7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
7.5 High
AI Score
Confidence
High
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.974 High
EPSS
Percentile
99.9%
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the “CCS Injection” vulnerability. (CVE-2014-0224)
Impact
An attacker may be able to decrypt and modify traffic between a client and a server. OpenSSL clients may be vulnerable to a man-in-the-middle (MITM) attack when connecting to a server running OpenSSL 1.0.1 or 1.0.2. For information about vulnerable components or features, refer to the following section.
Server-side impact for F5 products
The server-side components are vulnerable in the event that an attacker is able to launch an MITM attack between a client and an affected server component.
BIG-IP 11.5.0 through 11.5.1 contains the following vulnerable server-side code:
Note: NATIVE SSL ciphers on affected versions are not vulnerable. However, some vulnerability scanners may generate false positive reports when run against BIG-IP virtual servers that are configured to use ciphers supported by the NATIVE SSL stack. This includes all ciphers enabled by the default cipher string.
Note: On non-vulnerable versions, the third partynmapscript,ssl-ccs-injection.nse, may return a false positive vulnerable report if theGeneric Alertoption of the Client SSL profile is enabled (enabled by default). You can safely ignore this result and it does not indicate that the BIG-IP virtual server is vulnerable, but is an artifact of the basic check performed by thenmap script. F5 does not recommend disabling generic alerts because they provide a significant security advantage compared to the potential small disadvantage of this false positive report.
Client-side impact for F5 products
Connections that a vulnerable F5 device initiates (as a client) are at risk in the event that an attacker gains access to the traffic between the F5 device and the server (for example, BIG-IP system and pool members), and the server with which the F5 device is communicating is running a vulnerable version of OpenSSL.
CPE | Name | Operator | Version |
---|---|---|---|
big-ip afm | eq | 11.3.0 | |
big-ip afm | eq | 11.4.0 | |
big-ip afm | eq | 11.4.1 | |
big-ip afm | eq | 11.5.0 | |
big-ip afm | eq | 11.5.1 | |
big-ip afm | eq | 11.5.2 | |
big-ip afm | eq | 11.5.3 | |
big-ip afm | eq | 11.6.0 | |
big-ip afm | eq | 12.0.0 | |
big-ip analytics | eq | 11.0.0 |
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
7.5 High
AI Score
Confidence
High
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.974 High
EPSS
Percentile
99.9%