CVSS2: 7.8 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
EPSS: 0.233 Low
Percentile: 96.1%
Recommended Action
If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.
F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.
To mitigate this vulnerability you can perform one or more of the following procedures, as appropriate, for your situation:
Reconfiguring SSH access
If you are unable to upgrade or apply a hotfix immediately, you can safely reconfigure the system by performing the following procedure:
Impact of recommended action: None. The SSH reconfiguration tool does not affect traffic flowing through the BIG-IP system. The change made by the Configuration utility takes effect immediately, and there is no need to restart any service, including SSH.
Important: Because the configuration error that creates this vulnerability would be reintroduced by reinstalling an affected software version, F5 regards this procedure as a temporary workaround and recommends that you upgrade to a release that contains the supported fix as soon as possible.
md5sum --check id379600-fix.gz.md5
The command should display the following output:
id379600-fix.gz: OK
Important: If the checksum verification fails, the id379600-fix.gz file was corrupted during transfer and must be downloaded again.
gunzip id379600-fix.gz
chmod +x id379600-fix
./id379600-fix
[!] ID379600 Livepatch
[+] ID379600 mitigated
Important: If the script produces any other output, open a case with F5 Technical Support, including any output that was displayed.
Important: The script patches only the current running slot. If there are other slots on the BIG-IP system that are installed with vulnerable versions, those slots will continue to be vulnerable until patched. Each slot must be patched individually.
Important: In the case of high availability systems, each member of a pair, cluster, or group must be patched individually by following the process above. The reconfigured system files will not be synced to a peer device.
You can further verify that your system has been successfully reconfigured by uploading a qkview file to BIG-IP iHealth. If the system has been successfully reconfigured, BIG-IP iHealth will list Heuristic H386652 on the Diagnostics > Identified > Low screen. If the system has not been successfully reconfigured, BIG-IP iHealth will list Heuristic H386652 on the Diagnostics > Identified > High screen.
Mitigating the risk of exploitation
In addition to upgrading or patching the system, you can mitigate the risk of this vulnerability by using any or all of the following approaches:
Important: A strong password policy or external authentication does not help mitigate the risk from this issue.
Recovering a compromised system
If you believe your system has been compromised, F5 recommends that you perform a clean installation of the system and re-build the configuration from scratch. This will ensure that the system does not contain any compromised configuration and/or exploits.
Important: F5 recommends that you do not use any existing UCS archives to re-build the configuration unless you have verified that the UCS archive does not contain compromised configuration.
If a compromised system is part of a BIG-IP GTM sync group, you should assume all members of the sync group have been compromised. To prevent propagating a compromised configuration across the sync group as you recover the individual affected systems, break the sync group by performing a clean installation of each member, re-build the configuration from scratch on one of the reinstalled systems, and re-add the remaining reinstalled systems to the sync group.
Note: You can use the gtm_add utility to re-add a system to the sync group. For information about the gtm_add utility, refer to SOL13312: Overview of the BIG-IP GTM big3d_install, bigip_add, and gtm_add utilities (11.x) and SOL8195: Overview of the BIG-IP GTM big3d_install, bigip_add, and gtm_add utilities (9.x - 10.x).
To perform a clean installation of the system, refer to the following articles, appropriate for your version:
Impact of recommended action: The system will be unavailable until the configuration is manually re-built.
Supplemental Information
Note: This link takes you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge.