SOL10674 - Netscape reuse cipher change bug - Qualys QID 38284

2009-10-27T00:00:00
ID SOL10674
Type f5
Reporter f5
Modified 2016-07-25T00:00:00

Description

A Qualys security audit may report that the BIG-IP management IP address is vulnerable to a NETSCAPE REUSE CIPHER CHANGE BUG. The security audit may produce a report that appears similar to the following example:

QID: 38284
CVSS Base: 5 [1]
Category: General remote services
CVSS Temporal: 4.7
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Modified: 05/05/2009
Edited: No

THREAT: Netscape's SSLv3 implementation had a bug where if a SSLv3 connection is initially established, the first available cipher is used. If a session is resumed, a different cipher may be chosen if it appears in the passed cipher list before the session's current cipher. This bug can be used to change ciphers on the server. OpenSSL contains this bug if the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is enabled during runtime. This option was introduced for compatibility reasons. The problem arises when different applications using OpenSSL's libssl library enable all compatibility options including SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, thus enabling the bug.

IMPACT:
A malicious legitimate client can enforce a ciphersuite not supported by the server to be used for a session between the client and the server. This can result in disclosure of sensitive information.
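The resumption behaviour described in the THREAT text, as a simplified model added here (not code from OpenSSL, F5 or the scan report), next to the strict behaviour and the invariant a regression test can assert. `resume_cipher`, `resume_findings`, the `compat_bug` flag and the cipher lists are hypothetical; the buggy branch follows the report's wording rather than libssl's source.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: OpenSSL-style cipher names, not taken from the advisory. */
static const char *const SERVER_ENABLED[] = { "AES256-SHA", "AES128-SHA" };
static const char *const CLIENT_OFFER[]   = { "EXP-RC4-MD5", "AES256-SHA" };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static int in_list(const char *const *list, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0)
            return 1;
    return 0;
}

/* Cipher used for a resumed session, or NULL to refuse resumption
 * (the server then falls back to a full handshake). */
const char *resume_cipher(const char *session, const char *const *offer, size_t n_offer,
                          const char *const *enabled, size_t n_enabled, int compat_bug)
{
    if (n_offer == 0 || !in_list(offer, n_offer, session))
        return NULL;
    if (compat_bug)
        return offer[0]; /* modelled bug: first offered cipher wins, unchecked */
    /* Strict: keep the originally negotiated cipher, if policy still allows it. */
    return in_list(enabled, n_enabled, session) ? session : NULL;
}

#define F_CIPHER_CHANGED 1 /* resumed cipher differs from the session's */
#define F_NOT_ENABLED    2 /* resumed cipher is outside server policy */

/* Invariant check a test harness can apply to any resumption result. */
int resume_findings(const char *session, const char *resumed,
                    const char *const *enabled, size_t n_enabled)
{
    int f = 0;
    if (strcmp(session, resumed) != 0) f |= F_CIPHER_CHANGED;
    if (!in_list(enabled, n_enabled, resumed)) f |= F_NOT_ENABLED;
    return f;
}

int main(void)
{
    for (int bug = 0; bug <= 1; bug++) {
        const char *c = resume_cipher("AES256-SHA", CLIENT_OFFER, COUNT(CLIENT_OFFER),
                                      SERVER_ENABLED, COUNT(SERVER_ENABLED), bug);
        printf("compat_bug=%d -> %s findings=%d\n", bug, c,
               resume_findings("AES256-SHA", c, SERVER_ENABLED, COUNT(SERVER_ENABLED)));
    }
    return 0;
}
```

A resumption result with a non-zero findings value is the condition the audit flags; the strict branch never produces one.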

F5 recommends managing the device from a secure management network using the management port.

Information about this advisory is available at the following locations:

<http://bugs.contribs.org/show_bug.cgi?id=195>

<https://bugzilla.redhat.com/show_bug.cgi?id=175779>

Note: The previous links take you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge.

F5 Product Development tracked this issue as CR119114 and it was fixed in BIG-IP 9.4.8. For information about upgrading, refer to the BIG-IP LTM, ASM, GTM, PSM, Link Controller, WebAccelerator, or WOM release notes.

F5 Product Development tracked this issue as CR123875 and it was fixed in BIG-IP 10.1.0. For information about upgrading, refer to the BIG-IP LTM, ASM, GTM, PSM, Link Controller, WebAccelerator, or WOM release notes.

F5 Product Development tracked this issue as CR123875 and it was fixed in Enterprise Manager 2.0.0. For information about upgrading, refer to the Enterprise Manager release notes.

F5 Product Development tracked this issue as CR65058 and CR68757 and it was fixed in FirePass 5.5.2 and 6.0.1. For information about upgrading, refer to the FirePass release notes.