-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1944.2
              K29146534: SBB Variant 4 vulnerability CVE-2018-3639
                               1 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP products
                   F5 Enterprise Manager
                   F5 BIG-IQ products
                   F5 iWorkflow
                   F5 Traffix SDC
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        None
CVE Names:         CVE-2018-3639
Reference:         ASB-2018.0121

Original Bulletin:
   https://support.f5.com/csp/article/K29146534

Revision History:  November 1 2018: Additional vulnerable version of BIG-IP
                                    products identified
                   July     4 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K29146534: SBB Variant 4 vulnerability CVE-2018-3639

Security Advisory

Original Publication Date: Jul 04, 2018
Updated Date: Nov 01, 2018

Security Advisory Description

Systems with microprocessors utilizing speculative execution and speculative
execution of memory reads before the addresses of all prior memory writes are
known may allow unauthorized disclosure of information to an attacker with
local user access via a side-channel analysis, aka Speculative Store Bypass
(SSB), Variant 4. (CVE-2018-3639)

Impact

All exposure is limited to the control plane, also known as the management
plane. There is no exposure on BIG-IP products by way of the data plane.

Additionally, on the control plane, the vulnerabilities are exploitable only by
the following four authorized, authenticated account roles: Administrator,
Resource Administrator, Manager, and iRules Manager. An attacker must be
authorized to access the system in one of these roles to attempt to exploit the
vulnerabilities.
This vulnerability requires an attacker who can provide and run binary code of
their choosing on the BIG-IP platform. As a result, these conditions severely
restrict the exposure risk of BIG-IP products.

Single-tenancy products

For single-tenancy products, such as a standalone BIG-IP device, the risk is
limited to a local, authorized user employing one of the vulnerabilities to
read information from memory that they would not normally access, exceeding
their privileges. A user may be able to access kernel-space memory, instead of
their own user-space.

Multi-tenancy environments

For multi-tenancy environments, such as cloud, Virtual Edition (VE), and
Virtual Clustered Multiprocessing (vCMP), the same local kernel memory access
risk applies as in single-tenancy environments. Additionally, there is a risk
of attacks across guests, or attacks against the hypervisor or host.

In cloud and VE environments, preventing these new attacks falls on the
hypervisor or host platform, which is outside the scope of F5's ability to
support or patch. Contact your cloud provider or hypervisor vendor to ensure
their platforms or products are protected against Spectre variants.

For vCMP environments, F5 believes that while the Spectre Variant attacks offer
a theoretical possibility of guest-to-guest or guest-to-host attacks, these
would be very difficult to successfully conduct in the BIG-IP environment. The
primary risk in the vCMP environment with Spectre variants only exists when
vCMP guests are configured to use a single core. If the vCMP guests are
configured to use two or more cores, the Spectre Variant vulnerabilities are
eliminated.

Vulnerability research

F5 is working with its hardware component vendors to determine the scope of
vulnerabilities across its various generations of hardware platforms. All of
the current information from F5's vendors is represented in this security
advisory.
F5 is working to obtain the remaining information from its vendors and will
update the security advisory as F5 receives new information regarding its
hardware platforms.

F5 is also testing the fixes produced by the Linux community, and is conducting
an extensive test campaign to characterize the impact of the fixes on system
performance and stability to ensure a good experience for its customers. F5
does not want to rush the process and release fixes without a full
understanding of potential issues. Given the limited exposure, the complexity
of the fixes, and the potential issues, a detailed approach is warranted and
rushing a fix could result in an impact to system stability or unacceptable
performance costs. F5 will update this article with fixes as they become
available.

Security Advisory Status

F5 Product Development has assigned IDs 721319, 721555, and 721556 (BIG-IP),
ID 721949 (BIG-IQ), ID 721945 (Enterprise Manager), and CPF-24903 and
CPF-24904 (Traffix) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table. For more information about security advisory versioning, refer to
K51812227: Understanding Security Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |14.x  |14.0.0    |None      |          |      |          |
|BIG-IP (LTM, AAM,  +------+----------+----------+          |      |          |
|AFM, Analytics,    |13.x  |13.0.0 -  |None      |          |      |          |
|APM, ASM, DNS, Edge|      |13.1.0    |          |          |      |F5        |
|Gateway, FPS, GTM, +------+----------+----------+Medium    |5.6   |hardware  |
|Link Controller,   |12.x  |12.1.0 -  |None      |          |      |platforms*|
|PEM,               |      |12.1.3    |          |          |      |          |
|WebAccelerator)    +------+----------+----------+          |      |          |
|                   |11.x  |11.2.1 -  |None      |          |      |          |
|                   |      |11.6.3    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|ARX                |6.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |      |          |          |          |      |F5        |
|Enterprise Manager |3.x   |3.1.1     |None      |Medium    |4.3   |hardware  |
|                   |      |          |          |          |      |platforms*|
+-------------------+------+----------+----------+----------+------+----------+
|                   |6.x   |6.0.0     |None      |          |      |          |
|                   +------+----------+----------+          |      |F5        |
|BIG-IQ Centralized |5.x   |5.0.0 -   |None      |Medium    |4.3   |hardware  |
|Management         |      |5.4.0     |          |          |      |platforms*|
|                   +------+----------+----------+          |      |          |
|                   |4.x   |4.6.0     |None      |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|BIG-IQ Cloud and   |      |          |          |          |      |F5        |
|Orchestration      |1.x   |1.0.0     |None      |Medium    |4.3   |hardware  |
|                   |      |          |          |          |      |platforms*|
+-------------------+------+----------+----------+----------+------+----------+
|                   |      |2.1.0 -   |          |          |      |F5        |
|F5 iWorkflow       |2.x   |2.3.0     |None      |Medium    |4.3   |hardware  |
|                   |      |          |          |          |      |platforms*|
+-------------------+------+----------+----------+----------+------+----------+
|                   |5.x   |5.0.0 -   |None      |          |      |F5        |
|Traffix SDC        |      |5.1.0     |          |Medium    |5.6   |hardware  |
|                   +------+----------+----------+          |      |platforms*|
|                   |4.x   |4.4.0     |None      |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

* For information about the affected hardware platforms, refer to the
Vulnerable platforms section.

Vulnerable platforms

Some platforms may have processors from multiple vendors and may have a
vulnerable ARM processor in one or more subsystems. F5 investigated the use of
ARM processors and, while vulnerable processors are used, those processors do
not handle privileged information; they are limited to running signed firmware
from F5 with no capability to execute user-specified code.

The following tables list only one entry for platform models that have several
variants. For example, BIG-IP 11000, BIG-IP 11050, BIG-IP 11050F, and BIG-IP
11050N are all vulnerable and included in the table as "BIG-IP 110x0."
BIG-IP

+-------------+---------------+----------+
|Model        |Processor types|Vulnerable|
+-------------+---------------+----------+
|VIPRION B21x0|Intel          |Y         |
+-------------+---------------+----------+
|VIPRION B2250|Intel          |Y         |
+-------------+---------------+----------+
|VIPRION B4100|AMD            |Y*        |
+-------------+---------------+----------+
|VIPRION B4200|AMD            |Y*        |
+-------------+---------------+----------+
|VIPRION B43x0|Intel          |Y         |
+-------------+---------------+----------+
|VIPRION B44x0|Intel          |Y         |
+-------------+---------------+----------+
|BIG-IP 2xx0  |Intel          |Y         |
+-------------+---------------+----------+
|BIG-IP 4xx0  |Intel          |Y         |
+-------------+---------------+----------+
|BIG-IP 5xx0  |Intel          |Y         |
+-------------+---------------+----------+
|BIG-IP 7xx0  |Intel          |Y         |
+-------------+---------------+----------+
|BIG-IP 10xxx |Intel          |Y         |
+-------------+---------------+----------+
|BIG-IP 12xx0 |Intel          |Y         |
+-------------+---------------+----------+
|BIG-IP i2x00 |Intel, ARM     |Y         |
+-------------+---------------+----------+
|BIG-IP i4x00 |Intel, ARM     |Y         |
+-------------+---------------+----------+
|BIG-IP i5x00 |Intel, ARM     |Y         |
+-------------+---------------+----------+
|BIG-IP i7x00 |Intel, ARM     |Y         |
+-------------+---------------+----------+
|BIG-IP i10x00|Intel, ARM     |Y         |
+-------------+---------------+----------+
|BIG-IP 800   |Intel          |Y         |
+-------------+---------------+----------+
|BIG-IP 1600  |Intel          |Y         |
+-------------+---------------+----------+
|BIG-IP 3600  |Intel          |Y         |
+-------------+---------------+----------+
|BIG-IP 3900  |Intel          |Y         |
+-------------+---------------+----------+
|BIG-IP 6900  |AMD            |Y*        |
+-------------+---------------+----------+
|BIG-IP 89x0  |AMD            |Y*        |
+-------------+---------------+----------+
|BIG-IP 110x0 |AMD            |Y*        |
+-------------+---------------+----------+
|BIG-IP 6400  |AMD            |Y*        |
+-------------+---------------+----------+

* F5 believes these platforms are vulnerable, but AMD has yet to confirm. AMD
has not published plans to provide fixes for these CPUs.
BIG-IQ, Enterprise Manager, FirePass, and ARX

+-----------------------+--------------+----------+
|Model                  |Processor type|Vulnerable|
+-----------------------+--------------+----------+
|BIG-IQ 7000            |Intel         |Y         |
+-----------------------+--------------+----------+
|Enterprise Manager 4000|Intel         |Y         |
+-----------------------+--------------+----------+
|FirePass 12xx          |Intel         |N         |
+-----------------------+--------------+----------+
|FirePass 41xx          |AMD           |Y*        |
+-----------------------+--------------+----------+
|FirePass 43xx          |AMD           |Y*        |
+-----------------------+--------------+----------+
|ARX 1500+              |Intel         |Y         |
+-----------------------+--------------+----------+
|ARX 2500               |Intel         |Y         |
+-----------------------+--------------+----------+
|ARX 4000/4000+         |Intel         |Y         |
+-----------------------+--------------+----------+

* Intel and AMD have not responded to repeated requests for information about
the processors in these platforms. Therefore, based on their general public
statements, we must assume that they are vulnerable.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
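The recommended action above amounts to comparing the running version against
the "Versions known to be vulnerable" column for each product. The following
Python script is an added example (it is not part of the F5 advisory or of any
F5 tool) that transcribes those ranges from the table and performs that
comparison, treating each range as inclusive and comparing on the
major.minor.maintenance components the advisory uses, so that a point release
such as 13.1.0.8 is judged by its base version 13.1.0. The function names and
the sample versions are this example's own; the ranges are the advisory's.

```python
"""Check an F5 product version against the version ranges that K29146534
lists as known to be vulnerable to CVE-2018-3639.

Added example, not part of the F5 advisory or of any F5 tool. The ranges
below are transcribed from the advisory's "Versions known to be vulnerable"
column (as of the November 1 2018 update); the function names and sample
versions are this example's own.
"""
import re

# Inclusive version ranges per product, transcribed from the advisory table.
# A branch with a single listed version (e.g. 14.0.0) is a range with equal
# endpoints. The "Fixes introduced in" column is None for every branch.
VULNERABLE_RANGES = {
    "BIG-IP": [("14.0.0", "14.0.0"), ("13.0.0", "13.1.0"),
               ("12.1.0", "12.1.3"), ("11.2.1", "11.6.3")],
    "Enterprise Manager": [("3.1.1", "3.1.1")],
    "BIG-IQ Centralized Management": [("6.0.0", "6.0.0"), ("5.0.0", "5.4.0"),
                                      ("4.6.0", "4.6.0")],
    "BIG-IQ Cloud and Orchestration": [("1.0.0", "1.0.0")],
    "F5 iWorkflow": [("2.1.0", "2.3.0")],
    "Traffix SDC": [("5.0.0", "5.1.0"), ("4.4.0", "4.4.0")],
}


def parse_version(text):
    """Turn '13.1.0.8' or '12.1.3 HF2' into a tuple of ints.

    Only the leading dotted-integer prefix is used, so hotfix or build suffixes
    do not break the comparison.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("not a version string: %r" % (text,))
    return tuple(int(part) for part in m.group(1).split("."))


def in_range(version, low, high):
    """Inclusive comparison on the first three components only.

    The advisory lists versions at major.minor.maintenance granularity, so
    13.1.0.8 falls inside '13.0.0 - 13.1.0' exactly as 13.1.0 does.
    """
    v = parse_version(version)[:3]
    return parse_version(low)[:3] <= v <= parse_version(high)[:3]


def is_known_vulnerable(product, version):
    """True when the advisory lists this product version as known vulnerable.

    An unknown product name raises KeyError rather than quietly reporting
    'not vulnerable'; the advisory only covers the products in the table.
    """
    return any(in_range(version, lo, hi) for lo, hi in VULNERABLE_RANGES[product])


def assess(product, version):
    """Summarise the advisory's guidance for one product/version pair."""
    if is_known_vulnerable(product, version):
        # Every "Fixes introduced in" cell reads None, so there is no upgrade
        # candidate for a listed version at the time of the advisory.
        return ("vulnerable",
                "listed as known vulnerable; no fixed version is listed")
    return ("not listed",
            "outside the listed ranges; the advisory does not evaluate it")


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    inventory = [("BIG-IP", "13.1.0.8"), ("BIG-IP", "14.1.0"),
                 ("Traffix SDC", "5.1.0"), ("Enterprise Manager", "3.1.2")]
    for product, version in inventory:
        status, detail = assess(product, version)
        print("%-20s %-10s %-12s %s" % (product, version, status, detail))
```

A version that is not listed is reported as "not listed" rather than "not
vulnerable": the advisory states only which versions have been evaluated and
found vulnerable, so an unlisted version (for example 13.1.1 or 14.1.0) should
be checked against a later revision of K29146534 rather than assumed safe.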
Mitigation

None

Supplemental Information

o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
  systems (11.4.x and later)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
o K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information is
still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW9qEsWaOgq3Tt24GAQjdNBAApFjjtpkQEHCoSfRitSrSTuhJhNFG4me+
0qTIukTlYuYIEwE4YWXRHErq2iWHIEIA3oy/gPuS0dwmsHXa/nh15YaGnC7KeiIE
+ouKBK83t5UuDQf+pQX/mbgdUGEuNJMYtu63NEDE62nFjDMHAJQ7dtMCixYPK0yC
5D/3m92zFPej5UgrW1xKp+IrGHE/BrRTG2ihcOP77owgqTh4HGu8J+QzyiMvfU4H
9vsO5lMVVDjdrGwvMu8Kch9+iN9PnJAfE/z3wYkfijrsc3DkABeljYeD4Y3LOtvW
MQpT+dT1cNHaSLaK4tsBF29erMLN4W7bWjIQpSAjyu9Zk/8E1RNZTiEWH9qrGeMa
LTWdwkxAjziDmvSPdcuF4kUeOGFC3X3sj3TwaFRVwA52DvhxIr5kdU8ESSM8SL/9
XWRlbBvUaBs1x70JIxIN4jbkJwC86otHqIGTmPigK1tuHykHtfd+LkmLIJI79jIq
zZq6pNkbq/iWXnaNKvzUikyazMd10NT394piIhHY/DH1Z2kp9CtD+lrmREtTK/Go
gJ4Z0igAk0Y14GZYOYyuctZi74A62sS7M8BEnzCkVWYKaGiBaLHjSlHbTnULXkny
aq/pbq5mBgvJmjqPMKNMntlH9zSUCWZpRsWZN4NFn1YGpD524xbX/o12La5Yznpe
UKhR3xgpaJY=
=+thG
-----END PGP SIGNATURE-----