F5 Networks BIG-IP : OpenSSL vulnerability (K15325)

high Nessus Plugin ID 78174

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the 'CCS Injection' vulnerability.
(CVE-2014-0224)

Impact

An attacker may be able to decrypt and modify traffic between a client and a server. OpenSSL clients may be vulnerable to a man-in-the-middle (MITM) attack when connecting to a server running OpenSSL 1.0.1 or 1.0.2. For information about vulnerable components or features, refer to the following section.

Server-side impact for F5 products

The server-side components are vulnerable in the event that an attacker is able to launch an MITM attack between a client and an affected server component.

BIG-IP 11.5.0 through 11.5.1 contains the following vulnerable server-side code :

COMPAT SSL ciphers are vulnerable. Virtual servers using a Client SSL profile configured to use ciphers from the COMPAT SSL stack are vulnerable to this attack (the BIG-IP Client SSL profile enables the BIG-IP system to accept and terminate client requests that are sent using the SSL protocol; in this context, the BIG-IP functions as an SSL server, handling incoming SSL traffic). Note : NATIVE SSL ciphers on affected versions are not vulnerable. However, some vulnerability scanners may generate false positive reports when run against BIG-IP virtual servers that are configured to use ciphers supported by the NATIVE SSL stack. This includes all ciphers enabled by the default cipher string.

Note: On non-vulnerable versions, the third-party nmap script, ssl-ccs-injection.nse , may return a false positive vulnerable report if the Generic Alert option of the Client SSL profile is enabled (enabled by default). You can safely ignore this result and it does not indicate that the BIG-IP virtual server is vulnerable, but is an artifact of the basic check performed by the nmap script. F5 does not recommend disabling generic alerts because they provide a significant security advantage compared tothe potential small disadvantage of this false positive report.

The Configuration utility and other services, such as iControl, are vulnerable.

The big3d process included with BIG-IP GTM 11.5.0 and 11.5.1 is vulnerable. In addition, monitored BIG-IP systems whose big3d process was updated by an affected BIG-IP GTM system are also vulnerable.

Client-side impact for F5 products

Connections that a vulnerable F5 device initiates (as a client) are at risk in the event that an attacker gains access to the traffic between the F5 device and the server (for example, BIG-IP system and pool members), and the server with which the F5 device is communicating is running a vulnerable version of OpenSSL.

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K15325.

See Also

https://support.f5.com/csp/article/K15325

Plugin Details

Severity: High

ID: 78174

File Name: f5_bigip_SOL15325.nasl

Version: 1.12

Type: local

Published: 10/10/2014

Updated: 3/10/2021

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.7

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS v3

Risk Factor: High

Base Score: 7.4

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_access_policy_manager, cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/a:f5:big-ip_application_acceleration_manager, cpe:/a:f5:big-ip_application_security_manager, cpe:/a:f5:big-ip_application_visibility_and_reporting, cpe:/a:f5:big-ip_global_traffic_manager, cpe:/a:f5:big-ip_link_controller, cpe:/a:f5:big-ip_local_traffic_manager, cpe:/a:f5:big-ip_policy_enforcement_manager, cpe:/h:f5:big-ip

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/15/2015

Vulnerability Publication Date: 6/5/2014

Exploitable With

Core Impact

Reference Information

CVE: CVE-2014-0224

BID: 67899