejects SSL handshake attacks associated with CVE-2017-6168
    # If any IP address starts maxhx variable (default of 5) consecutive SSL connections
    # without completing the handshake, it gets blocked for 180 seconds (the default table
    # timeout)
    #
    proc debugmsg { str } {
        if { $static::debug_me } {
            log local0.info $str
        }
    }

    when RULE_INIT {
        # max no. of handshakes started to be allowed
        set static::maxhx 5
        # log debug info?
        set static::debug_me false
        # various states that a connection can be in
        set static::state_accepted 0
        set static::state_ssl_started 1
        set static::state_sent_data 2
    }

    when CLIENT_ACCEPTED {
        set cstate $static::state_accepted
        set hx [table lookup -notouch [IP::client_addr]]
        if { $hx >= $static::maxhx } {
            if { $static::debug_me } {
                set te [table timeout -remaining [IP::client_addr]]
                call debugmsg "[IP::client_addr] BLACKLISTED for $te more seconds"
            }
            # A drop will slow down the client, but the client will still send
            # the ChangeCipherSpec message and that will chew up our processing
            # resources. Send a reject instead, which will decrease the turnaround time.
            reject
        }
    }

    when CLIENTSSL_CLIENTHELLO {
        set cstate $static::state_ssl_started
        call debugmsg "clienthello received [IP::client_addr]"
    }

    when CLIENTSSL_HANDSHAKE {
        # Any successful connection from that IP will "clear" the table
        if { $cstate == $static::state_ssl_started } {
            table delete [IP::client_addr]
            set cstate $static::state_sent_data
            call debugmsg "client request started, clearing table [IP::client_addr]"
        }
    }

    when CLIENT_CLOSED {
        if { $cstate == $static::state_ssl_started } {
            call debugmsg "HANDSHAKE ATTACK PROBABLE [IP::client_addr]"
            if { [table incr [IP::client_addr]] == $static::maxhx } {
                log local0.alert "Handshake attack underway, blocking [IP::client_addr] for 180 seconds."
            }
        } else {
            call debugmsg "closing conn [IP::client_addr] state = $cstate"
        }
    }

Acknowledgements

F5 would like to acknowledge Hanno Böck, Juraj Somorovsky of Ruhr-Universität Bochum / Hackmanit GmbH, and Craig Young of Tripwire VERT for bringing this issue to our attention.

Supplemental Information

  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K167: Downloading software and firmware from F5
  o K13123: Managing BIG-IP product hotfixes (11.x - 13.x)
  o K9502: BIG-IP hotfix matrix

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================