nessus | This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. | F5_BIGIP_SOL43570545.NASL
HistoryFeb 06, 2017 - 12:00 a.m.

F5 Networks BIG-IP : OpenSSL vulnerability (K43570545)

2017-02-06 00:00:00
This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker’s direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution K43570545.
#
# The text description of this plugin is (C) F5 Networks.
#

include("compat.inc");

# Registration branch: when `description` is set, the script only declares
# its metadata (id, CVE, advisory text, CVSS vectors, CPEs, dependencies)
# and exits before any check below runs.
if (description)
{
  script_id(96985);
  script_version("3.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/09");

  script_cve_id("CVE-2016-7055");

  script_name(english:"F5 Networks BIG-IP : OpenSSL vulnerability (K43570545)");
  # The summary states what is actually tested: the BIG-IP version. The
  # advisory text below describes a Broadwell-specific code path, but nothing
  # in this script looks at the CPU, so a finding means "version listed as
  # affected", not "vulnerable code path confirmed reachable".
  script_summary(english:"Checks the BIG-IP version.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote device is missing a vendor-supplied security patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that
handles input lengths divisible by, but longer than 256 bits. Analysis
suggests that attacks against RSA, DSA and DH private keys are
impossible. This is because the subroutine in question is not used in
operations with the private key itself and an input of the attacker's
direct choice. Otherwise the bug can manifest itself as transient
authentication and key negotiation failures or reproducible erroneous
outcome of public-key operations with specially crafted input. Among
EC algorithms only Brainpool P-512 curves are affected and one
presumably can attack ECDH key negotiation."
  );
  # References: the F5 article is the source of the version matrix used in
  # the check; the OpenSSL advisory is the upstream description of the bug.
  script_set_attribute(
    attribute:"see_also",
    value:"https://support.f5.com/csp/article/K43570545"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.openssl.org/news/secadv/20161110.txt"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade to one of the non-vulnerable versions listed in the F5
Solution K43570545."
  );
  # Both base vectors rate this as network-reachable, high attack complexity,
  # no authentication/privileges, with availability as the only impacted
  # property (C:N/I:N, A:P in v2 and A:H in v3). The temporal vectors record
  # an unproven exploit (E:U) and an official fix (RL:OF / RL:O).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # "local" plugin type: the result is derived from data already collected
  # from the host (see the required KB keys below), not from probing a
  # network service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  # One CPE per BIG-IP module covered by the version matrix, plus the
  # hardware platform CPE.
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");

  # NOTE(review): vuln_publication_date (2017/05/04) is later than both the
  # patch date and the plugin date below, and later than the date embedded in
  # the OpenSSL advisory URL above (20161110). Confirm which event this date
  # is meant to track before using it for exposure-window calculations.
  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/02/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/06");
  # Marks the plugin as generated; the header comment says the text and
  # package checks were extracted from the F5 solution article.
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"F5 Networks Local Security Checks");

  # The check reads these KB keys and declares f5_bigip_detect.nbin as a
  # dependency; presumably that plugin is what populates the Host/BIG-IP/*
  # entries -- verify. Without local checks enabled the plugin cannot produce
  # a result.
  script_dependencies("f5_bigip_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version");

  # Metadata only: stop here during registration.
  exit(0);
}


include("f5_func.inc");

# Preconditions: each audit() call below reports why the host cannot be
# assessed instead of letting the check continue on missing data.

# Local checks must have been enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# No recorded BIG-IP version is treated as "not a BIG-IP host".
version = get_kb_item("Host/BIG-IP/version");
if (!version)
  audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");

# The hotfix entry only has to exist (isnull test), so an empty value still
# passes; the modules entry must be non-empty.
if (isnull(get_kb_item("Host/BIG-IP/hotfix")))
  audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
if (!get_kb_item("Host/BIG-IP/modules"))
  audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");

