AI Score: 9.3 High (Confidence: High)
CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
EPSS: 0.014 Low (Percentile: 85.0%)
Description
SSH 1.2.25, 1.2.23, and other versions, when used in CBC (Cipher Block Chaining) or CFB (Cipher Feedback 64 bits) modes, allows remote attackers to insert arbitrary data into an existing stream between an SSH client and server by using a known plaintext attack and computing a valid CRC-32 checksum for the packet, aka the “SSH insertion attack.” (CVE-1999-1085)
Impact
By default, F5 products are not affected by this vulnerability.
Status
To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:
Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature
---|---|---|---|---
BIG-IP LTM* | None | 11.0.0 - 11.6.0, 10.0.0 - 10.2.4 | Not vulnerable | None
BIG-IP AAM* | None | 11.4.0 - 11.6.0 | Not vulnerable | None
BIG-IP AFM* | None | 11.3.0 - 11.6.0 | Not vulnerable | None
BIG-IP Analytics* | None | 11.0.0 - 11.6.0 | Not vulnerable | None
BIG-IP APM* | None | 11.0.0 - 11.6.0, 10.1.0 - 10.2.4 | Not vulnerable | None
BIG-IP ASM* | None | 11.0.0 - 11.6.0, 10.0.0 - 10.2.4 | Not vulnerable | None
BIG-IP Edge Gateway* | None | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | Not vulnerable | None
BIG-IP GTM* | None | 11.0.0 - 11.6.0, 10.0.0 - 10.2.4 | Not vulnerable | None
BIG-IP Link Controller* | None | 11.0.0 - 11.6.0, 10.0.0 - 10.2.4 | Not vulnerable | None
BIG-IP PEM* | None | 11.3.0 - 11.6.0 | Not vulnerable | None
BIG-IP PSM* | None | 11.0.0 - 11.4.1, 10.0.0 - 10.2.4 | Not vulnerable | None
BIG-IP WebAccelerator* | None | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4 | Not vulnerable | None
BIG-IP WOM* | None | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4 | Not vulnerable | None
ARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None
Enterprise Manager* | None | 3.0.0 - 3.1.1, 2.0.0 - 2.3.0 | Not vulnerable | None
FirePass | None | 7.0.0, 6.0.0 - 6.1.0 | Not vulnerable | None
BIG-IQ Cloud* | None | 4.0.0 - 4.5.0 | Not vulnerable | None
BIG-IQ Device* | None | 4.2.0 - 4.5.0 | Not vulnerable | None
BIG-IQ Security* | None | 4.0.0 - 4.5.0 | Not vulnerable | None
BIG-IQ ADC* | None | 4.5.0 | Not vulnerable | None
LineRate | None | 2.5.0 - 2.6.0 | Not vulnerable | None
F5 WebSafe | None | 1.0.0 | Not vulnerable | None
Traffix SDC | None | 4.0.0 - 4.4.0, 3.3.2 - 3.5.1 | Not vulnerable | None
*OpenSSH supports the use of the SSH1 protocol; however, it is not enabled in default configurations. SSH1 can only be enabled by manually editing the OpenSSH configuration file.
Note: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. Security Advisory articles published before this date do not list a Severity value.
Recommended Action
F5 recommends against manually enabling the SSH1 protocol on BIG-IP, BIG-IQ, or Enterprise Manager systems.
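One way to check that recommendation against a copy of an OpenSSH server configuration file, as an added example (not F5's code). The function name `audit_protocol` and the sample text are constructed for illustration; it assumes OpenSSH's parsing rules (keywords are case-insensitive, the first value obtained for a keyword wins, `Protocol` is global-only) and does not follow `Include` files.

```python
import re

# Constructed sample sshd_config text (not taken from any F5 system).
SAMPLE = """\
# Protocol 1
Port 22
protocol = 2,1   # legacy client support
Protocol 2
Match User backup
    ForceCommand /bin/false
"""

def audit_protocol(config_text):
    """Report whether the effective Protocol directive enables SSH1.

    Returns a dict: ssh1 is True/False, or None when no Protocol line exists
    (the built-in default applies); line is the 1-based line that takes
    effect; shadowed lists later Protocol lines that sshd ignores.
    """
    result = {"ssh1": None, "line": None, "shadowed": []}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        # Keyword and value are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()               # keywords are case-insensitive
        if keyword == "match":
            break                                # Protocol is global-only
        if keyword != "protocol" or len(parts) < 2:
            continue
        if result["line"] is not None:
            result["shadowed"].append(lineno)    # first value wins in sshd
            continue
        versions = {v.strip() for v in parts[1].split(",")}
        result["ssh1"] = "1" in versions
        result["line"] = lineno
    return result

if __name__ == "__main__":
    print(audit_protocol(SAMPLE))
```

In the sample, the later `Protocol 2` line does not take effect: the earlier `protocol = 2,1` on line 3 is the effective setting, so the audit reports SSH1 as enabled.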
Supplemental Information