
K16840 : SSH vulnerability CVE-1999-1085

Published: 2015-07-01 00:00:00
Source: my.f5.com

AI Score: 9.3 High (Confidence: High)

CVSS2: 5 Medium
- Access Vector: NETWORK
- Access Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: NONE
- Integrity Impact: PARTIAL
- Availability Impact: NONE
- Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.014 Low (Percentile: 85.0%)

Security Advisory Description

Description

SSH 1.2.25, 1.2.23, and other versions, when used in CBC (Cipher Block Chaining) or CFB (Cipher Feedback, 64 bits) mode, allow remote attackers to insert arbitrary data into an existing stream between an SSH client and server by using a known-plaintext attack and computing a valid CRC-32 checksum for the packet, aka the "SSH insertion attack." (CVE-1999-1085)
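The root cause described above is that SSH1 relied on CRC-32, a linear error-detecting code, as if it were a message authentication code. The following Python snippet is an added illustration, not code from F5 or from any SSH implementation, and it does not model the SSH1 packet format. It shows the algebraic property that makes CRC-32 unusable for integrity protection (the checksum of a message XORed with a known difference follows from the original checksum alone) and contrasts it with a keyed HMAC-SHA256 tag, which is the kind of check SSH2 and every modern protocol use. All messages and the key are constructed sample values.

```python
"""CRC-32 versus HMAC as an integrity check (added illustration).

CRC-32 is affine under XOR for inputs of equal length:
    crc(a ^ d) == crc(a) ^ crc(d) ^ crc(0...0)
so anyone who knows only the checksum of a message and the XOR difference
they intend to apply can compute the checksum of the result.  A keyed MAC
such as HMAC-SHA256 has no such structure, and its tag cannot be recomputed
without the key.  Sample data below is constructed, not from any real session.
"""
import hashlib
import hmac
import zlib

# Constructed sample values (hypothetical, for illustration only).
ORIGINAL = b"payload-block-A"                 # 15 bytes
DELTA = b"\x00" * 8 + b"XXXXXXX"              # 15-byte XOR difference to apply
KEY = b"constructed-demo-key"                 # constructed MAC key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_of_xor_predicted(crc_original: int, delta: bytes) -> int:
    """Predict crc32(original ^ delta) from crc32(original) and delta alone.

    Uses the affine property of CRC-32; the original message itself is
    never needed, only its checksum and the intended difference.
    """
    zeros = bytes(len(delta))
    return crc_original ^ zlib.crc32(delta) ^ zlib.crc32(zeros)


def crc32_predictable_under_xor(original: bytes, delta: bytes) -> bool:
    """True when the predicted checksum equals the real checksum of the
    modified message, i.e. CRC-32 offers no resistance to this manipulation."""
    modified = xor_bytes(original, delta)
    predicted = crc32_of_xor_predicted(zlib.crc32(original), delta)
    return predicted == zlib.crc32(modified)


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    """Keyed integrity tag: HMAC-SHA256 over the message."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def hmac_predictable_under_xor(key: bytes, original: bytes, delta: bytes) -> bool:
    """Apply the same XOR-combination trick to HMAC tags.

    Returns True only if the combined tag verifies against the modified
    message; for a sound MAC this is False except with negligible probability.
    """
    modified = xor_bytes(original, delta)
    zeros = bytes(len(delta))
    combined = xor_bytes(
        xor_bytes(hmac_tag(key, original), hmac_tag(key, delta)),
        hmac_tag(key, zeros),
    )
    return hmac.compare_digest(combined, hmac_tag(key, modified))


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver-side check: constant-time comparison of the expected tag."""
    return hmac.compare_digest(hmac_tag(key, msg), tag)


if __name__ == "__main__":
    print("CRC-32 checksum predictable for modified message:",
          crc32_predictable_under_xor(ORIGINAL, DELTA))
    print("HMAC-SHA256 tag predictable for modified message:",
          hmac_predictable_under_xor(KEY, ORIGINAL, DELTA))
    tag = hmac_tag(KEY, ORIGINAL)
    print("HMAC verifies unmodified message:", verify_tag(KEY, ORIGINAL, tag))
    print("HMAC verifies modified message:  ",
          verify_tag(KEY, xor_bytes(ORIGINAL, DELTA), tag))
```

The first line printed is `True` and the remaining checks show that the HMAC-protected message cannot be altered without detection, which is why the recommended action below (leave SSH1 disabled) removes the exposure entirely rather than patching around it.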

Impact

By default, F5 products are not affected by this vulnerability.

Status

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature
--- | --- | --- | --- | ---
BIG-IP LTM* | None | 11.0.0 - 11.6.0, 10.0.0 - 10.2.4 | Not vulnerable | None
BIG-IP AAM* | None | 11.4.0 - 11.6.0 | Not vulnerable | None
BIG-IP AFM* | None | 11.3.0 - 11.6.0 | Not vulnerable | None
BIG-IP Analytics* | None | 11.0.0 - 11.6.0 | Not vulnerable | None
BIG-IP APM* | None | 11.0.0 - 11.6.0, 10.1.0 - 10.2.4 | Not vulnerable | None
BIG-IP ASM* | None | 11.0.0 - 11.6.0, 10.0.0 - 10.2.4 | Not vulnerable | None
BIG-IP Edge Gateway* | None | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | Not vulnerable | None
BIG-IP GTM* | None | 11.0.0 - 11.6.0, 10.0.0 - 10.2.4 | Not vulnerable | None
BIG-IP Link Controller* | None | 11.0.0 - 11.6.0, 10.0.0 - 10.2.4 | Not vulnerable | None
BIG-IP PEM* | None | 11.3.0 - 11.6.0 | Not vulnerable | None
BIG-IP PSM* | None | 11.0.0 - 11.4.1, 10.0.0 - 10.2.4 | Not vulnerable | None
BIG-IP WebAccelerator* | None | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4 | Not vulnerable | None
BIG-IP WOM* | None | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4 | Not vulnerable | None
ARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None
Enterprise Manager* | None | 3.0.0 - 3.1.1, 2.0.0 - 2.3.0 | Not vulnerable | None
FirePass | None | 7.0.0, 6.0.0 - 6.1.0 | Not vulnerable | None
BIG-IQ Cloud* | None | 4.0.0 - 4.5.0 | Not vulnerable | None
BIG-IQ Device* | None | 4.2.0 - 4.5.0 | Not vulnerable | None
BIG-IQ Security* | None | 4.0.0 - 4.5.0 | Not vulnerable | None
BIG-IQ ADC* | None | 4.5.0 | Not vulnerable | None
LineRate | None | 2.5.0 - 2.6.0 | Not vulnerable | None
F5 WebSafe | None | 1.0.0 | Not vulnerable | None
Traffix SDC | None | 4.0.0 - 4.4.0, 3.3.2 - 3.5.1 | Not vulnerable | None

*OpenSSH supports the use of the SSH1 protocol; however, it is not enabled in default configurations. SSH1 can only be enabled by manually editing the OpenSSH configuration file.

Note: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. Security Advisory articles published before this date do not list a Severity value.

Recommended Action

F5 recommends against manually enabling the SSH1 protocol on BIG-IP, BIG-IQ, or Enterprise Manager systems.

Supplemental Information