# Solution identifier and per-module version matrix handed to
# bigip_is_affected() further down. Each module key maps to two lists,
# "affected" and "unaffected", whose entries are either a single version
# ("13.0.0") or what appears to be an inclusive low-high range
# ("12.1.0-12.1.2").
#
# NOTE(review): the two lists overlap for every module. For example
# "14.0.0-14.1.0.1" is listed as affected while "14.0.0-14.1.0" is listed as
# unaffected, "13.1.0-13.1.1" (affected) sits inside "13.0.1-13.1.1"
# (unaffected), and "13.0.0" (affected) sits inside "13.0.0-13.0.1"
# (unaffected). How bigip_is_affected() resolves a version that matches both
# lists is not visible in this file; confirm against f5_func.inc and the F5
# article before relying on a "not vulnerable" result for versions in those
# ranges. The unaffected lists also repeat entries (e.g. "11.4.0-11.6.3"),
# which suggests two advisory tables were merged when the plugin was
# generated.
sol = "K43570545";
vmatrix = make_array();

# AFM (Advanced Firewall Manager)
vmatrix["AFM"] = make_array();
vmatrix["AFM"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["AFM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3");

# AM (presumably Application Acceleration Manager, per the CPE list -- confirm)
vmatrix["AM"] = make_array();
vmatrix["AM"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["AM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3");

# APM (Access Policy Manager)
# NOTE(review): APM is the only module with four extra affected ranges
# ("14.0.0-14.1.0","13.0.0-13.1.0","12.0.0-12.1.3","11.2.1-11.6.3"); they
# overlap most of the unaffected list. Confirm this is intended for APM.
vmatrix["APM"] = make_array();
vmatrix["APM"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1","14.0.0-14.1.0","13.0.0-13.1.0","12.0.0-12.1.3","11.2.1-11.6.3");
vmatrix["APM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3","11.2.1");

# ASM (Application Security Manager)
vmatrix["ASM"] = make_array();
vmatrix["ASM"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["ASM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3","11.2.1");

# AVR (Application Visibility and Reporting)
vmatrix["AVR"] = make_array();
vmatrix["AVR"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["AVR"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3","11.2.1");

# LC (Link Controller)
vmatrix["LC"] = make_array();
vmatrix["LC"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["LC"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3","11.2.1");

# LTM (Local Traffic Manager)
vmatrix["LTM"] = make_array();
vmatrix["LTM"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["LTM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3","11.2.1");

# PEM (Policy Enforcement Manager)
# Unlike the other modules, the PEM unaffected list has no "11.2.1" entry.
vmatrix["PEM"] = make_array();
vmatrix["PEM"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["PEM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3");


# Evaluate the version matrix for this solution and either report the finding
# or record why the host was not flagged.
if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
{
  # Attach the detailed BIG-IP report only when verbosity is above zero.
  if (report_verbosity > 0)
  {
    security_note(port:0, extra:bigip_report_get());
  }
  else
  {
    security_note(0);
  }
  exit(0);
}
else
{
  # Not flagged: the audit trail names the modules that were tested, or says
  # that none of the affected modules is in use on this host.
  tested_modules = bigip_get_tested_modules();
  audit_prefix = "For BIG-IP module(s) " + tested_modules + ",";
  if (tested_modules)
  {
    audit(AUDIT_INST_VER_NOT_VULN, audit_prefix, version);
  }
  else
  {
    audit(AUDIT_HOST_NOT, "running any of the affected modules");
  }
}
Vendor | Product | Version | CPE
f5 | big-ip_access_policy_manager | | cpe:/a:f5:big-ip_access_policy_manager
f5 | big-ip_advanced_firewall_manager | | cpe:/a:f5:big-ip_advanced_firewall_manager
f5 | big-ip_application_acceleration_manager | | cpe:/a:f5:big-ip_application_acceleration_manager
f5 | big-ip_application_security_manager | | cpe:/a:f5:big-ip_application_security_manager
f5 | big-ip_application_visibility_and_reporting | | cpe:/a:f5:big-ip_application_visibility_and_reporting
f5 | big-ip_link_controller | | cpe:/a:f5:big-ip_link_controller
f5 | big-ip_local_traffic_manager | | cpe:/a:f5:big-ip_local_traffic_manager
f5 | big-ip_policy_enforcement_manager | | cpe:/a:f5:big-ip_policy_enforcement_manager
f5 | big-ip | | cpe:/h:f5:big-ip