Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.0942
ICMP PMTU messages are forwarded to the server side when the TCP proxy-mss
setting is enabled in the associated profile
22 March 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: F5 BIG-IP products
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Resolution: Patch/Upgrade
Original Bulletin:
https://support.f5.com/csp/article/K52510343
- --------------------------BEGIN INCLUDED TEXT--------------------
K52510343:ICMP PMTU messages are forwarded to the server side when the TCP proxy-mss setting is enabled in the associated profile
Security Advisory
Original Publication Date: 22 Mar, 2019
Security Advisory Description
This issue occurs when all of the following conditions are met:
o Internet Control Message Protocol (ICMP) path maximum transmission unit
(PMTU) messages are forwarded through the BIG-IP system running on the
affected versions.
o OneConnect or SNAT is configured and actively in use.
This exposure varies, depending on the BIG-IP version. It is important to note
that only 12.1.x and 13.0.x are vulnerable by default. The
tm.tcp.enforcepathmtu system database key is added in 11.5.9, 11.6.4, 12.1.3.6,
13.0.1, and 13.1.0, which allows you to mitigate this issue. For more
information, refer to the Workaround section.
In 11.5.1 through 11.5.8, 11.6.1 through 11.6.3.4, and 12.0.0, the proxy-mss
option is disabled by default in the TCP profile. These versions not vulnerable
by default. If the proxy-mss option is enabled, the system is vulnerable.
The proxy-mss option is enabled by default beginning in 12.1.0:
o 12.1.0 through 12.1.3.5 and 13.0.0 are vulnerable if the proxy-mss option
remains enabled.
o In 12.1.3.6 and later within the 12.1.x branch, and 13.0.1, the
tm.tcp.enforcepathmtu system database key is enabled by default to avoid a
behavioral change. These versions are vulnerable by default.
o In 13.1.0 and later, the tm.tcp.enforcepathmtu system database key is
disabled by default. These versions are not vulnerable by default. If
tm.tcp.enforcepathmtu is enabled, the system is vulnerable.
Impact
This issue potentially exposes the affected BIG-IP system to MTU cache
poisoning.
Symptoms
As a result of this issue, you may encounter the following symptom:
o Forwarding ICMP PMTU messages through the BIG-IP system can negatively
impact performance if OneConnect or SNAT functionality is configured and
active.
Security Advisory Status
F5 Product Development has assigned ID 643034 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.
+------------------+------------------+---------------------------------------+
|Type of fix |Fixes introduced |Related articles |
| |in | |
+------------------+------------------+---------------------------------------+
| |13.1.0 | |
| |13.0.1^1 |K2200: Most recent versions of F5 |
|Release |12.1.3.6^1 |software |
| |11.6.4 | |
| |11.5.9 | |
+------------------+------------------+---------------------------------------+
|Point release/ |None |None |
|hotfix | | |
+------------------+------------------+---------------------------------------+
^1These fixed versions have the tm.tcp.enforcepathmtu system database key
enabled by default, and the BIG-IP system is exposed to this issue. You can
work around this issue by performing the procedure to disable the affected
database key in the Workaround section.
Security Advisory Recommended Actions
Workaround
To work around this issue, you can perform the following procedures:
Impact of workaround: Performing the following procedures should not have a
negative impact on your system.
o Disabling the tm.tcp.enforcepathmtu system database key on the versions
that have the database key enabled by default.
o Disabling the proxy-mss option in the associated profile for the
TCP virtual server. Alternatively, you can disable MTU caching on the
associated pool member's back-end server.
To perform the correct procedure for your affected version, refer to the
following table.
+---------------------+-------------------------------------------------------+
|BIG-IP versions |Recommended procedure |
+---------------------+-------------------------------------------------------+
| |Ensure the tm.tcp.enforcepathmtu system database key |
|13.1.0 and later |has not been enabled. |
| |If it is enabled, refer to Procedure 1. |
+---------------------+-------------------------------------------------------+
|13.0.1 | |
|12.1.3.6 and later |Disable the tm.tcp.enforcepathmtu system database key. |
|within the 12.1.x |Refer to Procedure 1. |
|branch | |
+---------------------+-------------------------------------------------------+
|13.0.0 |Disable the proxy-mss option in the TCP profile. |
|12.1.0 - 12.1.3.5 |Refer to Procedure 2. |
+---------------------+-------------------------------------------------------+
| |If you have the associated profile customized with the |
| |proxy-mss setting enabled, you can perform either |
| |procedure: |
|11.6.4 | |
|11.5.9 | o Disable the proxy-mss option by referring to |
| | Procedure 2. |
| | o Disable the tm.tcp.enforcepathmtu system database |
| | key by referring to Procedure 1. |
+---------------------+-------------------------------------------------------+
|12.0.0 |If you have the associated profile customized with the |
|11.6.1 - 11.6.3.4 |proxy-mss setting enabled, you can disable it. |
|11.5.1 - 11.5.8 |Refer to procedure 2. |
+---------------------+-------------------------------------------------------+
Procedure 1: Disabling the tm.tcp.enforcepathmtu system database key
To disable the system database key, type the following tmsh command:
modify /sys db tm.tcp.enforcepathmtu value "disable"
Procedure 2: Disabling the proxy-mss option in the TCP profile
To disable the proxy-mss option in the associated profile, use the following
tmsh command syntax:
modify /ltm profile <Profile-Type> <Profile-Name> proxy-mss disabled
For example, to disable a TCP profile named example123, type the following
command:
modify /ltm profile tcp example123 proxy-mss disabled
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of AskF5 Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 13.x)
o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
systems (11.4.x and later)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXJRLsGaOgq3Tt24GAQh4rBAAuJab561IHRzcKyoAohcPwd4jWS7Bzkzd
r8v+L2ZRI8MbuxC+sYvh+GshnqebKwioIjvb/AIRM+ASjXoTKG1pOEdZ26fLYpmb
+YXDeQeu3mTWz2goOgFHHWUOzIXOymd0bYQokUoChlryROziU0jFfNIg85o4vLHC
WoBueRwAxYlRiKmBSIuNSRcQFpK+d26Tokw8FY5JZgDdWRS9cgqW03aObGfzQyMZ
PTSADTX9U1oH4XkIwTDZoZ0MaWwGg1P/bXinyCwSJ5/IFMYGK0dvn9TGVl1JzbBS
HPUjqfAnjuB8grtspP0qlfla4nhp3KUe/Zt4oPDyyVGH2kV9LrZKRt6lrY97FF11
1A8Ms99yfRbqxblOY3zb0LjbVgAhTGweYeKi4GZyLzWZRWfPBaP752DU8NXCdjqv
oVia96TrjMCvOqoCtRcIUAEBCcMKbWR5scprWF2BWZo2G0oLDDGv9TKIxjupeJfH
Z9ZuPi9sn1GfHj6SVXPBXzl+9YNiD7RjUFyCohaeOYTYYZcWtZY66C6O2BFIXkfr
xq47fjOZZ4NP9ScGTfOh1rLxcZSFzkNOjyY2Z1UazASFjEqbKnLuStiDPpWGIBpE
uL7b9OB5G6dlqagX9Ca8i0WGyn+cd1ua3P7VhIpMiwqoVLmDQ3trw8A5H6g/Cw8f
lmY9Ar+/ZZg=
=6W07
-----END PGP SIGNATURE-----