TLS vulnerability CVE-2015-4000

2015-05-22T01:25:00
ID F5:K16674
Type f5
Reporter f5
Modified 2018-06-25T23:59:00

Description

F5 Product Development has assigned ID 524279 (BIG-IP), ID 525279 (BIG-IQ), and ID 525280 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. In addition, BIG-IP iHealth lists Heuristic H524636 on the Diagnostics > Identified > Medium page.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature
---|---|---|---|---
BIG-IP LTM | 11.0.0 - 11.6.3<br>10.1.0 - 10.2.4 | 12.0.0<br>11.6.3.2<br>11.5.4 HF4 | Medium | Configuration utility¹<br>Client SSL profile with COMPAT, EXP, or EXPORT ciphers enabled<br>Server SSL profile or HTTPS health monitor using EXPORT or DHE cipher suites<br>SSL Forward Proxy using EXPORT or DHE cipher suites
BIG-IP AAM | 11.4.0 - 11.6.3 | 12.0.0<br>11.6.3.2<br>11.5.4 HF4 | Medium | Client SSL profile with COMPAT, EXP, or EXPORT ciphers enabled<br>Server SSL profile or HTTPS health monitor using EXPORT or DHE cipher suites<br>SSL Forward Proxy using EXPORT or DHE cipher suites
BIG-IP AFM | 11.3.0 - 11.6.3 | 12.0.0<br>11.6.3.2<br>11.5.4 HF4 | Medium | Client SSL profile with COMPAT, EXP, or EXPORT ciphers enabled<br>Server SSL profile or HTTPS health monitor using EXPORT or DHE cipher suites<br>SSL Forward Proxy using EXPORT or DHE cipher suites
BIG-IP Analytics | 11.0.0 - 11.6.3 | 12.0.0<br>11.6.3.2<br>11.5.4 HF4 | Medium | Client SSL profile with COMPAT, EXP, or EXPORT ciphers enabled<br>Server SSL profile or HTTPS health monitor using EXPORT or DHE cipher suites<br>SSL Forward Proxy using EXPORT or DHE cipher suites
BIG-IP APM | 11.0.0 - 11.6.3<br>10.1.0 - 10.2.4 | 12.0.0<br>11.6.3.2<br>11.5.4 HF4 | Medium | Configuration utility¹<br>Client SSL profile with COMPAT, EXP, or EXPORT ciphers enabled<br>Server SSL profile or HTTPS health monitor using EXPORT or DHE cipher suites<br>SSL Forward Proxy using EXPORT or DHE cipher suites
BIG-IP ASM | 11.0.0 - 11.6.3<br>10.1.0 - 10.2.4 | 12.0.0<br>11.6.3.2<br>11.5.4 HF4 | Medium | Configuration utility¹<br>Client SSL profile with COMPAT, EXP, or EXPORT ciphers enabled<br>Server SSL profile or HTTPS health monitor using EXPORT or DHE cipher suites<br>SSL Forward Proxy using EXPORT or DHE cipher suites
BIG-IP DNS | None | 12.0.0 | Not vulnerable | None
BIG-IP Edge Gateway | 11.0.0 - 11.3.0<br>10.1.0 - 10.2.4 | None | Medium | Configuration utility¹<br>Client SSL profile with COMPAT, EXP, or EXPORT ciphers enabled<br>Server SSL profile or HTTPS health monitor using EXPORT or DHE cipher suites<br>SSL Forward Proxy using EXPORT or DHE cipher suites
BIG-IP GTM | 11.0.0 - 11.6.3<br>10.1.0 - 10.2.4 | 11.6.3.2<br>11.5.4 HF4 | Medium | Configuration utility¹<br>Client SSL profile with COMPAT, EXP, or EXPORT ciphers enabled<br>Server SSL profile or HTTPS health monitor using EXPORT or DHE cipher suites<br>SSL Forward Proxy using EXPORT or DHE cipher suites
BIG-IP Link Controller | 11.0.0 - 11.6.3<br>10.1.0 - 10.2.4 | 12.0.0<br>11.6.3.2<br>11.5.4 HF4 | Medium | Configuration utility¹<br>Client SSL profile with COMPAT, EXP, or EXPORT ciphers enabled<br>Server SSL profile or HTTPS health monitor using EXPORT or DHE cipher suites<br>SSL Forward Proxy using EXPORT or DHE cipher suites
BIG-IP PEM | 11.3.0 - 11.6.3 | 12.0.0<br>11.6.3.2<br>11.5.4 HF4 | Medium | Client SSL profile with COMPAT, EXP, or EXPORT ciphers enabled<br>Server SSL profile or HTTPS health monitor using EXPORT or DHE cipher suites<br>SSL Forward Proxy using EXPORT or DHE cipher suites
BIG-IP PSM | 11.0.0 - 11.4.1<br>10.1.0 - 10.2.4 | None | Medium | Configuration utility¹<br>Client SSL profile with COMPAT, EXP, or EXPORT ciphers enabled<br>Server SSL profile or HTTPS health monitor using EXPORT or DHE cipher suites<br>SSL Forward Proxy using EXPORT or DHE cipher suites
BIG-IP WebAccelerator | 11.0.0 - 11.3.0<br>10.1.0 - 10.2.4 | None | Medium | Configuration utility¹<br>Client SSL profile with COMPAT, EXP, or EXPORT ciphers enabled<br>Server SSL profile or HTTPS health monitor using EXPORT or DHE cipher suites<br>SSL Forward Proxy using EXPORT or DHE cipher suites
BIG-IP WOM | 11.0.0 - 11.3.0<br>10.1.0 - 10.2.4 | None | Medium | Configuration utility¹<br>Client SSL profile with COMPAT, EXP, or EXPORT ciphers enabled<br>Server SSL profile or HTTPS health monitor using EXPORT or DHE cipher suites<br>SSL Forward Proxy using EXPORT or DHE cipher suites
ARX | 6.0.0 - 6.4.0 | None | Medium | ARX GUI
Enterprise Manager | 2.1.0 - 2.3.0 | 3.0.0 - 3.1.1 | Medium | Configuration utility
FirePass | None | 7.0.0<br>6.0.0 - 6.1.0 | Not vulnerable | None
BIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None
BIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None
BIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None
BIG-IQ ADC | None | 4.5.0 | Not vulnerable | None
LineRate | None | 2.4.0 - 2.6.0 | Not vulnerable | None
F5 WebSafe | None | 1.0.0 | Not vulnerable | None
Traffix SDC | 4.0.0 - 4.1.0<br>3.3.2 - 3.5.1 | None | Low | SDC configuration with EXPORT grade ciphers
BIG-IP Edge Clients for Android | None | 2.0.0 - 2.0.7 | Not vulnerable | None
BIG-IP Edge Clients for Apple iOS | None | 2.0.0 - 2.0.4<br>1.0.5 - 1.0.6 | Not vulnerable | None
BIG-IP Edge Clients for Linux | None | 6035.x - 7110.x | Not vulnerable | None
BIG-IP Edge Clients for MAC OS X | None | 6035.x - 7110.x | Not vulnerable | None
BIG-IP Edge Clients for Windows | None | 6035.x - 7110.x | Not vulnerable | None
BIG-IP Edge Clients Windows Phone 8.1 | None | 1.0.0 - 1.1.0 | Not vulnerable | None
BIG-IP Edge Portal for Android | None | 1.0.0 - 1.0.2 | Not vulnerable | None
BIG-IP Edge Portal for Apple iOS | None | 1.0.0 - 1.0.3 | Not vulnerable | None

¹ The Configuration utility is vulnerable in BIG-IP 10.1.0 through 10.2.4 only.

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

BIG-IP

11.x

Client SSL profiles are not vulnerable in a default configuration. If you have configured custom Client SSL profiles, you can mitigate this vulnerability by configuring your Client SSL profile to exclude COMPAT, EXP, and EXPORT ciphers. To do so, refer to K13171: Configuring the cipher strength for SSL profiles (11.x).

BIG-IP systems configured with Server SSL profiles or HTTPS health monitors are vulnerable as a client when they use EXPORT or DHE cipher suites and the backend server supports EXPORT ciphers. To mitigate this issue, disable the use of EXPORT and DHE cipher suites. Adding !EXPORT, !COMPAT, and !DHE to the cipher string in use does this. If a custom cipher string is in use, it must disable both export-grade and non-export-grade DHE to mitigate this issue.

BIG-IP systems configured for SSL Forward Proxy are vulnerable as a client when they use EXPORT or DHE cipher suites and the backend server supports EXPORT ciphers. To mitigate this issue, disable the use of EXPORT and DHE cipher suites. Adding !EXPORT, !COMPAT, and !DHE to the cipher string in use does this. If a custom cipher string is in use, it must disable both export-grade and non-export-grade DHE to mitigate this issue.

10.x

Client SSL profiles are not vulnerable in a default configuration. If you have configured custom Client SSL profiles, you can mitigate this vulnerability by configuring your Client SSL profile to exclude COMPAT, EXP, and EXPORT ciphers. To do so, refer to K7815: Configuring the cipher strength for SSL profiles (9.x - 10.x).

BIG-IP systems configured with Server SSL profiles or HTTPS health monitors are vulnerable as a client when they use EXPORT or DHE cipher suites and the backend server supports EXPORT ciphers. To mitigate this issue, disable the use of EXPORT and DHE cipher suites. Adding !EXPORT, !COMPAT, and !DHE to the cipher string in use does this. If a custom cipher string is in use, it must disable both export-grade and non-export-grade DHE to mitigate this issue.

To mitigate this vulnerability in the BIG-IP Configuration utility, you can modify the Apache server configuration to exclude EXP and EXPORT ciphers. The default SSL cipher string in your configuration may appear similar to the following:

ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

You can mitigate this vulnerability by using a string that excludes the EXPORT and EXP ciphers, similar to the following:

ALL:!ADH:!EXPORT:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2

For more information about restricting ciphers for Configuration utility access, refer to K6768: Restricting Configuration utility access to clients using high encryption SSL ciphers (9.x - 10.x).
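The mitigations above all come down to what an OpenSSL-style cipher string actually enables once its `!`, `-` and `+` rules are applied, and the advisory's caveat that `!EXPORT` alone does not remove non-export DHE is easy to miss. The following Python script is an added example, not F5's or OpenSSL's code: it models the cipher-string rules from the openssl ciphers manual (`ALL`, `!kill`, `-remove`, `+move-to-end`, `a+b` conjunction, `@STRENGTH`) over a small constructed table of real cipher-suite names with their documented properties, then reports which export-grade and DHE suites the "before" and "after" Configuration utility strings from this section, and a `DEFAULT:!EXPORT` versus `DEFAULT:!EXPORT:!DHE` server-side string, leave enabled. The `DEFAULT` expansion is a simplified assumption, the suite table is a subset, and the BIG-IP-specific `COMPAT` keyword is not modelled.

```python
"""Minimal model of OpenSSL cipher-string evaluation (added example, not F5 or
OpenSSL code). The suite table is a constructed subset of real suite names."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str        # key exchange: RSA or DH (ephemeral)
    au: str        # authentication: RSA or NONE (anonymous)
    enc: str       # bulk cipher: AES, 3DES, DES, RC4, NONE
    bits: int      # effective key bits
    mac: str       # SHA1 or MD5
    strength: str  # HIGH, MEDIUM, LOW, EXPORT or NONE
    export: bool = False


# Constructed subset of an OpenSSL 1.0.x suite list, in default preference order.
SUITES = [
    Suite("AES256-SHA", "RSA", "RSA", "AES", 256, "SHA1", "HIGH"),
    Suite("DHE-RSA-AES256-SHA", "DH", "RSA", "AES", 256, "SHA1", "HIGH"),
    Suite("AES128-SHA", "RSA", "RSA", "AES", 128, "SHA1", "HIGH"),
    Suite("DHE-RSA-AES128-SHA", "DH", "RSA", "AES", 128, "SHA1", "HIGH"),
    Suite("DES-CBC3-SHA", "RSA", "RSA", "3DES", 168, "SHA1", "HIGH"),
    Suite("RC4-SHA", "RSA", "RSA", "RC4", 128, "SHA1", "MEDIUM"),
    Suite("RC4-MD5", "RSA", "RSA", "RC4", 128, "MD5", "MEDIUM"),
    Suite("DES-CBC-SHA", "RSA", "RSA", "DES", 56, "SHA1", "LOW"),
    Suite("EXP1024-DES-CBC-SHA", "RSA", "RSA", "DES", 56, "SHA1", "EXPORT", True),
    Suite("EXP-DES-CBC-SHA", "RSA", "RSA", "DES", 40, "SHA1", "EXPORT", True),
    Suite("EXP-RC4-MD5", "RSA", "RSA", "RC4", 40, "MD5", "EXPORT", True),
    Suite("EXP-EDH-RSA-DES-CBC-SHA", "DH", "RSA", "DES", 40, "SHA1", "EXPORT", True),  # DHE_EXPORT
    Suite("ADH-AES128-SHA", "DH", "NONE", "AES", 128, "SHA1", "HIGH"),
    Suite("NULL-SHA", "RSA", "RSA", "NONE", 0, "SHA1", "NONE"),
]

# Alias -> predicate, following the openssl ciphers manual for these keywords.
ALIASES = {
    "ALL": lambda s: s.enc != "NONE",
    "COMPLEMENTOFALL": lambda s: s.enc == "NONE",
    "eNULL": lambda s: s.enc == "NONE", "NULL": lambda s: s.enc == "NONE",
    "aNULL": lambda s: s.au == "NONE",
    "ADH": lambda s: s.kx == "DH" and s.au == "NONE",
    "RSA": lambda s: s.kx == "RSA", "kRSA": lambda s: s.kx == "RSA",
    "aRSA": lambda s: s.au == "RSA",
    "DH": lambda s: s.kx == "DH",
    "DHE": lambda s: s.kx == "DH" and s.au != "NONE",
    "EDH": lambda s: s.kx == "DH" and s.au != "NONE",
    "EXPORT": lambda s: s.export, "EXP": lambda s: s.export,
    "EXPORT40": lambda s: s.export and s.bits == 40,
    "EXPORT56": lambda s: s.export and s.bits == 56,
    "HIGH": lambda s: s.strength == "HIGH",
    "MEDIUM": lambda s: s.strength == "MEDIUM",
    "LOW": lambda s: s.strength == "LOW",
    "MD5": lambda s: s.mac == "MD5",
    "SHA": lambda s: s.mac == "SHA1", "SHA1": lambda s: s.mac == "SHA1",
    "RC4": lambda s: s.enc == "RC4", "DES": lambda s: s.enc == "DES",
    "3DES": lambda s: s.enc == "3DES", "AES": lambda s: s.enc == "AES",
    "SSLv2": lambda s: False,  # no SSLv2-only suites in the constructed table
}
DEFAULT = "ALL:!aNULL:!eNULL"  # simplified expansion of DEFAULT (assumption)


def _matches(suite, token):
    # "a+b" means the suite must satisfy every alias joined by '+'
    return all(ALIASES[part](suite) for part in token.split("+"))


def expand(cipher_string):
    """Return the suite names enabled by an OpenSSL-style cipher string, in order."""
    enabled, killed = [], set()
    tokens = cipher_string.replace(",", ":").replace(" ", ":").split(":")
    while tokens:
        tok = tokens.pop(0)
        if not tok:
            continue
        if tok == "DEFAULT":
            tokens = DEFAULT.split(":") + tokens
            continue
        if tok == "@STRENGTH":
            enabled.sort(key=lambda s: -s.bits)  # stable sort, strongest first
            continue
        op, body = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        hits = [s for s in SUITES if _matches(s, body)]
        if op == "!":        # permanently delete: cannot be re-added later
            killed.update(s.name for s in hits)
            enabled = [s for s in enabled if s not in hits]
        elif op == "-":      # delete, but a later rule may add it back
            enabled = [s for s in enabled if s not in hits]
        elif op == "+":      # move matching suites already enabled to the end
            enabled = [s for s in enabled if s not in hits] + [s for s in enabled if s in hits]
        else:                # add suites not yet enabled, keeping master order
            enabled += [s for s in hits if s.name not in killed and s not in enabled]
    return [s.name for s in enabled]


def logjam_exposure(cipher_string):
    """Export-grade and DHE suites a cipher string still enables."""
    by_name = {s.name: s for s in SUITES}
    names = expand(cipher_string)
    return {"export": [n for n in names if by_name[n].export],
            "dhe": [n for n in names if by_name[n].kx == "DH" and by_name[n].au != "NONE"]}


if __name__ == "__main__":
    before = "ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
    after = "ALL:!ADH:!EXPORT:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2"
    for label, cs in (("apache before", before), ("apache after", after),
                      ("client !EXPORT only", "DEFAULT:!EXPORT"),
                      ("client !EXPORT:!DHE", "DEFAULT:!EXPORT:!DHE")):
        print(label, logjam_exposure(cs))
```

Run as-is, the "before" string keeps `EXP-DES-CBC-SHA` and `EXP-EDH-RSA-DES-CBC-SHA` enabled because `!EXPORT56` removes only the 56-bit export suite and `+EXP` merely moves the remaining export suites to the end of the list; the "after" string's `!EXPORT` kills them all. On the client-side strings, `DEFAULT:!EXPORT` still leaves `DHE-RSA-AES256-SHA` and `DHE-RSA-AES128-SHA` enabled, which is why the advisory requires `!DHE` as well when a custom cipher string is in use.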

Enterprise Manager

To mitigate this vulnerability in the Enterprise Manager Configuration utility, you can modify the Apache server configuration to exclude EXP and EXPORT ciphers. The default SSL cipher string in your configuration may appear similar to the following:

ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

You can mitigate this vulnerability by using a string that excludes the EXPORT and EXP ciphers, similar to the following:

ALL:!ADH:!EXPORT:!EXP:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2

For more information about restricting ciphers for Configuration utility access, refer to K6768: Restricting Configuration utility access to clients using high encryption SSL ciphers (9.x - 10.x).

ARX

To mitigate this vulnerability, you can disable EXPORT grade SSL ciphers, such as SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA and SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, in the ARX GUI.

Traffix SDC

Traffix SDC configurations are not vulnerable with default cipher settings. To mitigate this vulnerability, do not configure EXPORT grade ciphers in the SDC configuration.