SOL16674 - TLS vulnerability CVE-2015-4000

Note: As of February 17, 2015, AskF5 Security Advisory articles include theSeverityvalue. Security Advisory articles published before this date do not list aSeverity value.

Vulnerability Recommended Actions

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

BIG-IP

11.x

Client SSL profiles are not vulnerable in a default configuration. If you have configured custom Client SSL profiles, you can mitigate this vulnerability by configuring your Client SSL profile to exclude COMPAT, EXP, and EXPORT ciphers. To do so, refer to SOL13171: Configuring the cipher strength for SSL profiles (11.x).

BIG-IP systems configured with Server SSL profiles or HTTPS health monitors are vulnerable as a client, when using EXPORT or DHE cipher suites, when the backend server supports EXPORT ciphers. To mitigate this issue, disable the use of EXPORT and DHE cipher suites. Adding !EXPORT, !COMPAT, and !DHE to the cipher string that is in use will do this, however, if a custom cipher string is in use, it must disable the use of both export and non-export grade DHE to mitigate this issue.

BIG-IP systems configured for SSL Forward Proxy are vulnerable as a client, when using EXPORT or DHE cipher suites, when the backend server supports EXPORT ciphers. To mitigate this issue, disable the use of EXPORT and DHE cipher suites. Adding !EXPORT, !COMPAT, and !DHE to the cipher string that is in use will do this, however, if a custom cipher string is in use, it must disable the use of both export and non-export grade DHE to mitigate this issue.

10.x

Client SSL profiles are not vulnerable in a default configuration. If you have configured custom Client SSL profiles, you can mitigate this vulnerability by configuring your Client SSL profile to exclude COMPAT, EXP, and EXPORT ciphers. To do so, refer to SOL7815: Configuring the cipher strength for SSL profiles (9.x - 10.x).

BIG-IP systems configured with Server SSL profiles or HTTPS health monitors are vulnerable as a client, when using EXPORT or DHE cipher suites, when the backend server supports EXPORT ciphers. To mitigate this issue, disable the use of EXPORT and DHE cipher suites. Adding !EXPORT, !COMPAT, and !DHE to the cipher string that is in use will do this, however, if a custom cipher string is in use, it must disable the use of both export and non-export grade DHE to mitigate this issue.

To mitigate this vulnerability in the BIG-IP Configuration utility, you can modify the Apache server configuration to exclude EXP and EXPORT ciphers. For example, the default SSL cipher string in your configuration may appear similar to the following example:

ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

You can mitigate this vulnerability by excluding the EXPORT and EXP ciphers by using a string similar to the following example:

ALL:!ADH:!EXPORT:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2

For more information about restricting ciphers for Configuration utility access, refer to SOL6768: Restricting Configuration utility access to clients using high encryption SSL ciphers (9.x - 10.x).

Enterprise Manager

To mitigate this vulnerability in the Enterprise Manager Configuration utility, you can modify the Apache server configuration to exclude EXP and EXPORT ciphers. For example, the default SSL cipher string in your configuration may appear similar to the following example:

ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

You can mitigate this vulnerability by excluding the EXPORT and EXP ciphers by using a string similar to the following example:

ALL:!ADH:!EXPORT:!EXP:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2

For more information about restricting ciphers for Configuration utility access, refer to SOL6768: Restricting Configuration utility access to clients using high encryption SSL ciphers (9.x - 10.x).

ARX

To mitigate this vulnerability, you can disable EXPORT grade SSL ciphers, such as SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA and SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, in the ARX GUI.

Traffix SDC

Traffix SDC configurations are not vulnerable with default cipher settings. To mitigate this vulnerability, do not configure EXPORT grade ciphers in the SDC configuration.

Supplemental Information

• SOL9970: Subscribing to email notifications regarding F5 products
• SOL9957: Creating a custom RSS feed to view new and updated documents
• SOL4602: Overview of the F5 security vulnerability response policy
• SOL4918: Overview of the F5 critical issue hotfix policy
• SOL167: Downloading software and firmware from F5
• SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems