Published: Nov 05, 2009

SOL10737 - SSL Renegotiation vulnerability - CVE-2009-3555 / VU#120541

Source: support.f5.com

EPSS: 0.003 (Low), percentile 69.4%

A man-in-the-middle attack allows an attacker to inject an arbitrary amount of chosen plain text into the application protocol stream data during a secure session renegotiation that uses SSL version 3.x or TLS version 1.x. This may allow the attacker to perform arbitrary actions on affected websites with the user's credentials. This vulnerability does not allow the attacker to decrypt the intercepted network communication.

Information about this advisory is available at the following locations:

Note: These links take you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge.

Note: F5 thanks Marsh Ray, who originally identified and reported this vulnerability.

The IETF has adopted a new extension to the TLS standard that addresses this issue, published as RFC5746: Transport Layer Security (TLS) Renegotiation Indication Extension. F5 Product Development has implemented this new extension beginning in BIG-IP versions 10.2.3 and 11.0.0.

Important: When session renegotiation is disabled, some browsers may log to the console an informational message similar to the following example when connecting to F5 products:

Server does not support RFC 5746, see CVE-2009-3555

Although the message implies that the F5 product to which the browser is connecting is vulnerable to this attack, all vulnerable F5 Products have been patched to disable SSL/TLS renegotiation, and some have been further enhanced to allow explicit control over renegotiation, thus mitigating this attack. For more information regarding completed and planned updates related to this vulnerability, refer to the following table. Note that ID 223836 specifically addresses this error message.
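How a client or scanner arrives at the message above, as an added example (not F5 code and not part of the original advisory): under RFC 5746 a server signals secure renegotiation by returning the renegotiation_info extension (type 0xff01) in its ServerHello, so its absence is what triggers the warning. The ServerHello bytes and the helper names below are constructed for illustration.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746

def build_server_hello(extensions):
    """Build a constructed TLS 1.0 ServerHello record (sample input only)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x01"      # server_version: TLS 1.0
            + bytes(32)      # random (all zeros, constructed)
            + b"\x00"        # empty session_id
            + b"\x00\x2f"    # cipher suite TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x00")       # null compression
    if extensions:
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def supports_rfc5746(record):
    """True if an initial ServerHello carries a valid renegotiation_info."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                 # skip server_version and random
    pos += 1 + body[pos]         # skip session_id
    pos += 2 + 1                 # skip cipher suite and compression method
    if pos + 2 > len(body):
        return False             # no extensions block: pre-RFC 5746 server
    ext_end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    if ext_end > len(body):
        raise ValueError("extensions length exceeds ServerHello")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == RENEGOTIATION_INFO:
            # On the first handshake renegotiated_connection must be empty,
            # i.e. the extension data is the single length byte 0x00.
            if data != b"\x00":
                raise ValueError("non-empty renegotiation_info on first handshake")
            return True
        pos += 4 + ext_len
    return False

# Constructed samples: 0x0023 is the SessionTicket extension, used as filler.
PATCHED = build_server_hello([(0x0023, b""), (RENEGOTIATION_INFO, b"\x00")])
LEGACY = build_server_hello([(0x0023, b"")])
```

A server that has renegotiation disabled but does not send the extension classifies the same as `LEGACY`, which is why the browser message alone does not establish that the server is exploitable.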

F5 Product Development is tracking this issue as follows:

| CR / ID | Description | Affected products | Included in |
|---|---|---|---|
| CR132165 /<br>ID 213305 | Introduce the `<disable\|enable>` parameter to the **SSL::renegotiate** iRule command to control on a per-connection basis how TMM should respond to SSL 3.0/TLS 1.0 renegotiation requests.<br><br>Important: Client-side session renegotiation is still enabled, by default, in versions prior to 10.1.0. In these versions, you must apply an iRule using the **SSL::renegotiate disable** command to each virtual server configuration you wish to protect from this vulnerability. Refer to the mitigation section, following, for more information.<br><br>Note: For more information, refer to the DevCentral wiki page for the **SSL::renegotiate** iRule command. | LTM, GTM, ASM, PSM, Link Controller, WebAccelerator, WOM, Enterprise Manager | BIG-IP 9.3.1 HF8<br>BIG-IP 9.4.8 HF2<br>BIG-IP 10.0.1 HF3<br>BIG-IP 10.1.0 and later<br>Enterprise Manager 2.0<br>Engineering Hotfix available for:<br>Enterprise Manager 1.8 |
| CR132166 /<br>ID 213306 | Patch OpenSSL to disable midstream session renegotiation. This patch protects the Configuration utility and iControl against this vulnerability. | LTM, GTM, ASM, PSM, Link Controller, WebAccelerator, WOM, Enterprise Manager | BIG-IP 9.3.1 HF8<br>BIG-IP 9.4.8 HF2<br>BIG-IP 10.0.1 HF3<br>BIG-IP 10.1.0 and later<br>Enterprise Manager 2.0<br>Enterprise Manager 1.8 HF1 |
| CR132167 /<br>ID 213307 | Enable midstream session renegotiation for the big3d and gtmd. This CR is a companion to CR132166, re-enabling mid-stream session renegotiation for the big3d and gtmd processes, which maintain long-lived iQuery-over-SSL connections that are renegotiated daily. These connections are mutually authenticated using 2-way SSL authentication prior to exchanging application traffic and, thus, are not vulnerable to the man-in-the-middle attacks described in this Solution. | LTM, GTM, ASM, PSM, Link Controller, WebAccelerator, WOM, Enterprise Manager | BIG-IP 9.3.1 HF8<br>BIG-IP 9.4.8 HF2<br>BIG-IP 10.0.1 HF3<br>BIG-IP 10.1.0 and later<br>Enterprise Manager 2.0<br>Enterprise Manager 1.8 HF1 |
| CR132170 /<br>ID 213308 | Introduce a Client SSL / Server SSL profile option to control whether midstream session renegotiation is allowed. In versions 10.1.0 - 10.2.2, the default setting for the Client SSL profile is disabled, and the default setting for the Server SSL profile is enabled.<br><br>Note: BIG-IP versions 10.2.3 and later support the Renegotiation Indication Extension. For more information, refer to SOL13512: Change in Behavior: The BIG-IP SSL profiles support the TLS Renegotiation Indication Extension. | LTM, GTM, ASM, PSM, Link Controller, WebAccelerator, WOM | BIG-IP 10.1.0 and later |
| CR132172 /<br>ID 223836 | Implement RFC5746: Transport Layer Security (TLS) Renegotiation Indication Extension, an extension to the TLS standard for secure midstream session renegotiation.<br><br>Note: For more information, refer to SOL13512: Change in Behavior: The BIG-IP SSL profiles support the TLS Renegotiation Indication Extension. | LTM, GTM, ASM, PSM, Link Controller, WebAccelerator, WOM, Enterprise Manager | BIG-IP 10.2.3<br>BIG-IP 11.0.0 and later |
| CR132177 /<br>ID 295760<br>and<br>CR132177-1 /<br>ID 294172 | Patch OpenSSL to disable midstream session renegotiation. | FirePass | FirePass 7.0.0 and later<br>FirePass 6.1.0 HF1 \*<br>FirePass 6.0.3 hotfix-132177-1<br>FirePass 6.0.2 hotfix-132177-1<br>FirePass 5.5.2 hotfix-132177-1<br>FirePass 5.5.1 hotfix-132177-1<br>FirePass 5.5 hotfix-132177-1<br><br>Important: For version 6.1.0, the fix for this ID was not included in HF3 or HF4. Install the latest cumulative hotfix. |
| ID 37053 | Patch or upgrade Apache Tomcat to disable session renegotiation. | ARX | ARX 6.2.0 |

If a named hotfix has been issued for your software version, you may download the referenced hotfix or later versions of the hotfix from the F5 Downloads site.

If an engineering hotfix has been issued for your software version, you should contact F5 Technical Support, and reference this Solution number and the associated CR number to request the hotfix.

For a list of the latest available hotfixes, refer to SOL9502: BIG-IP hotfix matrix.

For information about the F5 hotfix policy, refer to SOL4918: Overview of the F5 critical issue hotfix policy.

For information about how to manage F5 product hotfixes, refer to SOL6845: Managing F5 product hotfixes.

For information about installing version 10.x hotfixes, refer to SOL10025: Managing BIG-IP product hotfixes (10.x).

Mitigation steps for BIG-IP LTM, ASM, PSM, Link Controller, WebAccelerator, or WOM SSL virtual servers

You can use the Client SSL profile Renegotiation setting or an iRule to disable client-side session renegotiation for virtual servers. Refer to the following section that applies to your version:

Note: Applications that require session renegotiation are inherently vulnerable to the attack. Only removal of the renegotiation requirement in the application itself will eliminate the vulnerability. If session renegotiation is disabled by any of the vulnerability mitigation steps described later, without modifying the application, client connections will be dropped. For example, IE 5.0 clients accessing applications which use SGC (Server Gated Cryptography) certificates are known to require renegotiation, and their connections would be disrupted by such a configuration.

Important: Any mitigation action that re-enables session re-negotiation on patched vulnerable versions may re-expose your F5 system to this vulnerability. In some cases, iRule logic can be used to control this behavior. Refer to the following sections for details regarding your product and version.

BIG-IP versions 10.1.0 and later

BIG-IP versions 10.2.3 and later support the Renegotiation Indication Extension. The SSL Renegotiation setting is Enabled, by default, in the SSL profiles; however, the system requires secure renegotiation of SSL connections. For more information, refer to SOL13512: Change in Behavior: The BIG-IP SSL profiles support the TLS Renegotiation Indication Extension.

In BIG-IP version 10.1.0, the Renegotiation setting was added to the BIG-IP Client session and Server SSL profiles as a result of ID 213308 (formerly CR132180). In versions 10.1.0 - 10.2.2, the Renegotiation setting is Disabled by default in the Client SSL profile. Virtual servers using a Client SSL profile with the Renegotiation setting configured to Disabled are protected from this vulnerability.

If necessary, you can selectively enable renegotiation using the SSL::renegotiate iRules command on a virtual server that has renegotiation disabled in its Client SSL profile. For example, an iRule similar to the following enables renegotiation only for clients within a single Class C subnet:

    when CLIENTSSL_HANDSHAKE priority 1 {
        # Re-enable renegotiation only for clients in 192.168.222.0/24
        if { [IP::addr [IP::client_addr] equals 192.168.222.0/24] } {
            SSL::renegotiate enable
        }
    }

Note: For more information, refer to the DevCentral wiki page for the SSL::renegotiate iRule command. A separate DevCentral login is required to access this content; you will be redirected to authenticate or register (if necessary).

BIG-IP versions 9.3.1 HF8, 9.4.8 HF2, 10.0.1 HF3, and 10.1.0 through 10.2.x

To mitigate the vulnerability, a BIG-IP system administrator may apply iRules similar to the following to each SSL virtual server. This sample iRule uses the SSL::renegotiate command to disable client-side session renegotiation, which prevents the BIG-IP system from processing a secondary session renegotiation request:

    when CLIENTSSL_HANDSHAKE priority 1 {
        SSL::renegotiate disable
    }

The <enable|disable> parameter was added to the SSL::renegotiate command in versions 9.3.1 HF8, 9.4.8 HF2, 10.0.1 HF3, 10.1.x, and 10.2.0 as a result of ID 213305 (formerly CR132165). In versions prior to 10.1.0, all virtual servers with a Client SSL profile applied will, by default, still accept session renegotiation.

Note: For more information, refer to the DevCentral wiki page for the SSL::renegotiate iRule command. A separate DevCentral login is required to access this content; you will be redirected to authenticate or register (if necessary).

BIG-IP versions 9.4.x, 9.3.x prior to 9.3.1 HF8, and 10.0.x prior to 10.0.1 HF3

To mitigate the vulnerability in versions that do not include the SSL::renegotiate command, apply an iRule similar to the following to each SSL virtual server. The iRule resets the connection if client-side SSL renegotiation is attempted.

    when CLIENT_ACCEPTED {
        # initialize TLS/SSL handshake count for this connection
        set sslhandshakecount 0
    }
    when CLIENTSSL_HANDSHAKE priority 1 {
        # a handshake just occurred
        incr sslhandshakecount
        # is this the first handshake in this connection?
        if { $sslhandshakecount > 1 } {
            # log (rate limited) the event (to /var/log/ltm)
            log "\[VS [IP::local_addr]:[TCP::local_port] client [IP::remote_addr]:[TCP::remote_port]\]:TLS/SSL renegotiation"
            # if not, close the clientside connection
            reject
        }
    }

Note: This example was provided by F5 DevCentral poster Lupo. The original post is available at the following location:

mitigating the TLS client-initiated renegotiation MITM attack

A separate DevCentral login is required to access this content; you will be redirected to authenticate or register (if necessary).
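The handshake-counting iRule above writes one line to /var/log/ltm for each rejected renegotiation. The following added example (not part of the original advisory or the DevCentral post) summarizes those entries per virtual server and client so that recurring sources can be reviewed. The sample log lines are constructed; the syslog prefix, host name and the rule name reneg_guard are assumptions.

```python
import re
from collections import Counter

# Message format written by the iRule's log command; only this part is parsed.
EVENT = re.compile(
    r"\[VS (?P<vs>\S+):(?P<vs_port>\d+) "
    r"client (?P<client>\S+):\d+\]:TLS/SSL renegotiation")

# Constructed sample lines. The syslog prefix, host name and rule name
# (reneg_guard) are assumptions, not taken from the advisory.
SAMPLE_LTM_LOG = """\
Nov  5 10:01:12 bigip1 info tmm[1234]: Rule reneg_guard <CLIENTSSL_HANDSHAKE>: [VS 10.0.0.10:443 client 192.0.2.15:51234]:TLS/SSL renegotiation
Nov  5 10:01:13 bigip1 info tmm[1234]: Rule reneg_guard <CLIENTSSL_HANDSHAKE>: [VS 10.0.0.10:443 client 192.0.2.15:51240]:TLS/SSL renegotiation
Nov  5 10:01:40 bigip1 info tmm[1234]: Rule reneg_guard <CLIENTSSL_HANDSHAKE>: [VS 10.0.0.10:443 client 198.51.100.7:40022]:TLS/SSL renegotiation
Nov  5 10:02:00 bigip1 notice mcpd[2345]: unrelated constructed message
Nov  5 10:02:31 bigip1 info tmm[1234]: Rule reneg_guard <CLIENTSSL_HANDSHAKE>: [VS 10.0.0.20:8443 client 192.0.2.15:51300]:TLS/SSL renegotiation
Nov  5 10:03:05 bigip1 info tmm[1234]: Rule reneg_guard <CLIENTSSL_HANDSHAKE>: [VS 10.0.0.10:443 client 192.0.2.15:51311]:TLS/SSL renegotiation
"""

def rejected_renegotiations(log_text):
    """Count logged rejections per (virtual server, client IP).

    The iRule's log is rate limited, so the counts are lower bounds.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m:
            counts[(f"{m['vs']}:{m['vs_port']}", m["client"])] += 1
    return counts

def clients_to_review(counts, threshold=3):
    """Clients whose total across all virtual servers reaches the threshold."""
    totals = Counter()
    for (_vs, client), n in counts.items():
        totals[client] += n
    hits = [(c, n) for c, n in totals.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    per_pair = rejected_renegotiations(SAMPLE_LTM_LOG)
    for (vs, client), n in sorted(per_pair.items()):
        print(f"{vs} <- {client}: {n}")
    print("review:", clients_to_review(per_pair))
```

A single entry from a client is consistent with the legacy browsers the advisory says require renegotiation; repeated entries from one source across virtual servers are the ones to look at first.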