SOL13400 - SSL 3.0/TLS 1.0 BEAST vulnerability CVE-2011-3389 and TLS protocol vulnerability CVE-2012-1870

2012-03-06T00:00:00
ID SOL13400
Type f5
Reporter f5
Modified 2016-06-28T00:00:00

Description

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.

  • BIG-IP
  • FirePass
  • Enterprise Manager
  • ARX

Vulnerability Recommended Actions

BIG-IP

This vulnerability is exploited on the client-browser side of an SSL connection to either a virtual server or to the Configuration utility. In the case of client-browser access to a virtual server, the vulnerability is exploitable without server access, and no exploited packets are sent to the remote server. The following mitigations for this vulnerability are available for SSL profiles and the Configuration utility:

SSL Profiles

Mitigation of this vulnerability is possible for virtual servers using an SSL profile by performing one of the following procedures:

  • Configuring the SSL profile to use only TLS 1.1 or TLS 1.2 compatible ciphers, or RC4-SHA ciphers

    • TLS 1.1 protocol compatible ciphers are available only for BIG-IP 11.2.0 and later.
    • TLS 1.2 protocol compatible ciphers and RC4-SHA ciphers are available only for BIG-IP 10.2.4 and later, and BIG-IP 11.0.0 and later.

  • Configuring the SSL profile to use only RC4-SHA ciphers

    • RC4-SHA ciphers are available for all BIG-IP versions.
    • RC4 ciphers are not FIPS compliant.

Configuration utility

Mitigation of this vulnerability is possible for the Configuration utility by performing one of the following procedures:

  • Restricting the Configuration utility to use only TLS 1.2 compatible or RC4-SHA ciphers

    • This option is available only for BIG-IP 11.5.0 and later.
    • Feature enhancements allowing the use of this procedure have also been included in the following software versions: 11.4.1 HF6, 11.4.0 HF9, 11.2.1 HF13, and 10.2.4 HF10.

  • Restricting the Configuration utility to use only RC4-SHA ciphers

    • This option is available for all BIG-IP versions.

Configuring the SSL profile to use TLS 1.1 or TLS 1.2 compatible ciphers, or RC4-SHA ciphers

Note: Support for TLS 1.2 was introduced in BIG-IP 10.2.3 and 11.0.0.

For BIG-IP 10.2.4 and 11.x, you can mitigate this vulnerability for an SSL virtual server by configuring the SSL profile to use only TLS 1.1-compatible ciphers, TLS 1.2-compatible ciphers, or RC4-SHA ciphers. For information about configuring the ciphers used by an SSL profile, refer to the following articles:

  • SOL13171: Configuring the cipher strength for SSL profiles (11.x)
  • SOL7815: Configuring the cipher strength for SSL profiles (9.x - 10.x)

For example, to configure an SSL profile to use only TLS 1.1-compatible ciphers, TLS 1.2-compatible ciphers, or RC4-SHA ciphers, perform the following procedure:

Note: This workaround cannot be applied to BIG-IP 10.2.3. For more information, refer to SOL13543: The BIG-IP SSL profiles may not allow cipher strings containing AES128, AES256, or TLS1.2.

Impact of workaround: An SSL virtual server configured to use this SSL profile will use only TLS 1.1-compatible ciphers, TLS 1.2-compatible ciphers, or RC4-SHA ciphers. There is limited client browser support for TLS 1.2. Clients who do not support TLS 1.1 or 1.2 may not be able to connect, or will connect using an RC4-SHA cipher. However, RC4 ciphers are not FIPS compliant.

Important: Many client browsers do not support TLS 1.2.

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > Profiles.
  3. Choose Client from the SSL menu.
  4. Click Create.
  5. Type a name for the SSL profile.
  6. From the Parent Profile menu, choose clientssl.
  7. From the Configuration menu, choose Advanced.
  8. Click the Custom box for Ciphers.
  9. Delete the DEFAULT cipher string from the Ciphers box.
  10. Enter the desired cipher string in the Ciphers box.

For example, the following string can configure an SSL profile to use only TLS 1.1-compatible and TLS 1.2-compatible ciphers:

DEFAULT:!SSLv3:!TLSv1

If you want the SSL profile to support TLS 1.0 and SSL 3.0 clients, use the following string:

DEFAULT:-SSLv3:-TLSv1:RC4-SHA

If you want the SSL profile to support TLS 1.0, but not SSL 3.0 clients, use the following string:

DEFAULT:!SSLv3:-TLSv1:RC4-SHA

  11. Click Finished.

You must now associate the SSL profile with the virtual server.

Alternatively, to configure an SSL profile to use only TLS 1.1-compatible and TLS 1.2-compatible ciphers using the tmsh utility, use the following syntax:

tmsh create /ltm profile client-ssl <name> ciphers DEFAULT:!SSLv3:!TLSv1

Similarly, if you want the SSL profile to support TLS 1.0 and SSL 3.0 clients, you can configure an SSL profile using the following tmsh command syntax:

tmsh create /ltm profile client-ssl <name> ciphers DEFAULT:-SSLv3:-TLSv1:RC4-SHA

And if you want the SSL profile to support TLS 1.0, but not SSL 3.0 clients, you can configure an SSL profile using the following tmsh command syntax:

tmsh create /ltm profile client-ssl <name> ciphers DEFAULT:!SSLv3:-TLSv1:RC4-SHA
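The three cipher strings above differ only in whether SSLv3 and TLSv1 entries are removed with "!" (permanently) or "-" (so that a trailing RC4-SHA can add that one cipher back for older clients). The following Python model, added here and not part of the F5 article, applies those operator rules to a constructed cipher table so the resulting per-protocol cipher lists can be inspected offline; the table and its DEFAULT expansion are illustrative assumptions, not the cipher list of any BIG-IP release.

```python
# Added illustration, not from the F5 article: a model of the cipher-string
# operators used above. The table is constructed for this example and is not the
# cipher list of any BIG-IP release; DEFAULT here expands to this table only.
# Entries are (cipher, protocol) pairs, as tmm lists them: one per version.
DEFAULT_TABLE = [
    (c, p)
    for c in ("AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA")
    for p in ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
]

def _pool(keyword):
    """Entries named by a keyword: DEFAULT, a protocol version, or a cipher name."""
    if keyword == "DEFAULT":
        return list(DEFAULT_TABLE)
    return [e for e in DEFAULT_TABLE if keyword in e]

def evaluate(cipher_string):
    """Expand a cipher string into its ordered list of (cipher, protocol) entries.

    Operator rules modelled (the OpenSSL-style rules BIG-IP cipher strings follow):
      X   add matching entries not already present or permanently removed
      -X  remove matching entries; a later token may add them back
      !X  remove matching entries permanently
      +X  move matching entries to the end of the list
    """
    result, banned = [], set()
    for token in cipher_string.split(":"):
        op, keyword = (token[0], token[1:]) if token[:1] in ("!", "-", "+") else ("", token)
        pool = _pool(keyword)
        if op == "!":
            banned.update(pool)
        if op in ("!", "-"):
            result = [e for e in result if e not in pool]
        elif op == "+":
            result = [e for e in result if e not in pool] + [e for e in result if e in pool]
        else:
            result += [e for e in pool if e not in result and e not in banned]
    return result

def ciphers_for(cipher_string, protocol):
    """Cipher names a client that speaks only `protocol` could negotiate."""
    return [c for c, p in evaluate(cipher_string) if p == protocol]

def protocols_accepted(cipher_string):
    """Protocol versions for which at least one cipher remains."""
    return sorted({p for _, p in evaluate(cipher_string)})

if __name__ == "__main__":
    for s in ("DEFAULT:!SSLv3:!TLSv1", "DEFAULT:-SSLv3:-TLSv1:RC4-SHA", "DEFAULT:!SSLv3:-TLSv1:RC4-SHA"):
        print(s, "->", protocols_accepted(s), "TLSv1 offers", ciphers_for(s, "TLSv1"))
```

Running it shows that a TLS 1.0-only client is refused under the first string and limited to RC4-SHA under the other two, which is the trade-off the impact statement describes.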

Configuring the SSL profile to use only the RC4-SHA cipher

For BIG-IP versions that do not support TLS 1.1 or 1.2, you can mitigate this vulnerability for an SSL virtual server by configuring the SSL profile to use only RC4-SHA ciphers. For example, to configure an SSL profile to use only RC4-SHA ciphers, perform the following procedure:

Impact of workaround: Only RC4-SHA ciphers are allowed. Limiting the ciphers supported by the SSL profile may result in clients being unable to establish an SSL connection.

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > Profiles.
  3. From the SSL menu, choose Client.
  4. Click Create.
  5. Type a name for the SSL profile.
  6. From the Parent Profile menu, choose clientssl.
  7. From the Configuration menu, choose Advanced.
  8. Click the Custom box for Ciphers.
  9. Delete the DEFAULT cipher string from the Ciphers box.
  10. Enter the desired cipher string in the Ciphers box.

For example, the following string would configure an SSL profile to use only RC4-SHA ciphers:

RC4-SHA

  11. Click Finished.

You must now associate the SSL profile with the virtual server.

Note: Alternatively, to configure an SSL profile to use only RC4-SHA ciphers using the tmsh utility, use the following syntax:

tmsh create /ltm profile client-ssl <name> ciphers RC4-SHA

Restricting the Configuration utility to use only TLS 1.2 compatible or RC4-SHA ciphers

Note: Support for TLS 1.2 in the Configuration utility was introduced in BIG-IP 11.5.0.

For BIG-IP 11.5.0 and later, you can mitigate this vulnerability for the Configuration utility by restricting the utility to use only TLS 1.2-compatible ciphers or RC4-SHA ciphers. For example, to restrict the utility to use only TLS 1.2-compatible ciphers or RC4-SHA ciphers, perform the following procedure:

Note: Feature enhancements allowing the use of this procedure have also been included in the following software versions: 11.4.1 HF6, 11.4.0 HF9, 11.2.1 HF13, and 10.2.4 HF10.

Impact of workaround: The Configuration utility will use only TLS 1.2-compatible ciphers or RC4-SHA ciphers. There is limited client browser support for TLS 1.2. Clients who do not support TLS 1.2 may not be able to connect, or will connect using an RC4-SHA cipher.

Important: Many client browsers do not support TLS 1.2.

  1. Log in to the Traffic Management Shell (tmsh) by typing the following command:

tmsh

  2. Before you change the SSL cipher string, you should review the existing string for your specific BIG-IP version. To list the currently configured cipher string, type the following command:

list /sys httpd ssl-ciphersuite

For example, the BIG-IP 11.5.1 system displays the following cipher string:

ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2

  3. To restrict Configuration utility access to clients using TLS 1.2 or RC4-SHA ciphers, type the following command:

modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA'

Alternatively, if you can restrict to only TLS 1.1 and TLS 1.2 ciphers, then type the following command instead:

modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1'

  4. Save the configuration change by typing the following command:

save /sys config

Restricting the Configuration utility to use only RC4-SHA ciphers

For BIG-IP versions that do not support TLS 1.2, you can mitigate this vulnerability for the Configuration utility by restricting the utility to use only RC4-SHA ciphers. For example, to restrict the utility to use only RC4-SHA ciphers, perform the following procedure:

Impact of workaround: Only RC4-SHA ciphers are allowed. Limiting the ciphers supported by the Configuration utility may result in clients being unable to connect.

  1. Log in to the Traffic Management Shell (tmsh) by typing the following command:

tmsh

  2. Before you change the SSL cipher string, you should review the existing string for your specific BIG-IP version. To list the currently configured cipher string, type the following command:

list /sys httpd ssl-ciphersuite

For example, the BIG-IP 11.5.1 system displays the following cipher string:

ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2

  3. To restrict Configuration utility access to clients using RC4-SHA ciphers, type the following command:

modify /sys httpd ssl-ciphersuite 'RC4-SHA'

  4. Save the configuration change by typing the following command:

save /sys config

FirePass

  • None

Enterprise Manager

  • None

ARX

  • None

Supplemental Information

  • SOL8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profiles
  • SOL13171: Configuring the cipher strength for SSL profiles (11.x)
  • SOL7815: Configuring the cipher strength for SSL profiles (9.x - 10.x)
  • SOL13405: Restricting Configuration utility access to clients using high encryption SSL ciphers (11.x)
  • SOL13309: Restricting access to the Configuration utility by source IP address (11.x)
  • SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)
  • SOL11444: SSL ciphers supported on BIG-IP platforms (10.x)
  • SOL13156: SSL ciphers used in the default SSL profiles (11.x)
  • SOL10262: SSL ciphers used in the default SSL profiles (10.x)
  • SOL9677: BIG-IP LTM compliance with standard FIPS-197
  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents

Note: The following link takes you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge.

  • <http://vnhacker.blogspot.com/2011/09/beast.html>

Note: For more information about various TLS protocol level attacks and F5 recommendations for mitigating the attacks, refer to the following DevCentral article: