sol15159: OpenSSL vulnerability CVE-2014-0160
Security Advisory

Original Publication Date: 04/08/2014
Updated Date: 06/27/2014

Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. (CVE-2014-0160)
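The over-read is a missing length check, and the check that closes it is small. The following C program is an added example, not code from F5 or from OpenSSL: it parses a Heartbeat message body with the layout defined in RFC 6520 (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding) and applies the same comparison that the OpenSSL 1.0.1g fix introduced, rejecting any message whose claimed payload length plus header and padding exceeds the number of bytes that actually arrived. The function names (heartbeat_parse, heartbeat_build_response, heartbeat_handle) and the sample records are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not F5 or OpenSSL code): a bounds-checked parser for a
 * TLS Heartbeat message body. Field layout per RFC 6520:
 *   1 byte  HeartbeatMessageType (1 = request, 2 = response)
 *   2 bytes payload_length (big-endian)
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HEADER   3

/* Parsed view of a heartbeat message; payload points into the caller's record. */
struct heartbeat {
    uint8_t type;
    uint16_t payload_len;
    const uint8_t *payload;
};

/* Returns 0 on success and fills *hb; returns -1 (and leaves *hb untouched)
 * when the message must be dropped silently. The comparison against rec_len
 * is the check that was missing in OpenSSL 1.0.1 through 1.0.1f: without it
 * the claimed payload_len (up to 65535) was trusted and that many bytes were
 * copied out of process memory regardless of how many had actually arrived. */
int heartbeat_parse(const uint8_t *rec, size_t rec_len, struct heartbeat *hb)
{
    if (rec_len < HB_HEADER + HB_PADDING)                 /* too short to be valid */
        return -1;
    uint16_t plen = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + plen + HB_PADDING > rec_len)  /* claimed length exceeds record */
        return -1;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return -1;
    hb->type = rec[0];
    hb->payload_len = plen;
    hb->payload = rec + HB_HEADER;
    return 0;
}

/* Builds the response a well-behaved peer sends: the same payload echoed back,
 * followed by padding. Returns the number of bytes written, or -1 if the output
 * buffer is too small. Padding is zeroed only because this is an offline
 * example; a real implementation fills it with random bytes. */
int heartbeat_build_response(const struct heartbeat *hb, uint8_t *out, size_t out_len)
{
    size_t need = (size_t)HB_HEADER + hb->payload_len + HB_PADDING;
    if (out_len < need)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(hb->payload_len >> 8);
    out[2] = (uint8_t)(hb->payload_len & 0xff);
    memcpy(out + HB_HEADER, hb->payload, hb->payload_len);  /* bounded by heartbeat_parse */
    memset(out + HB_HEADER + hb->payload_len, 0, HB_PADDING);
    return (int)need;
}

/* Parse a record and produce the response: returns the response length for a
 * well-formed record, or -1 if the record is rejected. */
int heartbeat_handle(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    struct heartbeat hb;
    if (heartbeat_parse(rec, rec_len, &hb) != 0)
        return -1;
    return heartbeat_build_response(&hb, out, out_len);
}

int main(void)
{
    uint8_t out[128];
    /* Constructed well-formed request: type 1, payload_length 4, "ping", 16 bytes of padding. */
    uint8_t good[3 + 4 + 16] = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    /* Constructed malformed request: claims 65535 payload bytes but carries only 4. */
    uint8_t bad[3 + 4 + 16]  = { 1, 0xff, 0xff, 'p', 'i', 'n', 'g' };
    printf("good: %d\n", heartbeat_handle(good, sizeof good, out, sizeof out)); /* 23 */
    printf("bad:  %d\n", heartbeat_handle(bad, sizeof bad, out, sizeof out));   /* -1 */
    return 0;
}
```

A record that claims 65535 payload bytes but carries four is dropped before any copy takes place, while a well-formed four-byte request yields a 23-byte response. The same condition, a heartbeat whose declared payload length is larger than the record that carries it, is what network detection signatures for this bug look for.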

Impact

A malicious user can exploit vulnerable systems and retrieve information from memory. This information may potentially include user credentials or the private keys used for Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS). For information about vulnerable components or features, refer to the following list:

  • Virtual servers using an SSL profile configured with the default Native SSL ciphers are not vulnerable. Only virtual servers using an SSL profile configured to use ciphers from the COMPAT SSL stack are vulnerable in BIG-IP 11.5.0 and 11.5.1. In addition, virtual servers that do not use SSL profiles and pass SSL traffic to the back-end web servers will not protect the back-end resource servers.
  • The Configuration utility and other services, such as iControl, are vulnerable.
  • The big3d process included with BIG-IP GTM 11.5.0 and 11.5.1 is vulnerable. In addition, monitored BIG-IP systems whose big3d process was updated by an affected BIG-IP GTM system are also vulnerable.
  • The big3d process included with Enterprise Manager 3.1.1 HF1 - HF2 is vulnerable. In addition, monitored BIG-IP systems whose big3d process was updated by an affected Enterprise Manager system are also vulnerable.
  • The BIG-IP Edge Client for Android is not vulnerable. However, the BIG-IP Edge Client for Windows, Mac OS, and Linux is vulnerable. An attacker can retrieve sensitive information by using the stated vulnerability in the following scenarios:

    • User is tricked into connecting to any malicious SSL server.
    • User connects to a compromised FirePass or BIG-IP APM system.

Status

F5 Product Development has assigned ID 456033 (BIG-IP), ID 456302 (BIG-IP Edge Client for Windows, Mac OS, and Linux), and ID 456345 (BIG-IP Edge Client for Apple iOS) to this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H456276 on the Diagnostics > Identified > Low|High screen.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature
BIG-IP LTM | 11.5.0 - 11.5.1 | 11.5.1 HF1 - HF2; 11.5.0 HF2 - HF3; 11.0.0 - 11.4.1; 10.0.0 - 10.2.4 | Configuration utility, big3d, COMPAT SSL ciphers
BIG-IP AAM | 11.5.0 - 11.5.1 | 11.5.1 HF1 - HF2; 11.5.0 HF2 - HF3; 11.4.0 - 11.4.1 | Configuration utility, big3d, COMPAT SSL ciphers
BIG-IP AFM | 11.5.0 - 11.5.1 | 11.5.1 HF1 - HF2; 11.5.0 HF2 - HF3; 11.3.0 - 11.4.1 | Configuration utility, big3d, COMPAT SSL ciphers
BIG-IP Analytics | 11.5.0 - 11.5.1 | 11.5.1 HF1 - HF2; 11.5.0 HF2 - HF3; 11.0.0 - 11.4.1 | Configuration utility, big3d, COMPAT SSL ciphers
BIG-IP APM | 11.5.0 - 11.5.1 | 11.5.1 HF1 - HF2; 11.5.0 HF2 - HF3; 11.0.0 - 11.4.1; 10.1.0 - 10.2.4 | Configuration utility, big3d, COMPAT SSL ciphers
BIG-IP ASM | 11.5.0 - 11.5.1 | 11.5.1 HF1 - HF2; 11.5.0 HF2 - HF3; 11.0.0 - 11.4.1; 10.0.0 - 10.2.4 | Configuration utility, big3d, COMPAT SSL ciphers
BIG-IP Edge Gateway | None | 11.0.0 - 11.3.0; 10.1.0 - 10.2.4 | None
BIG-IP GTM | 11.5.0 - 11.5.1 | 11.5.1 HF1 - HF2; 11.5.0 HF2 - HF3; 11.0.0 - 11.4.1; 10.0.0 - 10.2.4 | Configuration utility, big3d, COMPAT SSL ciphers
BIG-IP Link Controller | 11.5.0 - 11.5.1 | 11.5.1 HF1 - HF2; 11.5.0 HF2 - HF3; 11.0.0 - 11.4.1; 10.0.0 - 10.2.4 | Configuration utility, big3d, COMPAT SSL ciphers
BIG-IP PEM | 11.5.0 - 11.5.1 | 11.3.0 - 11.4.1 | Configuration utility, big3d, COMPAT SSL ciphers
BIG-IP PSM | None | 11.0.0 - 11.4.1; 10.0.0 - 10.2.4 | None
BIG-IP WebAccelerator | None | 11.0.0 - 11.3.0; 10.0.0 - 10.2.4 | None
BIG-IP WOM | None | 11.0.0 - 11.3.0; 10.0.0 - 10.2.4 | None
ARX | None | 6.0.0 - 6.4.0 | None
Enterprise Manager | 3.1.1 HF1 - HF2 | 3.0.0 - 3.1.1; 2.1.0 - 2.3.0 | big3d
FirePass | None | 7.0.0; 6.0.0 - 6.1.0 | None
BIG-IQ Cloud | None | 4.0.0 - 4.3.0 | None
BIG-IQ Device | None | 4.2.0 - 4.3.0 | None
BIG-IQ Security | None | 4.0.0 - 4.3.0 | None
FirePass Clients | None | 5520 - 6032 | None
BIG-IP Edge Portal for iOS | None | 1.0.0 - 1.0.3 | None
BIG-IP Edge Portal for Android | None | 1.0.0 - 1.0.2 | None
BIG-IP Edge Clients for Android | None | 2.0.3 - 2.0.4 | None
BIG-IP Edge Clients for Apple iOS | 2.0.0 - 2.0.1; 1.0.5 - 1.0.6 | 2.0.2; 1.0.0 - 1.0.4 | VPN
BIG-IP Edge Clients for Linux | 7080.* - 7080.2014.408.*; 7090.* - 7090.2014.407.*; 7091.* - 7091.2014.408.*; 7100.* - 7100.2014.408.*; 7101.* - 7101.2014.407.* | 6035 - 7071; 7080.2014.409.*; 7090.2014.408.*; 7091.2014.409.*; 7100.2014.409.* (11.5.0 HF3); 7101.2014.408.* (11.5.1 HF2) | VPN
BIG-IP Edge Clients for MAC OS X | 7080.* - 7080.2014.408.*; 7090.* - 7090.2014.407.*; 7091.* - 7091.2014.408.*; 7100.* - 7100.2014.408.*; 7101.* - 7101.2014.407.* | 6035 - 7071; 7080.2014.409.*; 7090.2014.408.*; 7091.2014.409.*; 7100.2014.409.* (11.5.0 HF3); 7101.2014.408.* (11.5.1 HF2) | VPN
BIG-IP Edge Clients for Windows | 7080.* - 7080.2014.408.*; 7090.* - 7090.2014.407.*; 7091.* - 7091.2014.408.*; 7100.* - 7100.2014.408.*; 7101.* - 7101.2014.407.* | 6035 - 7071; 7080.2014.409.*; 7090.2014.408.*; 7091.2014.409.*; 7100.2014.409.* (11.5.0 HF3); 7101.2014.408.* (11.5.1 HF2) | VPN
LineRate | None | 2.2.0 | None

Important: For the hotfixes noted above, the included version of OpenSSL has not been changed. F5 has patched the existing version of OpenSSL to resolve this vulnerability. As a result, on a patched BIG-IP system, the OpenSSL version is still OpenSSL 1.0.1e-fips. For more information about installed hotfix versions, refer to SOL13123: Managing BIG-IP product hotfixes (11.x).

BIG-IP Edge Client fixes

This issue has been fixed for BIG-IP Edge Clients for Windows, Mac OS, and Linux in BIG-IP APM 11.5.1 HF2, and 11.5.0 HF3. This issue has also been fixed for BIG-IP Edge Clients for Windows, Mac OS, and Linux in an engineering hotfix in other BIG-IP APM versions. You can obtain the engineering hotfix by contacting F5 Technical Support and referencing this article number and the associated ID number. Note that engineering hotfixes are intended to resolve a specific software issue until a suitable minor release, maintenance release, or cumulative hotfix rollup release is available that includes the software fix. For more information, refer to SOL8986: F5 software lifecycle policy.

Recommended action

You can eliminate this vulnerability by running a version listed in the Versions known to be not vulnerable column. If the Versions known to be not vulnerable column does not list a version that is higher than the version you are running, then no upgrade candidate currently exists.

Upgrading to a version known to be not vulnerable, or taking steps to mitigate this vulnerability, does not eliminate possible damage that may have already occurred as a result of this vulnerability. After upgrading to a version that is known to be not vulnerable, consider the following components that may have been compromised by this vulnerability:

SSL profile certificate/key pairs

The BIG-IP SSL profiles may reference SSL certificate/key pairs that were compromised. For information about creating new SSL certificate/key pairs for SSL profiles, refer to the following articles:

BIG-IP device certificate/key pairs

The BIG-IP system may have a device certificate/key pair that was compromised. For information about creating new SSL certificate/key pairs, refer to the following articles:

Important: After you generate a new device certificate and private key pair, you will need to re-establish device trusts. In addition, the device certificates are used for GTM sync groups and Enterprise Manager monitoring. As a result, you will need to recreate the GTM sync groups and rediscover devices managed by Enterprise Manager.

CMI certificate/key pairs

The BIG-IP system may have a CMI certificate/key pair (used for device group communication and synchronization) that was compromised. To regenerate the CMI certificate/key pairs on devices in a device group, and rebuild the device trust, perform the following procedure:

Impact of procedure: F5 recommends that you perform this procedure during a maintenance window. This procedure causes the current device to lose connectivity with all other BIG-IP devices. Depending on the device group and traffic group configuration, the connectivity loss may result in an unintentional active-active condition that causes a traffic disruption. To prevent a standby device from going active, set the standby device in the device group to Force Offline before performing the procedure. Standby devices that were set to Force Offline should be set to Release Offline after performing the procedure.

  1. Log in to the Configuration utility.
  2. Navigate to Device Management > Device Trust > Local Domain.
  3. Click Reset Device Trust.
  4. Select the Generate new self-signed authority option.
  5. Click Update (or Next).
  6. Click Finished.

Repeat this procedure for each device in the device group.

After you complete the device trust reset on all devices, set up the device trust by performing the procedures described in the following articles:

The big3d process

The BIG-IP system may have a vulnerable version of the big3d process under the following conditions:

  • The BIG-IP GTM system is running 11.5.0 or 11.5.1.
  • The managed BIG-IP system is running a big3d process that was updated by an affected BIG-IP GTM system. For example, the big3d process included by default on a BIG-IP LTM system running 11.4.0 is not vulnerable by itself. However, if a BIG-IP GTM system running 11.5.0 or 11.5.1 installs big3d 11.5.0 on the BIG-IP LTM system, the BIG-IP LTM system becomes vulnerable due to the affected big3d process.
  • The Enterprise Manager system is running 3.1.1 HF1 or HF2.
  • The managed BIG-IP system is running a big3d process that was updated by an affected Enterprise Manager system. For example, the big3d process included by default on a BIG-IP LTM system running 11.4.0 is not vulnerable by itself. However, if an Enterprise Manager system running 3.1.1 HF1 or HF2 installs big3d on the BIG-IP LTM system, the BIG-IP LTM system becomes vulnerable due to the affected big3d process.

Affected big3d versions

The following big3d versions are affected by this vulnerability:

  • big3d version 11.5.0.0.0.221 for Linux
  • big3d version 11.5.0.1.0.227 for Linux
  • big3d version 11.5.1.0.0.110 for Linux

For information about checking the big3d version currently installed on the system and installing updated big3d versions on managed systems, refer to the following article:

BIG-IP maintenance and user passwords

The maintenance and user passwords used to access the BIG-IP system may have been compromised. For information about changing user passwords, refer to the following documentation:

Mitigating this vulnerability

To mitigate this vulnerability, you should consider the following recommendations:

Supplemental Information