TMM SSL/TLS virtual server vulnerability CVE-2016-6907

2016-09-28T00:47:00
ID F5:K39508724
Type f5
Reporter f5
Modified 2017-04-07T00:35:00

Description

F5 Product Development has assigned ID 580596 (BIG-IP) to this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H617657 on the Diagnostics > Identified > High screen.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature
---|---|---|---|---
BIG-IP LTM | 12.1.0 HF1, 12.1.0, 12.0.0 HF1 - 12.0.0 HF3, 11.6.1 - 12.0.0, 11.6.0 HF1 - 11.6.0 HF7, 11.6.0, 11.5.4 HF1, 11.5.2 - 11.5.4, 11.5.1 HF6 - 11.5.1 HF10, 11.5.0 HF6 - 11.5.0 HF7, 11.4.1 HF6 - 11.4.1 HF10, 11.4.0 HF9 - 11.4.0 HF10, 11.2.1 HF13 - 11.2.1 HF15, 10.2.4 HF10 - 10.2.4 HF13 | 12.1.1, 12.1.0 HF2, 12.0.0 HF4, 11.6.1 HF1, 11.6.0 HF8, 11.5.4 HF2, 11.5.1 HF11, 11.4.1 HF11, 11.2.1 HF16 | High | TMM SSL/TLS
BIG-IP AAM | 12.1.0 HF1, 12.1.0, 12.0.0 HF1 - 12.0.0 HF3, 11.6.1 - 12.0.0, 11.6.0 HF1 - 11.6.0 HF7, 11.6.0, 11.5.4 HF1, 11.5.2 - 11.5.4, 11.5.1 HF6 - 11.5.1 HF10, 11.5.0 HF6 - 11.5.0 HF7, 11.4.1 HF6 - 11.4.1 HF10, 11.4.0 HF9 - 11.4.0 HF10 | 12.1.1, 12.1.0 HF2, 12.0.0 HF4, 11.6.1 HF1, 11.6.0 HF8, 11.5.4 HF2, 11.5.1 HF11, 11.4.1 HF11 | High | TMM SSL/TLS
BIG-IP AFM | 12.1.0 HF1, 12.1.0, 12.0.0 HF1 - 12.0.0 HF3, 11.6.1 - 12.0.0, 11.6.0 HF1 - 11.6.0 HF7, 11.6.0, 11.5.4 HF1, 11.5.2 - 11.5.4, 11.5.1 HF6 - 11.5.1 HF10, 11.5.0 HF6 - 11.5.0 HF7, 11.4.1 HF6 - 11.4.1 HF10, 11.4.0 HF9 - 11.4.0 HF10 | 12.1.1, 12.1.0 HF2, 12.0.0 HF4, 11.6.1 HF1, 11.6.0 HF8, 11.5.4 HF2, 11.5.1 HF11, 11.4.1 HF11 | High | TMM SSL/TLS
BIG-IP Analytics | 12.1.0 HF1, 12.1.0, 12.0.0 HF1 - 12.0.0 HF3, 11.6.1 - 12.0.0, 11.6.0 HF1 - 11.6.0 HF7, 11.6.0, 11.5.4 HF1, 11.5.2 - 11.5.4, 11.5.1 HF6 - 11.5.1 HF10, 11.5.0 HF6 - 11.5.0 HF7, 11.4.1 HF6 - 11.4.1 HF10, 11.4.0 HF9 - 11.4.0 HF10, 11.2.1 HF13 - 11.2.1 HF15 | 12.1.1, 12.1.0 HF2, 12.0.0 HF4, 11.6.1 HF1, 11.6.0 HF8, 11.5.4 HF2, 11.5.1 HF11, 11.4.1 HF11, 11.2.1 HF16 | High | TMM SSL/TLS
BIG-IP APM | 12.1.0 HF1, 12.1.0, 12.0.0 HF1 - 12.0.0 HF3, 11.6.1 - 12.0.0, 11.6.0 HF1 - 11.6.0 HF7, 11.6.0, 11.5.4 HF1, 11.5.2 - 11.5.4, 11.5.1 HF6 - 11.5.1 HF10, 11.5.0 HF6 - 11.5.0 HF7, 11.4.1 HF6 - 11.4.1 HF10, 11.4.0 HF9 - 11.4.0 HF10, 11.2.1 HF13 - 11.2.1 HF15, 10.2.4 HF10 - 10.2.4 HF13 | 12.1.1, 12.1.0 HF2, 12.0.0 HF4, 11.6.1 HF1, 11.6.0 HF8, 11.5.4 HF2, 11.5.1 HF11, 11.4.1 HF11, 11.2.1 HF16 | High | TMM SSL/TLS
BIG-IP ASM | 12.1.0 HF1, 12.1.0, 12.0.0 HF1 - 12.0.0 HF3, 11.6.1 - 12.0.0, 11.6.0 HF1 - 11.6.0 HF7, 11.6.0, 11.5.4 HF1, 11.5.2 - 11.5.4, 11.5.1 HF6 - 11.5.1 HF10, 11.5.0 HF6 - 11.5.0 HF7, 11.4.1 HF6 - 11.4.1 HF10, 11.4.0 HF9 - 11.4.0 HF10, 11.2.1 HF13 - 11.2.1 HF15, 10.2.4 HF10 - 10.2.4 HF13 | 12.1.1, 12.1.0 HF2, 12.0.0 HF4, 11.6.1 HF1, 11.6.0 HF8, 11.5.4 HF2, 11.5.1 HF11, 11.4.1 HF11, 11.2.1 HF16 | High | TMM SSL/TLS
BIG-IP DNS | 12.1.0 HF1, 12.1.0, 12.0.0 HF1 - 12.0.0 HF3, 12.0.0 | 12.1.1, 12.1.0 HF2, 12.0.0 HF4 | High | TMM SSL/TLS
BIG-IP Edge Gateway | 11.2.1 HF13 - 11.2.1 HF15, 10.2.4 HF10 - 10.2.4 HF13 | 11.2.1 HF16 | High | TMM SSL/TLS
BIG-IP GTM | 11.6.1, 11.6.0 HF1 - 11.6.0 HF7, 11.6.0, 11.5.4 HF1, 11.5.2 - 11.5.4, 11.5.1 HF6 - 11.5.1 HF10, 11.5.0 HF6 - 11.5.0 HF7, 11.4.1 HF6 - 11.4.1 HF10, 11.4.0 HF9 - 11.4.0 HF10, 11.2.1 HF13 - 11.2.1 HF15, 10.2.4 HF10 - 10.2.4 HF13 | 11.6.1 HF1, 11.6.0 HF8, 11.5.4 HF2, 11.5.1 HF11, 11.4.1 HF11, 11.2.1 HF16 | High | TMM SSL/TLS
BIG-IP Link Controller | 12.1.0 HF1, 12.1.0, 12.0.0 HF1 - 12.0.0 HF3, 11.6.1 - 12.0.0, 11.6.0 HF1 - 11.6.0 HF7, 11.6.0, 11.5.4 HF1, 11.5.2 - 11.5.4, 11.5.1 HF6 - 11.5.1 HF10, 11.5.0 HF6 - 11.5.0 HF7, 11.4.1 HF6 - 11.4.1 HF10, 11.4.0 HF9 - 11.4.0 HF10, 11.2.1 HF13 - 11.2.1 HF15, 10.2.4 HF10 - 10.2.4 HF13 | 12.1.1, 12.1.0 HF2, 12.0.0 HF4, 11.6.1 HF1, 11.6.0 HF8, 11.5.4 HF2, 11.5.1 HF11, 11.4.1 HF11, 11.2.1 HF16 | High | TMM SSL/TLS
BIG-IP PEM | 12.1.0 HF1, 12.1.0, 12.0.0 HF1 - 12.0.0 HF3, 11.6.1 - 12.0.0, 11.6.0 HF1 - 11.6.0 HF7, 11.6.0, 11.5.4 HF1, 11.5.2 - 11.5.4, 11.5.1 HF6 - 11.5.1 HF10, 11.5.0 HF6 - 11.5.0 HF7, 11.4.1 HF6 - 11.4.1 HF10, 11.4.0 HF9 - 11.4.0 HF10 | 12.1.1, 12.1.0 HF2, 12.0.0 HF4, 11.6.1 HF1, 11.6.0 HF8, 11.5.4 HF2, 11.5.1 HF11, 11.4.1 HF11, 11.2.1 HF16 | High | TMM SSL/TLS
BIG-IP PSM | 11.4.1 HF6 - 11.4.1 HF10, 11.4.0 HF9 - 11.4.0 HF10, 11.2.1 HF13 - 11.2.1 HF15, 10.2.4 HF10 - 10.2.4 HF13 | 11.4.1 HF11, 11.2.1 HF16 | High | TMM SSL/TLS
BIG-IP WebAccelerator | 11.2.1 HF13 - 11.2.1 HF15, 10.2.4 HF10 - 10.2.4 HF13 | 11.2.1 HF16 | High | TMM SSL/TLS
BIG-IP WOM | 11.2.1 HF13 - 11.2.1 HF15, 10.2.4 HF10 - 10.2.4 HF13 | 11.2.1 HF16 | High | TMM SSL/TLS
BIG-IP WebSafe | None | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1 | Not vulnerable | None
ARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None
Enterprise Manager | None | 3.1.1 | Not vulnerable | None
FirePass | None | 7.0.0 | Not vulnerable | None
BIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None
BIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None
BIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None
BIG-IQ ADC | None | 4.5.0 | Not vulnerable | None
BIG-IQ Centralized Management | None | 5.0.0, 4.6.0 | Not vulnerable | None
BIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None
F5 iWorkflow | None | 2.0.0 | Not vulnerable | None
LineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None
Traffix SDC | None | 5.0.0, 4.0.0 - 4.4.0 | Not vulnerable | None

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

Mitigation

For full mitigation, use only non-CBC ciphers, specifically AES-GCM or RC4. Note that RC4 is also vulnerable to many security issues. Therefore, to minimize the risk, use AES-GCM ciphers over other ciphers so that supporting clients do not use CBC ciphers.

To mitigate the potential exploitation for Secure Sockets Layer (SSL) and TLS virtual servers, you can configure the SSL profile to prefer non-CBC ciphers. To do so, perform the following procedure:

Impact of action: Changing the ciphers supported by the SSL profile may prevent some clients from establishing an SSL connection.

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > Profiles.
  3. In the SSL list, select Client.
  4. Click Create.
  5. Type a name for the SSL profile.
  6. In the Parent Profile list, select clientssl.
  7. In the Configuration list, select Advanced.
  8. Click the Custom box for Ciphers.
  9. From the Ciphers box, delete the DEFAULT cipher string.
  10. In the Ciphers box, enter the desired cipher string.

For BIG-IP 11.5.0 and later, configure the cipher string to prefer non-CBC ciphers. For example, the following string configures the SSL profile to prefer AES-GCM ciphers first, then RC4-SHA ciphers, before resorting to the DEFAULT string, which contains CBC ciphers:

AES-GCM:RC4-SHA:DEFAULT

For BIG-IP 11.4.0 and earlier, the following cipher string configures the SSL profile to prefer RC4-SHA before resorting to the DEFAULT string, which contains CBC ciphers:

RC4-SHA:DEFAULT

  11. Click Finished.

You must now associate the SSL profile with the virtual server.
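The procedure above sets the cipher string by hand in the Configuration utility. Once several client-ssl profiles exist, it is easy to miss one that still leads with DEFAULT. The following script is an added example, not from the advisory or from F5: it parses a listing in the shape of `tmsh list ltm profile client-ssl` output (the listing embedded here is constructed, not captured from a device), resolves the cipher string each profile actually uses, and flags profiles whose first negotiable keyword is not a non-CBC family, printing the string this advisory recommends for the running version. Two points are assumptions of the example: keywords containing GCM, RC4 or CHACHA20 are treated as non-CBC and everything else (including DEFAULT, which contains CBC ciphers) as CBC-capable, and a profile that sets no `ciphers` is assumed to inherit through `defaults-from`, falling back to DEFAULT when the chain leaves the listing.

```python
"""Audit BIG-IP client-ssl profiles for CBC-first cipher ordering (added example, not F5 code)."""
import re
from typing import Dict, List, Tuple

# Assumption: these keyword families expand only to non-CBC (AEAD or stream) suites.
NON_CBC_MARKERS = ("GCM", "RC4", "CHACHA20")

# Constructed sample in the shape of `tmsh list ltm profile client-ssl` output; not real device output.
SAMPLE_TMSH_OUTPUT = """\
ltm profile client-ssl clientssl {
    app-service none
    cert default.crt
    ciphers DEFAULT
    defaults-from none
    key default.key
}
ltm profile client-ssl hardened_clientssl {
    app-service none
    ciphers AES-GCM:RC4-SHA:DEFAULT
    defaults-from clientssl
}
ltm profile client-ssl legacy_clientssl {
    app-service none
    ciphers RC4-SHA:DEFAULT
    defaults-from clientssl
}
ltm profile client-ssl inherited_clientssl {
    app-service none
    defaults-from clientssl
}
"""

PROFILE_RE = re.compile(r"^ltm profile client-ssl (\S+) \{$")


def parse_client_ssl_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Return {profile_name: {attribute: value}} from a tmsh-style listing."""
    profiles: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            profiles[current] = {}
        elif line.strip() == "}":
            current = None
        elif current is not None and line.strip():
            key, _, value = line.strip().partition(" ")
            profiles[current][key] = value
    return profiles


def effective_ciphers(profiles: Dict[str, Dict[str, str]], name: str) -> str:
    """Resolve the cipher string, following defaults-from when a profile sets none."""
    seen = set()
    while name in profiles and name not in seen:
        seen.add(name)
        attrs = profiles[name]
        if "ciphers" in attrs:
            return attrs["ciphers"]
        name = attrs.get("defaults-from", "none")
    return "DEFAULT"  # assumption: a chain that leaves the listing ends at the DEFAULT string


def is_non_cbc_keyword(keyword: str) -> bool:
    upper = keyword.upper()
    return any(marker in upper for marker in NON_CBC_MARKERS)


def prefers_non_cbc(cipher_string: str) -> bool:
    """True when the first negotiable keyword is a non-CBC family (AES-GCM first is best)."""
    for keyword in cipher_string.split(":"):
        keyword = keyword.strip()
        if not keyword or keyword.startswith("!"):  # OpenSSL-style exclusions never negotiate a suite
            continue
        return is_non_cbc_keyword(keyword)
    return False


def recommended_cipher_string(version: str) -> str:
    """Cipher string the advisory gives: 11.5.0 and later vs. 11.4.0 and earlier.
    Assumption: the 11.5.0 boundary is applied to releases the advisory does not name."""
    major, minor = (int(part) for part in version.split(".")[:2])
    return "AES-GCM:RC4-SHA:DEFAULT" if (major, minor) >= (11, 5) else "RC4-SHA:DEFAULT"


def audit(text: str) -> List[Tuple[str, str, bool]]:
    """(profile, effective cipher string, prefers non-CBC?) for every profile in the listing."""
    profiles = parse_client_ssl_profiles(text)
    return [(name, effective_ciphers(profiles, name), prefers_non_cbc(effective_ciphers(profiles, name)))
            for name in profiles]


if __name__ == "__main__":
    version = "11.6.0"  # constructed: the BIG-IP version being audited
    for name, ciphers, ok in audit(SAMPLE_TMSH_OUTPUT):
        status = "ok" if ok else "CBC-first; set ciphers to " + recommended_cipher_string(version)
        print(f"{name:24} {ciphers:28} {status}")
```

Run against a real listing by replacing the sample with the saved output of `tmsh list ltm profile client-ssl`; profiles reported as CBC-first are the ones the procedure above should be applied to. Because the check only looks at keyword order, it mirrors the advisory's "prefer non-CBC" mitigation rather than proving that no CBC suite can ever be negotiated; a client that supports none of the leading families still falls through to DEFAULT.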
