SOL13600 - SSH vulnerability CVE-2012-1493

Published: June 06, 2012
Source: support.f5.com

CVSS2: 7.8 High (AV:N/AC:L/Au:N/C:C/I:N/A:N)

  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: NONE
  Availability Impact: NONE

EPSS: 0.233 Low (percentile 96.1%)

Recommended Action

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.

To mitigate this vulnerability you can perform one or more of the following procedures, as appropriate, for your situation:

  • Reconfiguring SSH access
  • Mitigating the risk of exploitation
  • Recovering a compromised system

Reconfiguring SSH access

If you are unable to upgrade or apply a hotfix immediately, you can safely reconfigure the system by performing the following procedure:

Impact of recommended action: None. The SSH reconfiguration tool does not affect traffic flowing through the BIG-IP system. The change made by the Configuration utility takes effect immediately, and there is no need to restart any service, including SSH.

Important: Because the configuration error that creates this vulnerability would be reintroduced by reinstalling an affected software version, F5 regards this procedure as a temporary workaround and recommends that you upgrade to a release that contains the supported fix as soon as possible.

  1. From an Internet connected workstation, browse to https://downloads.f5.com/.
  2. Click Find a Download.
  3. From the BIG-IP Product Family list, select the BIG-IP product line.
  4. From the resulting list, select the product container named ID379600.
  5. If the End User Software License agreement appears, accept it.
  6. Download the id379600-fix.gz binary, the id379600-fix.gz.md5 checksum file, and optionally, the id379600-fix.README file.
  7. Upload the files to a working directory, such as /var/tmp, on the affected BIG-IP/VIPRION system. For more information about uploading files to a BIG-IP system, refer to SOL175: Transferring files to or from an F5 system.
  8. Log in to the BIG-IP/VIPRION command line as root (or any other user with Advanced Shell access and Role set to Administrator).
  9. Change to the directory where you uploaded the files.
  10. Verify the checksum of the downloaded file by typing the following command:

md5sum --check id379600-fix.gz.md5

The command should display the following output:

id379600-fix.gz: OK

Important: If the checksum verification fails, the id379600-fix.gz file was corrupted during transfer and must be downloaded again. Do not unzip or run a file that failed verification.

  11. Unzip the id379600-fix.gz file by typing the following command:

gunzip id379600-fix.gz

  12. Set permissions on the unzipped binary file by typing the following command:

chmod +x id379600-fix

  13. Run the utility by typing the following command:

./id379600-fix

  14. Once the system has been successfully reconfigured, the script displays the following output:

[!] ID379600 Livepatch
[+] ID379600 mitigated

Important: If the script produces any other output, open a case with F5 Technical Support, including any output that was displayed.

Important: The script patches only the current running slot. If there are other slots on the BIG-IP system that are installed with vulnerable versions, that slot will continue to be vulnerable until patched. Each slot must be patched individually.

Important: In the case of high availability systems, each member of a pair, cluster, or group must be patched individually by following the process above. The reconfigured system files will not be synced to a peer device.

You can further verify that your system has been successfully reconfigured by uploading a qkview file to BIG-IP iHealth. If the system has been successfully reconfigured, BIG-IP iHealth lists Heuristic H386652 on the Diagnostics > Identified > Low screen. If the system has not been successfully reconfigured, BIG-IP iHealth lists Heuristic H386652 on the Diagnostics > Identified > High screen.
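The download-verify-run procedure above, as an added shell script that is not F5's id379600-fix utility and not part of the original article. It refuses to unzip or execute the binary unless the .md5 file verifies, and treats any run output that lacks the "mitigated" line as a failure to report to F5 Support. It assumes GNU md5sum and gunzip as found on BIG-IP, that id379600-fix.gz and id379600-fix.gz.md5 were uploaded to the same working directory, and that the .md5 file names the archive by bare file name (the format md5sum --check expects). The --apply flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example (editor's script, not F5's utility): verify, then unpack and
# run id379600-fix, never executing a binary whose checksum did not verify.
# POSIX sh; variables are deliberately global because sh has no "local".

# verify_fix_checksum ARCHIVE CHECKSUM_FILE
# Returns 0 only if the .md5 names ARCHIVE and md5sum confirms its digest.
verify_fix_checksum() {
    archive="$1"
    sums="$2"
    [ -f "$archive" ] && [ -f "$sums" ] || return 1
    base=$(basename "$archive")
    dir=$(dirname "$archive")
    sums_base=$(basename "$sums")
    # The .md5 must list this archive; otherwise md5sum would check another file.
    grep -q "[ *]$base\$" "$sums" || return 1
    # md5sum resolves the listed name relative to its cwd (assumption: the .md5
    # sits beside the archive, as in the upload step), so run it in that dir.
    (cd "$dir" && md5sum --check "$sums_base") || return 1
}

# apply_fix ARCHIVE
# Unpacks an already-verified archive, runs the utility and returns 0 only
# when its output contains the line the article says a successful run prints.
apply_fix() {
    archive="$1"
    bin="${archive%.gz}"
    case "$bin" in */*) ;; *) bin="./$bin" ;; esac   # never resolve via PATH
    gunzip -f "$archive" || return 1
    chmod +x "$bin" || return 1
    out=$("$bin" 2>&1)
    printf '%s\n' "$out"
    case "$out" in
        *"[+] ID379600 mitigated"*) return 0 ;;
        *) echo "Unexpected output: open a case with F5 Technical Support and include it." >&2
           return 1 ;;
    esac
}

# stage_and_apply WORKDIR
# The whole procedure for one slot: verify first, apply only on success.
stage_and_apply() {
    workdir="${1:-/var/tmp}"
    archive="$workdir/id379600-fix.gz"
    if ! verify_fix_checksum "$archive" "$archive.md5"; then
        echo "Checksum verification failed: download id379600-fix.gz again." >&2
        return 1
    fi
    apply_fix "$archive"
}

# Usage on the affected BIG-IP, after uploading both files to /var/tmp:
#   sh apply_id379600.sh --apply /var/tmp
# Run it once per installed slot and once per HA peer (see the notes above).
if [ "${1:-}" = "--apply" ]; then
    stage_and_apply "${2:-/var/tmp}"
fi
```

The checksum only proves the file survived transfer intact; it says nothing about where it came from, so still fetch it from downloads.f5.com over HTTPS as the procedure directs.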

Mitigating the risk of exploitation

In addition to upgrading or patching the system, you can mitigate the risk of this vulnerability by using any or all of the following approaches:

  • Limit SSH administrative access to the management interface by ensuring that the port lockdown feature is configured to disallow port 22 for all self IP addresses. For more information, refer to SOL13250: Overview of port lockdown behavior (10.x - 11.x) or SOL7317: Overview of port lockdown behavior (9.x).
  • Expose the management interface on only trusted networks.
  • Implement appropriate external network filters, such as firewalling, to protect the management interface from unintended access.
  • Restrict SSH access to affected systems by configuring specific allowed IP address ranges. To do so, follow the procedures in SOL5380: Specifying allowable IP ranges for SSH access.

Important: A strong password policy or external authentication does not help mitigate the risk from this issue.
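The port lockdown check from the first bullet above, as an added example that is not part of the original article: an audit over `tmsh list /net self` output that flags every self IP whose allow-service setting still admits TCP port 22, whether through `all`, the `default` lockdown list (which includes port 22), or an explicit `tcp:ssh` / `tcp:22` entry. The sample tmsh output is constructed for this example, the block layout it parses is the editor's assumption about the 11.x tmsh list format, and the suggested `tmsh modify` commands are the editor's, not from the article.

```shell
#!/bin/sh
# Added example (editor's audit script, not part of SOL13600): find self IPs
# that still allow SSH and print the port lockdown command that closes them.

# Constructed sample of "tmsh list /net self" output (assumed 11.x layout).
SAMPLE_TMSH_LIST='net self internal_self {
    address 10.10.10.5/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan internal
}
net self external_self {
    address 192.0.2.5/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan external
}
net self ha_self {
    address 10.20.20.5/24
    allow-service {
        tcp:ssh
        tcp:https
    }
    traffic-group traffic-group-local-only
    vlan ha
}
net self lab_self {
    address 10.30.30.5/24
    allow-service all
    traffic-group traffic-group-local-only
    vlan lab
}'

# audit_self_ip_ssh < tmsh-list-output
# Prints one EXPOSED line per self IP that admits tcp/22 and a fix line for
# it; exits 1 if any was found, 0 if every self IP has port 22 locked down.
# A self IP with no allow-service line is treated as "none" (assumption).
audit_self_ip_ssh() {
    awk '
    function verdict(name, addr, svc,    why) {
        why = ""
        if (svc ~ /(^| )all( |$)/)               why = "allow-service all"
        else if (svc ~ /(^| )default( |$)/)      why = "default port lockdown (includes tcp/22)"
        else if (svc ~ /(^| )tcp:(ssh|22)( |$)/) why = "tcp/22 allowed explicitly"
        if (why != "") {
            printf "EXPOSED %s %s: %s\n", name, addr, why
            printf "  fix: tmsh modify /net self %s allow-service none\n", name
            exposed++
        }
    }
    $1 == "net" && $2 == "self"        { name = $3; addr = "?"; svc = ""; inblk = 0; next }
    $1 == "address"                    { addr = $2; next }
    $1 == "allow-service" && $2 == "{" { inblk = 1; next }   # multi-line service list
    $1 == "allow-service"              { svc = $2; next }    # all | none
    inblk && $1 == "}"                 { inblk = 0; next }
    inblk                              { svc = svc " " $1; next }
    $1 == "}" && name != ""            { verdict(name, addr, svc); name = "" }
    END { exit exposed ? 1 : 0 }
    '
}

# Usage on a BIG-IP (assumes tmsh is available from the Advanced Shell):
#   tmsh list /net self | sh audit_ssh_lockdown.sh --stdin
# After closing port 22 on the self IPs, also restrict the management-side
# sources, e.g. (tmsh syntax per the editor, not this article):
#   tmsh modify /sys sshd allow replace-all-with { 10.0.0.0/8 }
case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE_TMSH_LIST" | audit_self_ip_ssh ;;
    --stdin) audit_self_ip_ssh ;;
esac
```

Closing port 22 on every self IP forces SSH onto the management interface only, which is what the port lockdown bullet above asks for; it does not remove the vulnerable configuration itself, so the patch or upgrade is still required.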

Recovering a compromised system

If you believe your system has been compromised, F5 recommends that you perform a clean installation of the system and re-build the configuration from scratch. This will ensure that the system does not contain any compromised configuration and/or exploits.

Important: F5 recommends that you do not use any existing UCS archives to re-build the configuration unless you have verified that the UCS archive does not contain compromised configuration.

If a compromised system is part of a BIG-IP GTM sync group, you should assume all members of the sync group have been compromised. To prevent propagating a compromised configuration across the sync group as you recover the individual affected systems, break the sync group by performing a clean installation of each member, re-build the configuration from scratch on one of the reinstalled systems, and re-add the remaining reinstalled systems to the sync group.

Note: You can use the gtm_add utility to re-add a system to the sync group. For information about the gtm_add utility, refer to SOL13312: Overview of the BIG-IP GTM big3d_install, bigip_add, and gtm_add utilities (11.x) and SOL8195: Overview of the BIG-IP GTM big3d_install, bigip_add, and gtm_add utilities (9.x - 10.x).

To perform a clean installation of the system, refer to the following articles, appropriate for your version:

Impact of recommended action: The system will be unavailable until the configuration is manually re-built.

  • SOL13117: Performing a clean installation of BIG-IP 11.x or Enterprise Manager 3.x
  • SOL10819: Performing a clean installation of BIG-IP version 10.x or Enterprise Manager 2.x
  • SOL9447: Choosing an installation method for BIG-IP version 9.x

Supplemental Information

Note: This link takes you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge.

  • SOL13092: Overview: Securing access to the BIG-IP system
  • SOL13127: Restoring the BIG-IP configuration to factory default settings (11.x)
  • SOL10519: Restoring the BIG-IP configuration to factory default settings (10.x)
  • SOL7550: Restoring the BIG-IP configuration to factory default settings (9.3.x - 9.4.x)
  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4602: Overview of the F5 security vulnerability response policy
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
