A BIG-IP virtual server configured with a Client SSL profile may be vulnerable to a chosen ciphertext attack against CBC ciphers. When exploited, this may result in plaintext recovery of encrypted messages through a man-in-the-middle (MITM) attack, despite the attacker not having gained access to the server’s private key itself. (CVE-2019-6593 also known as Zombie POODLE and GOLDENDOODLE)
Impact
Exploiting this vulnerability to perform plaintext recovery of encrypted data may reveal session authentication cookies similar to CVE-2014-3566 (POODLE). Only TLS sessions established using CBC mode encryption are vulnerable to this attack.
To exploit this vulnerability, the attacker must have a privileged network position to intercept controlled HTTPS requests, which are generally initiated via JavaScript originating in any browser context.