SOL13607 - Hosts may generate weak RSA keys under low entropy conditions

2012-06-05T00:00:00
ID SOL13607
Type f5
Reporter f5
Modified 2016-07-25T00:00:00

Description

A recent study, linked in the Supplemental Information section, has revealed that when a system generates new RSA keys under low-entropy conditions, such as during the first system boot, the resulting keys may not be cryptographically strong.

During its first boot, the BIG-IP system generates several RSA keys for use in authenticating itself to peer devices and services.

The following key is generated during first system boot on all affected software versions, and may be susceptible to this issue:

  • The SSH host key

Additionally, beginning in BIG-IP 10.2.0, the following keys are generated during first system boot and may be susceptible to this issue:

  • The RSA key used for the management web server and for iQuery communication with other F5 systems
  • The clientssl and serverssl profile self-signed default public key
  • The BIND rndc private key (by default, this key is only used locally)

Note:Â In BIG-IP 9.0.0 through 10.1.0, these keys are generated as the BIG-IP software is installed, when the entropy of the system is higher, and F5 does not believe that the keys are susceptible to this issue.

All other keys that were generated on the BIG-IP system after the BIG-IP software is installed are created using sufficient entropy and are considered cryptographically strong.

Important: Keys that were generated by non-F5 devices and imported to the BIG-IP system are outside the scope of this article. Refer to your key provider for help in determining susceptibility.

Likelihood of exploitation

Low

Impact

An attacker could theoretically decrypt network traffic or impersonate your device.

Security Issue Status

F5 Product Development has assigned ID 379893, ID 386750, and ID 387444 to this vulnerability. To find out whether F5 has determined that your release is vulnerable, and to obtain information about releases or hotfixes that resolve the vulnerability, refer to the following table:

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature
---|---|---|---
BIG-IP LTM | 11.1.0 - 11.1.0-HF2
11.0.0 - 11.0.0
10.0.0 - 10.2.3
9.0.0 - 9.4.8
| 11.1.0-HF3 and later
10.2.4 and later

| Management web server
SSH access
BIND rndc
Default client SSL profile
Default server SSL profile

BIG-IP GTM | 11.1.0 - 11.1.0-HF2
11.0.0 - 11.0.0
10.0.0 - 10.2.3
9.0.0 - 9.4.8
| 11.1.0-HF3 and later
10.2.4 and later
| Management web server
SSH access
BIND rndc

BIG-IP ASM | 11.1.0 - 11.1.0-HF2
11.0.0 - 11.0.0
10.0.0 - 10.2.3
9.0.0 - 9.4.8
| 11.1.0-HF3 and later
10.2.4 and later
| Management web server
SSH access
BIND rndc
Default client SSL profile
Default server SSL profile

BIG-IP Link Controller | 11.1.0 - 11.1.0-HF2
11.0.0 - 11.0.0
10.0.0 - 10.2.3
9.0.0 - 9.4.8
| 11.1.0-HF3 and later
10.2.4 and later
| Management web server
SSH access
BIND rndc

BIG-IP WebAccelerator | 11.1.0 - 11.1.0-HF2
11.0.0 - 11.0.0
10.0.0 - 10.2.3
9.0.0 - 9.4.8
| 11.1.0-HF3 and later
10.2.4 and later
| Management web server
SSH access
BIND rndc
Default client SSL profile
Default server SSL profile

BIG-IP PSM | 11.1.0 - 11.1.0-HF2
11.0.0 - 11.0.0
10.0.0 - 10.2.3
9.0.0 - 9.4.8
| 11.1.0-HF3 and later
10.2.4 and later
| Management web server
SSH access
BIND rndc
Default client SSL profile
Default server SSL profile
BIG-IP WOM | 11.1.0 - 11.1.0-HF2
11.0.0 - 11.0.0
10.0.0 - 10.2.3

| 11.1.0-HF3 and later
10.2.4 and later
| Management web server
SSH access
BIND rndc
Default client SSL profile
Default server SSL profile

BIG-IP APM | 11.1.0 - 11.1.0-HF2
11.0.0 - 11.0.0
10.1.0 - 10.2.3
| 11.1.0-HF3 and later
10.2.4 and later
| Management web server
SSH access
BIND rndc
Default client SSL profile
Default server SSL profile
BIG-IP Edge Gateway
| 11.1.0 - 11.1.0-HF2
11.0.0 - 11.0.0
10.1.0 - 10.2.3
| 11.1.0-HF3 and later
10.2.4 and later
| Management web server
SSH access
BIND rndc
Default client SSL profile
Default server SSL profile
BIG-IP Analytics
| 11.1.0 - 11.1.0-HF2
11.0.0 - 11.0.0
| 11.1.0-HF3 and later | Management web server
SSH access

FirePass | None | 7.x
6.x
| None
Enterprise Manager | 2.x
1.x
| None
| Management web server
SSH access

ARX | None
| 6.x
5.x | None

Vulnerability Recommended Actions

Important: Upgrading to a version known to be not vulnerable does not eliminate the potential for this vulnerability. To eliminate this vulnerability on systems originally installed using a vulnerable version, you must regenerate any suspect keys.

To eliminate this vulnerability, generate new keys to replace any that may be affected. After the BIG-IP software is installed, there is sufficient entropy to generate cryptographically strong keys. Perform the following procedures as they apply to your situation:

  • Generate a new web server key if it the existing key was generated 2 or more years ago, or if it is a 1024 bit key. To do so, perform the procedures in SOL9114: Creating a new SSL device certificate and key pair.
  • Generate a new host key if the existing key has not been regenerated since the system was installed. To do so, perform the procedures in SOL13532: Regenerating SSH host keys.
  • Generate a new BIND rndc key if the existing key has not been regenerated since the system was installed. To do so, perform the procedures in SOL13485: Re-generating BIND rndc keys.
  • Avoid using the default key when creating Client SSL and Server SSL profiles. Alternatively, you can generate a new default key. To do so, perform the procedures in SOL13579: Generating new default certificate and key pairs for the Client SSL and Server SSL profiles.

In addition to regenerating any suspect keys, you can mitigate the risk of this vulnerability using any or all of the following approaches:

  • Limit administrative access to the management interface by ensuring the port lockdown feature is configured to disallow port 22 and port 443 for all self IP addresses. For more information, refer to SOL13250: Overview of port lockdown behavior (10.x - 11.x) or SOL7317: Overview of port lockdown behavior (9.x).
  • Expose the administrative interface only on trusted networks.
  • Implement appropriate external network filters, such as firewalling, to protect the administrative interface from unintended access.
  • Restrict SSH access to affected systems by configuring specific allowed IP address ranges. To do so, perform the procedures in SOL5380: Specifying allowable IP ranges for SSH access.