F5 Networks BIG-IP : SLOTH: TLS 1.2 handshake vulnerability (K02201365) (SLOTH)
Medium Nessus Plugin ID 88703
SynopsisThe remote device is missing a vendor-supplied security patch.
DescriptionA flaw was found in the way TLS 1.2 uses RSA+MD5 signatures with Client Authentication and ServerKeyExchange messages during a TLS 1.2 handshakes. An attacker with a Man-in-the-Middle network position and the ability to force / observe the use of RSA+MD5 during a TLS Handshake, may be able to successfully generate a hash collision and impersonate a TLS client or server. The vulnerability of CVE-2015-7575 is relevant to cryptography software which supports TLS 1.2 only as earlier versions of TLS used different hash functionality in those protocols. (CVE-2015-7575)
SolutionUpgrade to one of the non-vulnerable versions listed in the F5 Solution K02201365.