F5 Networks BIG-IP : OpenSSL vulnerability (K15356)

High Nessus Plugin ID 78180

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment. (CVE-2014-0195)

Impact

An attacker may be able to exploit an OpenSSL Datagram Transport Layer Security (DTLS) client or server by sending invalid DTLS fragments. As a result, the attacker may be able to run arbitrary code or cause a denial-of-service (DoS).

Server-side impact for F5 products

The server-side components are vulnerable in the event that an attacker is able to launch an attack from a client to an affected server component. BIG-IP 11.3.0 and earlier contains the following vulnerable server-side code :

COMPAT SSL ciphers Virtual servers using a ClientSSL profile configured to use ciphers from the COMPAT SSL stack are vulnerable to this attack. The BIG-IP ClientSSL profile enables the BIG-IP system to accept and terminate client requests that are sent using the SSL protocol. In this context, the BIG-IP system functions as an SSL server, handling incoming SSL traffic.

Note : NATIVE SSL ciphers on affected versions are not vulnerable.
However, some vulnerability scanners may generate false positive reports when run against BIG-IP virtual servers that are configured to use ciphers supported by the NATIVE SSL stack. This includes all ciphers enabled by the default cipher string.

Client-side impact for F5 products

The client-side components are vulnerable in the event that an attacker is able to launch an attack from a server to an affected client component. BIG-IP 11.5.1 and earlier contains the following vulnerable server-side code :

COMPAT SSL ciphers Virtual servers using a ServerSSL profile configured to use ciphers from the COMPAT SSL stack are vulnerable to this attack. The BIG-IP ServerSSL profile enables the BIG-IP system to initiate secure connections to SSL servers using the SSL protocol. In this context, the BIG-IP system functions as an SSL client, initiating outbound SSL traffic.

Host-initiated SSL connections An example here is when you use openssl s_client or configure a DTLS monitor to initiate SSL connections.

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K15356.

See Also

https://support.f5.com/csp/article/K15356

Plugin Details

Severity: High

ID: 78180

File Name: f5_bigip_SOL15356.nasl

Version: 1.13

Type: local

Published: 2014/10/10

Updated: 2019/05/09

Dependencies: 76940

Configuration: Enable paranoid mode

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_access_policy_manager, cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/a:f5:big-ip_application_security_manager, cpe:/a:f5:big-ip_application_visibility_and_reporting, cpe:/a:f5:big-ip_global_traffic_manager, cpe:/a:f5:big-ip_link_controller, cpe:/a:f5:big-ip_local_traffic_manager, cpe:/a:f5:big-ip_policy_enforcement_manager, cpe:/a:f5:big-ip_wan_optimization_manager, cpe:/a:f5:big-ip_webaccelerator, cpe:/h:f5:big-ip, cpe:/h:f5:big-ip_protocol_security_manager

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2014/08/13

Vulnerability Publication Date: 2014/06/05

Exploitable With

Core Impact

Reference Information

CVE: CVE-2014-0195

BID: 67900