
             AUSCERT External Security Bulletin Redistribution

               NGINX Controller vulnerability CVE-2020-5864
                               23 April 2020


        AusCERT Security Bulletin Summary

Product:           NGINX Controller
                   NGINX Plus
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
                   Access Confidential Data       -- Remote with User Interaction
                   Reduced Security               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-5864  

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

K27205552:NGINX Controller vulnerability CVE-2020-5864 

Security Advisory

Original Publication Date: 23 Apr, 2020

Security Advisory Description

Communication between NGINX Controller and NGINX Plus instances skips TLS
verification by default. (CVE-2020-5864)


This vulnerability enables a man-in-the-middle (MITM) attack that can intercept
the communication channel and read/modify data in transit.

Security Advisory Status

F5 Product Development has assigned IND-5899 (NGINX) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

|Product                       |Branch|Versions known to|Fixes introduced|Severity      |CVSSv3 |Vulnerable component  |
|                              |      |be vulnerable    |in              |              |score^1|or feature            |
|------------------------------|------|-----------------|----------------|--------------|-------|----------------------|
|BIG-IP (LTM, AAM, AFM,        |15.x  |None             |Not applicable  |Not vulnerable|None   |None                  |
|Analytics, APM, ASM, DNS, FPS,|14.x  |None             |Not applicable  |              |       |                      |
|GTM, Link Controller, PEM)    |13.x  |None             |Not applicable  |              |       |                      |
|                              |12.x  |None             |Not applicable  |              |       |                      |
|                              |11.x  |None             |Not applicable  |              |       |                      |
|------------------------------|------|-----------------|----------------|--------------|-------|----------------------|
|BIG-IQ Centralized Management |7.x   |None             |Not applicable  |Not vulnerable|None   |None                  |
|                              |6.x   |None             |Not applicable  |              |       |                      |
|                              |5.x   |None             |Not applicable  |              |       |                      |
|------------------------------|------|-----------------|----------------|--------------|-------|----------------------|
|Traffix SDC                   |5.x   |None             |Not applicable  |Not vulnerable|None   |None                  |
|------------------------------|------|-----------------|----------------|--------------|-------|----------------------|
|NGINX Controller              |3.x   |3.0.0 - 3.1.0    |3.2.0           |High          |7.4    |NGINX Controller Agent|
|                              |2.x   |2.0.0 - 2.9.0    |None            |              |       |                      |
|                              |1.x   |1.0.1            |None            |              |       |                      |

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.


Ensure your NGINX Controller and NGINX Agent endpoints are running on secure
and trusted networks that are not susceptible to MITM attacks.

Upgrading NGINX Controller and Controller Agent

If you are considering upgrading to a non-vulnerable version, take note of the
following important upgrade information:

If no certificate is provided, the NGINX Controller installer generates a
self-signed certificate for the Controller, and the CA certificate used to sign
the key is discarded after the installation is complete. As a result, there is
no option to verify the self-signed certificate on the data plane instances,
and the communication between the NGINX Controller and data plane instances
will skip TLS verification by default.

This is not recommended for production environments and should only be used in
non-production test environments.

Note: While this vulnerability is fixed in 3.2.0, you should upgrade NGINX
Controller to 3.3.0 or later. Upgrading to 3.2.0 requires further manual
configuration changes.  

Impact of procedure: You should perform this procedure during a planned
production outage.

First, update the NGINX Controller to 3.3.0 or later on the NGINX Controller
host.

For instructions, refer to the Updating the NGINX Controller section of the
NGINX Controller Installation Guide v3.

Second, uninstall and re-install the NGINX Controller Agents by performing the
following procedure:

 1. Create a backup of your Controller Agent configuration file by entering the
    following command:

    cp /etc/controller-agent/agent.conf /etc/controller-agent/agent.conf.backup

 2. Uninstall the Controller Agent by following the instructions in the NGINX
    Controller Agent Installation Guide, which is available on your NGINX
    Controller host:  


    Note: Deleting the NGINX Instance on the NGINX Controller is not required
    or recommended.

 3. Install the new Controller Agent on the NGINX Plus instance by following
    the instructions in the NGINX Controller Agent Installation Guide, which is
    available in the onboard documentation:


 4. Restore previous Controller Agent configurations as needed.

    Note: Do not restore the existing Controller Agent configuration in the
    [cloud] section of the backup agent.conf file you created; doing so will
    overwrite the TLS configurations required for secure communication with
    NGINX Controller.
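The restore in step 4 is the step where the fix is most easily undone: copying the whole backup over the new agent.conf would bring back the pre-3.2.0 [cloud] settings and with them the unverified TLS channel. The following is an added example (not F5 or NGINX tooling) of merging the step-1 backup into the freshly installed config while leaving [cloud] alone; it assumes agent.conf is INI-style, and the key names and values in the two sample configs are constructed for illustration, not documented Controller Agent settings.

```python
import configparser
import sys

# Section that must never be restored from the backup (step 4 note).
PROTECTED_SECTIONS = frozenset({"cloud"})

# Constructed sample: agent.conf as written by the new agent installer.
# Key names are invented for illustration, not documented agent settings.
NEW_CONF = """\
[cloud]
verify_ssl = True
ca_bundle = /etc/controller-agent/controller-ca.pem
[nginx]
configfile = /etc/nginx/nginx.conf
"""

# Constructed sample: the step-1 backup taken from the vulnerable agent.
BACKUP_CONF = """\
[cloud]
api_url = https://controller.example.internal:8443
verify_ssl = False
[nginx]
configfile = /etc/nginx/nginx.conf
custom_setting = value
[extensions]
phpfpm = True
"""


def merge_agent_conf(new_conf_text, backup_text):
    """Copy backup sections into the new config; return (ConfigParser, skipped keys)."""
    new_cfg = configparser.ConfigParser()
    new_cfg.read_string(new_conf_text)
    old_cfg = configparser.ConfigParser()
    old_cfg.read_string(backup_text)

    skipped = []
    for section in old_cfg.sections():
        if section in PROTECTED_SECTIONS:
            # Record what was dropped so the operator can review it by hand.
            skipped.extend(f"{section}.{key}" for key in old_cfg[section])
            continue  # keep the installer's TLS settings untouched
        if not new_cfg.has_section(section):
            new_cfg.add_section(section)
        for key, value in old_cfg.items(section):
            new_cfg.set(section, key, value)
    return new_cfg, skipped


if __name__ == "__main__":
    merged, skipped = merge_agent_conf(NEW_CONF, BACKUP_CONF)
    print("not restored from backup:", skipped, file=sys.stderr)
    merged.write(sys.stdout)  # redirect to agent.conf after review
```

Run it against the real files by reading /etc/controller-agent/agent.conf and agent.conf.backup into the two arguments instead of the constructed strings; anything listed as skipped must be re-entered against the new agent's documented TLS settings rather than pasted back.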

Supplemental Information

o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967