SOL93600123 - OpenSSL vulnerability CVE-2016-2107

Published: May 06, 2016 (2016-05-06 00:00:00)
Source: support.f5.com

CVSS2: 2.6 Low (AV:N/AC:H/Au:N/C:P/I:N/A:N)

  • Access Vector: NETWORK
  • Access Complexity: HIGH
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

EPSS: 0.973 High (Percentile 99.9%)

[2] IPsec is vulnerable only in phase 1 IKE (racoon), if configured to use AES-CBC.

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

BIG-IP

To mitigate this vulnerability, you should consider the following recommendations:

If SSL profiles are configured to use COMPAT ciphers, consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack. For information about the NATIVE and COMPAT ciphers, refer to the following articles:

  • SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)
  • SOL13171: Configuring the cipher strength for SSL profiles (11.x)
  • SOL13187: COMPAT SSL ciphers are no longer included in standard cipher strings

To mitigate this vulnerability for IPsec implementations, you should restrict access to the IPsec tunnel to minimize exposure, and/or consider using an IKE Phase 1 Algorithm other than AES to avoid the vulnerable code.

Impact of workaround: F5 recommends testing any such changes in an appropriate environment.

To minimize risk, restrict access to the management interface so that control-plane daemons are not exposed more widely than necessary.

To confirm support for AES-NI, on any running platform, perform the following procedure:

  1. Log in to the BIG-IP command line.
  2. Determine CPU support for AES-NI instructions by typing the following command:

cat /proc/cpuinfo | grep '^flags' | grep aes

If nothing is returned, the CPU does not support AES-NI, and is therefore not vulnerable.
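The same AES-NI check, wrapped as a reusable function that takes a cpuinfo-style file and reports a clear exit status (added example, not F5's own tooling; the sample cpuinfo contents below are constructed). It matches the aes flag as a whole word so that another flag that merely contains the substring "aes" is not counted.

```shell
#!/bin/sh
# Added example, not F5's own tooling: decide whether AES-NI is present from a
# /proc/cpuinfo-style file, i.e. whether the CVE-2016-2107 AES-NI CBC code path
# can be reached on this CPU at all. The "aes" flag is matched as a whole word
# so that another flag merely containing the substring "aes" is not counted.
# Usage: aesni_status [cpuinfo-file]    (defaults to /proc/cpuinfo)
# Returns 0 when AES-NI is present, 1 when it is absent, 2 if the file is unreadable.
aesni_status() {
    cpuinfo="${1:-/proc/cpuinfo}"
    [ -r "$cpuinfo" ] || { echo "aes-ni: cannot read $cpuinfo" >&2; return 2; }
    if grep '^flags' "$cpuinfo" | grep -Eq '[[:space:]]aes([[:space:]]|$)'; then
        echo "aes-ni: present  (AES-NI code path reachable; check the OpenSSL version)"
        return 0
    fi
    echo "aes-ni: absent   (AES-NI code path not used on this CPU)"
    return 1
}

# Demonstration on constructed sample files (not captured from a real platform).
demo_dir=$(mktemp -d)
printf 'processor\t: 0\nflags\t\t: fpu sse2 aes avx\n' > "$demo_dir/with_aes"
printf 'processor\t: 0\nflags\t\t: fpu sse2 vaes avx\n' > "$demo_dir/substring_only"
aesni_status "$demo_dir/with_aes"        # present
aesni_status "$demo_dir/substring_only"  # absent: "vaes" is not the "aes" flag
rm -rf "$demo_dir"
```

On a live system, call `aesni_status` with no argument to inspect /proc/cpuinfo directly.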

BIG-IQ/Enterprise Manager

To minimize risk, restrict access to the management interface so that control-plane daemons are not exposed more widely than necessary.

ARX

To mitigate this vulnerability, you should permit access to the ARX GUI only over a secure network.

LineRate

To mitigate this vulnerability, you can disable AES-NI processor support in the BIOS or hypervisor.

Impact of workaround: System performance will be negatively impacted by disabling this feature.

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL4602: Overview of the F5 security vulnerability response policy
  • SOL167: Downloading software and firmware from F5
  • SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
  • SOL9502: BIG-IP hotfix matrix
