SOL15159 - OpenSSL vulnerability CVE-2014-0160

2014-04-08T00:00:00
ID SOL15159
Type f5
Reporter f5
Modified 2015-02-16T00:00:00

Description

Important: For the hotfixes noted previously, the included version of OpenSSL has not been changed. F5 has patched the existing version of OpenSSL to resolve this vulnerability. As a result, on a patched BIG-IP system, the OpenSSL version is still OpenSSL 1.0.1e-fips. For more information about installed hotfix versions, refer to SOL13123: Managing BIG-IP product hotfixes (11.x).

BIG-IP Edge Client fixes

This issue has been fixed for BIG-IP Edge Clients for Windows, Mac OS, and Linux in BIG-IP APM 11.5.1 HF2, and 11.5.0 HF3. This issue has also been fixed for BIG-IP Edge Clients for Windows, Mac OS, and Linux in an engineering hotfix in other BIG-IP APM versions. You can obtain the engineering hotfix by contacting F5 Technical Support and referencing this article number and the associated ID number. Note that engineering hotfixes are intended to resolve a specific software issue until a suitable minor release, maintenance release, or cumulative hotfix rollup release is available that includes the software fix. For more information, refer to SOL8986: F5 software lifecycle policy.

Recommended action

You can eliminate this vulnerability by running a version listed in the Versions known to be not vulnerable column. If the Versions known to be not vulnerable column does not list a version that is higher than the version you are running, then no upgrade candidate currently exists.

Upgrading to a version known to be not vulnerable, or taking steps to mitigate this vulnerability, does not eliminate possible damage that may have already occurred as a result of this vulnerability. After upgrading to a version that is known to be not vulnerable, consider the following components that may have been compromised by this vulnerability:

SSL profile certificate/key pairs

The BIG-IP SSL profiles may reference SSL certificate/key pairs that were compromised. For information about creating new SSL certificate/key pairs for SSL profiles, refer to the following articles:

  • SOL14620: Managing SSL certificates for BIG-IP systems
  • SOL14534: Creating SSL certificates and keys with OpenSSL (11.x)

  • SOL13579: Generating new default certificate and key pairs for BIG-IP SSL profiles

BIG-IP device certificate/key pairs

The BIG-IP system may have a device certificate/key pair that was compromised. For information about creating new SSL certificate/key pairs, refer to the following articles:

  • SOL9114: Creating an SSL device certificate and key pair using OpenSSL
  • SOL7754: Renewing self-signed device certificates

Important: After you generate a new device certificate and private key pair, you will need to re-establish device trusts. In addition, the device certificates are used for GTM sync groups and Enterprise Manager monitoring. As a result, you will need to recreate the GTM sync groups and rediscover devices managed by Enterprise Manager.

CMI certificate/key pairs

The BIG-IP system may have a CMI certificate/key pair (used for device group communication and synchronization) that was compromised. To regenerate the CMI certificate/key pairs on devices in a device group, and rebuild the device trust, perform the following procedure:

Impact of procedure: F5 recommends that you perform this procedure during a maintenance window. This procedure causes the current device to lose connectivity with all other BIG-IP devices. Depending on the device group and traffic group configuration, the connectivity loss may result in an unintentional active-active condition that causes a traffic disruption. To prevent a standby device from going active, set the standby device in the device group to Force Offline before performing the procedure. Standby devices that were set to Force Offline should be set to Release Offline after performing the procedure.

  1. Log in to the Configuration utility.
  2. Navigate to Device Management > Device Trust > Local Domain.
  3. Click Reset Device Trust.
  4. Select the Generate new self-signed authority option.
  5. Click Update (or Next).
  6. Click Finished.

Repeat this procedure for each device in the device group.

After you complete the device trust reset on all devices, set up the device trust by performing the procedures described in the following articles:

  • SOL13649: Creating a device group using the Configuration utility
  • SOL13639: Creating a device group using the Traffic Management Shell
  • SOL13946: Troubleshooting ConfigSync and device service clustering issues (11.x)

The big3d process

The BIG-IP system may have a vulnerable version of the big3d process under the following conditions:

  • The BIG-IP GTM system is running 11.5.0 or 11.5.1.
  • The managed BIG-IP system is running a big3d process that was updated by an affected BIG-IP GTM system. For example, the big3d process included by default on a BIG-IP LTM system running 11.4.0 is not vulnerable by itself. However, if a BIG-IP GTM system running 11.5.0 or 11.5.1 installs big3d 11.5.0 on the BIG-IP LTM system, the BIG-IP LTM system becomes vulnerable due to the affected big3d process.
  • The Enterprise Manager system is running 3.1.1 HF1 or HF2.
  • The managed BIG-IP system is running a big3d process that was updated by an affected Enterprise Manager system. For example, the big3d process included by default on a BIG-IP LTM system running 11.4.0 is not vulnerable by itself. However, if an Enterprise Manager system running 3.1.1 HF1 or HF2 installs big3d on the BIG-IP LTM system, the BIG-IP LTM system becomes vulnerable due to the affected big3d process.

Affected big3d versions

The following big3d versions are affected by this vulnerability:

  • big3d version 11.5.0.0.0.221 for Linux

  • big3d version 11.5.0.1.0.227 for Linux

  • big3d version 11.5.1.0.0.110 for Linux

For information about checking the big3d version currently installed on the system and installing updated big3d versions on managed systems, refer to the following article:

  • SOL13703: Overview of big3d version management

BIG-IP maintenance and user passwords

The maintenance and user passwords used to access the BIG-IP system may have been compromised. For information about changing user passwords, refer to the following documentation:

  • SOL13121: Changing system maintenance account passwords (11.x)
  • BIG-IP TMOS: Concepts guide

Mitigating this vulnerability

To mitigate this vulnerability, you should consider the following recommendations:

  • Consider denying access to the Configuration utility and using only the command line and tmsh until the BIG-IP system is updated. If that is not possible, F5 recommends that you access the Configuration utility only over a secure network.
  • If SSL profiles are configured to use COMPAT ciphers, consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack. For information about the NATIVE and COMPAT ciphers, refer to the following articles:

    • SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)
    • SOL13171: Configuring the cipher strength for SSL profiles (11.x)
    • SOL13187: COMPAT SSL ciphers are no longer included in standard cipher strings
    • Virtual servers that do not use SSL profiles and pass SSL traffic through to the back-end web servers will not protect the back-end resource servers. When possible, you should protect back-end resources by using SSL profiles to terminate SSL. For more information about using iRules to protect the back-end servers, refer to the Supplemental Information section.

Supplemental Information

Important: The following DevCentral article contains additional information about using iRules to assist in mitigating this vulnerability when terminating TLS traffic on back-end servers. F5 does not officially support the iRules in the following article, and information in the article does not represent a fix for the vulnerability. * DevCentral article: OpenSSL HeartBleed, CVE-2014-0160 * SOL14783: Overview of the Client SSL profile (11.x) * SOL12463: Overview of F5 Edge products * SOL13757: BIG-IP Edge Client version matrix * SOL9970: Subscribing to email notifications regarding F5 products * SOL9957: Creating a custom RSS feed to view new and updated documents * SOL4602: Overview of the F5 security vulnerability response policy * SOL4918: Overview of the F5 critical issue hotfix policy * SOL167: Downloading software and firmware from F5 * SOL13123: Managing BIG-IP product hotfixes (11.x) * SOL10025: Managing BIG-IP product hotfixes (10.x) * SOL9502: BIG-IP hotfix matrix * SOL10322: FirePass hotfix matrix