===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0942
     ICMP PMTU messages are forwarded to the server side when the TCP
          proxy-mss setting is enabled in the associated profile
                               22 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
  https://support.f5.com/csp/article/K52510343

--------------------------BEGIN INCLUDED TEXT--------------------

K52510343: ICMP PMTU messages are forwarded to the server side when the TCP
proxy-mss setting is enabled in the associated profile

Security Advisory

Original Publication Date: 22 Mar, 2019

Security Advisory Description

This issue occurs when all of the following conditions are met:

  o Internet Control Message Protocol (ICMP) path maximum transmission unit
    (PMTU) messages are forwarded through the BIG-IP system running on the
    affected versions.
  o OneConnect or SNAT is configured and actively in use.

This exposure varies, depending on the BIG-IP version. It is important to
note that only 12.1.x and 13.0.x are vulnerable by default.

The tm.tcp.enforcepathmtu system database key is added in 11.5.9, 11.6.4,
12.1.3.6, 13.0.1, and 13.1.0, which allows you to mitigate this issue. For
more information, refer to the Workaround section.

In 11.5.1 through 11.5.8, 11.6.1 through 11.6.3.4, and 12.0.0, the proxy-mss
option is disabled by default in the TCP profile. These versions are not
vulnerable by default. If the proxy-mss option is enabled, the system is
vulnerable.
The proxy-mss option is enabled by default beginning in 12.1.0:

  o 12.1.0 through 12.1.3.5 and 13.0.0 are vulnerable if the proxy-mss
    option remains enabled.
  o In 12.1.3.6 and later within the 12.1.x branch, and 13.0.1, the
    tm.tcp.enforcepathmtu system database key is enabled by default to avoid
    a behavioral change. These versions are vulnerable by default.
  o In 13.1.0 and later, the tm.tcp.enforcepathmtu system database key is
    disabled by default. These versions are not vulnerable by default. If
    tm.tcp.enforcepathmtu is enabled, the system is vulnerable.

Impact

This issue potentially exposes the affected BIG-IP system to MTU cache
poisoning.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o Forwarding ICMP PMTU messages through the BIG-IP system can negatively
    impact performance if OneConnect or SNAT functionality is configured and
    active.

Security Advisory Status

F5 Product Development has assigned ID 643034 to this issue.

F5 has confirmed that this issue exists in the products listed in the Applies
to (see versions) box, located in the upper-right corner of this article. For
information about releases, point releases, or hotfixes that resolve this
issue, refer to the following table.

+------------------+------------------+---------------------------------------+
|Type of fix       |Fixes introduced  |Related articles                       |
|                  |in                |                                       |
+------------------+------------------+---------------------------------------+
|                  |13.1.0            |                                       |
|                  |13.0.1^1          |K2200: Most recent versions of F5      |
|Release           |12.1.3.6^1        |software                               |
|                  |11.6.4            |                                       |
|                  |11.5.9            |                                       |
+------------------+------------------+---------------------------------------+
|Point release/    |None              |None                                   |
|hotfix            |                  |                                       |
+------------------+------------------+---------------------------------------+

^1 These fixed versions have the tm.tcp.enforcepathmtu system database key
enabled by default, and the BIG-IP system is exposed to this issue.
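The per-version exposure rules above, folded into a small triage helper (an added example, not F5 or AusCERT code): given a BIG-IP version, the tm.tcp.enforcepathmtu key state and the TCP profile's proxy-mss setting, it reports whether the system is exposed and which workaround procedure from the Workaround section applies (Procedure 1 disables the key, Procedure 2 disables proxy-mss). It assumes that on 11.5.9 and 11.6.4, where the advisory offers either procedure, both settings must be enabled for the system to be exposed.

```python
"""Triage helper for F5 K52510343 / ID 643034 (added example, not F5 code).
Procedure 1 = disable the tm.tcp.enforcepathmtu db key;
Procedure 2 = disable proxy-mss in the TCP profile."""
from typing import Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """'12.1.3.6' -> (12, 1, 3, 6); shorter strings are zero-padded."""
    parts = tuple(int(p) for p in s.split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad BIG-IP version: {s!r}")
    return parts + (0,) * (4 - len(parts))


def _between(v: Tuple[int, ...], lo: str, hi: str) -> bool:
    return parse_version(lo) <= v <= parse_version(hi)


def assess(version: str, enforcepathmtu: bool, proxy_mss: bool) -> dict:
    """Return {'exposed': bool or None, 'procedures': tuple, 'note': str}.

    enforcepathmtu: tm.tcp.enforcepathmtu value; pass False on versions
        that predate the key (before 11.5.9 / 11.6.4 / 12.1.3.6 / 13.0.1).
    proxy_mss: proxy-mss setting of the TCP profile on the virtual server.
    """
    v = parse_version(version)
    # 13.1.0+, 13.0.1, 12.1.3.6+ within 12.1.x: exposure follows the db key
    # (enabled by default on 13.0.1 and 12.1.3.6+, disabled on 13.1.0+).
    if v >= (13, 1, 0, 0) or v == (13, 0, 1, 0) or \
            (v[:2] == (12, 1) and v >= (12, 1, 3, 6)):
        return {"exposed": enforcepathmtu, "procedures": (1,) if enforcepathmtu else (),
                "note": "exposure is controlled by tm.tcp.enforcepathmtu"}
    # 13.0.0 and 12.1.0-12.1.3.5: no db key, proxy-mss enabled by default.
    if v == (13, 0, 0, 0) or _between(v, "12.1.0", "12.1.3.5"):
        return {"exposed": proxy_mss, "procedures": (2,) if proxy_mss else (),
                "note": "proxy-mss is enabled by default; vulnerable unless disabled"}
    # 11.6.4 and 11.5.9: proxy-mss off by default, db key present. The advisory
    # offers either procedure, so (assumption) both must be on to be exposed.
    if v in ((11, 6, 4, 0), (11, 5, 9, 0)):
        exposed = proxy_mss and enforcepathmtu
        return {"exposed": exposed, "procedures": (1, 2) if exposed else (),
                "note": "exposed only with proxy-mss and the db key both enabled"}
    # 12.0.0, 11.6.1-11.6.3.4, 11.5.1-11.5.8: no db key, proxy-mss off by default.
    if v == (12, 0, 0, 0) or _between(v, "11.6.1", "11.6.3.4") or \
            _between(v, "11.5.1", "11.5.8"):
        return {"exposed": proxy_mss, "procedures": (2,) if proxy_mss else (),
                "note": "exposed only if a customised profile enables proxy-mss"}
    return {"exposed": None, "procedures": (), "note": "version not in the advisory's table"}
```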
You can work around this issue by performing the procedure to disable the
affected database key in the Workaround section.

Security Advisory Recommended Actions

Workaround

To work around this issue, you can perform the following procedures:

Impact of workaround: Performing the following procedures should not have a
negative impact on your system.

  o Disabling the tm.tcp.enforcepathmtu system database key on the versions
    that have the database key enabled by default.
  o Disabling the proxy-mss option in the associated profile for the TCP
    virtual server.

Alternatively, you can disable MTU caching on the associated pool member's
back-end server.

To perform the correct procedure for your affected version, refer to the
following table.

+---------------------+-------------------------------------------------------+
|BIG-IP versions      |Recommended procedure                                  |
+---------------------+-------------------------------------------------------+
|                     |Ensure the tm.tcp.enforcepathmtu system database key   |
|13.1.0 and later     |has not been enabled.                                  |
|                     |If it is enabled, refer to Procedure 1.                |
+---------------------+-------------------------------------------------------+
|13.0.1               |                                                       |
|12.1.3.6 and later   |Disable the tm.tcp.enforcepathmtu system database key. |
|within the 12.1.x    |Refer to Procedure 1.                                  |
|branch               |                                                       |
+---------------------+-------------------------------------------------------+
|13.0.0               |Disable the proxy-mss option in the TCP profile.       |
|12.1.0 - 12.1.3.5    |Refer to Procedure 2.                                  |
+---------------------+-------------------------------------------------------+
|                     |If you have the associated profile customized with the |
|                     |proxy-mss setting enabled, you can perform either      |
|                     |procedure:                                             |
|11.6.4               |                                                       |
|11.5.9               |  o Disable the proxy-mss option by referring to       |
|                     |    Procedure 2.                                       |
|                     |  o Disable the tm.tcp.enforcepathmtu system database  |
|                     |    key by referring to Procedure 1.                   |
+---------------------+-------------------------------------------------------+
|12.0.0               |If you have the associated profile customized with the |
|11.6.1 - 11.6.3.4    |proxy-mss setting enabled, you can disable it.         |
|11.5.1 - 11.5.8      |Refer to Procedure 2.                                  |
+---------------------+-------------------------------------------------------+

Procedure 1: Disabling the tm.tcp.enforcepathmtu system database key

To disable the system database key, type the following tmsh command:

  modify /sys db tm.tcp.enforcepathmtu value "disable"

Procedure 2: Disabling the proxy-mss option in the TCP profile

To disable the proxy-mss option in the associated profile, use the following
tmsh command syntax:

  modify /ltm profile <Profile-Type> <Profile-Name> proxy-mss disabled

For example, to disable the proxy-mss option in a TCP profile named
example123, type the following command:

  modify /ltm profile tcp example123 proxy-mss disabled

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 13.x)
  o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
    systems (11.4.x and later)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.