SOL14741 - OpenSSH vulnerability CVE-2010-5107

2013-10-10 00:00:00
support.f5.com
CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

EPSS: 0.079 Low (Percentile: 93.5%)

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.

F5 recommends that you allow SSH access to the administrative port only from a secure network.

BIG-IP / BIG-IQ mitigation

To mitigate this vulnerability in the BIG-IP system and the BIG-IQ system, you can enable random early drop by way of the MaxStartups option of the **sshd** configuration on the BIG-IP system. The default configuration allows for 10 connections to be in an unauthenticated state. In this situation, a TCP connection has been established, but SSH is waiting for login credentials. This type of denial-of-service (DoS) attack ties up network services and prevents others from logging in using SSH.

Alternatively, you can enable random early drop by specifying the three colon-separated values start:rate:full. After the number of unauthenticated connections reaches the value specified by start, sshd will begin to refuse new connections at a percentage specified by rate. The proportional rate of refused connections then increases linearly as the limit specified by full is approached, until 100% is reached. At that point, all new attempts to connect are refused until the unauthenticated SSH session TCP connections time out.

For example, if MaxStartups were configured with the value 10:30:60, then after 10 connections pending authentication, sshd would begin to drop 30% of the new connections. If unauthenticated connections increase to 60, then 100% of the new connections are dropped until the backlog subsides.
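To see how a candidate start:rate:full value behaves between its two thresholds before applying it, the ramp can be tabulated. The following Python sketch is an added example, not code from F5 or OpenSSH; the function names are hypothetical, the validation rules are this example's own sanity checks, and the integer arithmetic models the linear increase described above.

```python
"""Model of the MaxStartups random early drop ramp (added example)."""


def parse_max_startups(value):
    """Parse 'start:rate:full' or a single integer into (start, rate, full)."""
    parts = value.strip().split(":")
    if len(parts) == 1:
        # A single number acts as a hard cap: no ramp, refuse everything at N.
        n = int(parts[0])
        start, rate, full = n, 100, n
    elif len(parts) == 3:
        start, rate, full = (int(p) for p in parts)
    else:
        raise ValueError("expected N or start:rate:full, got %r" % value)
    # Sanity checks chosen for this example (assumption, not quoted from sshd).
    if start < 1 or not 1 <= rate <= 100 or start > full:
        raise ValueError("illegal MaxStartups spec: %r" % value)
    return start, rate, full


def drop_percent(unauthenticated, start, rate, full):
    """Percentage of new connections refused at this backlog size."""
    if unauthenticated < start:
        return 0
    if unauthenticated >= full or rate == 100:
        return 100
    # Linear ramp from `rate` at `start` up to 100 at `full`, integer maths.
    return rate + (100 - rate) * (unauthenticated - start) // (full - start)


def ramp_table(value, step=10):
    """Rows of (backlog, drop %) from 0 up to `full` for a MaxStartups value."""
    start, rate, full = parse_max_startups(value)
    points = sorted(set(range(0, full + 1, step)) | {start - 1, start, full})
    return [(n, drop_percent(n, start, rate, full)) for n in points]


if __name__ == "__main__":
    # Constructed input: the 10:30:60 value used in the text above.
    for backlog, pct in ramp_table("10:30:60"):
        print("%3d unauthenticated -> %3d%% of new connections refused"
              % (backlog, pct))
```

With 10:30:60 the refusal rate is already 65% at 35 pending connections, so legitimate administrators start losing login attempts well before the full threshold is reached.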

To enable random early drop, perform the following procedure:

Impact of workaround: Increasing the number of allowed connections in an unauthenticated state will increase the amount of memory needed to maintain those TCP connections. Use care when increasing these numbers beyond the values quoted in the following procedure.

  1. Log in to the Traffic Management Shell (tmsh) by typing the following command:

tmsh

  2. Configure the MaxStartups option using the following command syntax:

modify /sys sshd include 'MaxStartups start:rate:full'

For example, set MaxStartups to 10:30:60 by typing the following command:

modify /sys sshd include 'MaxStartups 10:30:60'

  3. Save the change by typing the following command:

save /sys config

  4. Restart sshd by typing the following command:

restart /sys service sshd

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
  • SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
  • SOL10025: Managing BIG-IP product hotfixes (10.x)
  • SOL6845: Managing BIG-IP product hotfixes (9.x)
