Moderate
CVE-2020-5929
CVE-2020-5929
Description
In versions 13.0.0-13.0.0 HF2, 12.1.0-12.1.2 HF1, and 11.6.1-11.6.2, BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a Virtual Server configured with a Client SSL profile, and using Anonymous (ADH) or Ephemeral (DHE) Diffie-Hellman key exchange and Single DH use option not enabled in the options list may be vulnerable to crafted SSL/TLS Handshakes that may result with a PMS (Pre-Master Secret) that starts in a 0 byte and may lead to a recovery of plaintext messages as BIG-IP TLS/SSL ADH/DHE sends different error messages acting as an oracle. Similar error messages when PMS starts with 0 byte coupled with very precise timing measurement observation may also expose this vulnerability.
Add Assessment
Technical Analysis
BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a virtual server configured with a Client SSL profile, and using Anonymous Diffie-Hellman (ADH) or Ephemeral Diffie-Hellman (DHE) key exchange and Single DH use option not enabled in the options list may be vulnerable to crafted SSL/Transport Layer Security (TLS) handshakes that may result with a pre-master secret (PMS) that starts in a 0 byte and may lead to a recovery of plaintext messages as BIG-IP TLS/SSL ADH/DHE sends different error messages acting as an oracle. Differences in processing time when the PMS starts with 0 byte coupled with very precise timing measurement observation may also expose this vulnerability.
Thats a lot to take in …
A recent research study identified a timing attack against TLS that could be used to recover a shared secret that could then be used to recover plaintext of previously captured data.
In order to be successful outside of a testing environment, an attacker would need to intercept encrypted traffic and then send specially crafted TLS packets to a vulnerable server in the hopes of recovering enough data to decrypt the previously intercepted traffic.
Conditions
This vulnerability affects BIG-IP systems with virtual servers associated with a Client SSL profile under the following conditions:
You are using ADH or DHE key exchange in the Client SSL profile.
- Note: DHE is enabled by default in the DEFAULT cipher suite. ADH is not available in the DEFAULT cipher suite.
- Note: DHE is enabled by default in the DEFAULT cipher suite. ADH is not available in the DEFAULT cipher suite.
You have not enabled the Single Diffie-Hellman use option—or Single DH use option—in the Client SSL profile.
- Note: The Single DH use option is not enabled by default in the Client SSL profile options list.
- Note: The Single DH use option is not enabled by default in the Client SSL profile options list.
Your BIG-IP platform has a Cavium Nitrox SSL hardware acceleration card installed. Platforms with this installed include:
- BIG-IP i11400-DS, i11600-DS, i11800-DS
- BIG-IP 1600, 3600, 3900, 5000, 6900, 7000, 8900, 10000, 11000, 12000
- VIPRION 2100, 2150, 2250, 4100, 4200, 4300
- BIG-IP i11400-DS, i11600-DS, i11800-DS
Mitigations
F5 have released a set of mitigations that will prevent this attack on vulnerable server until they can be patched.
- Log in to the Configuration utility.
- Go to Local Traffic > Profiles > SSL > Client.
- Select the Client SSL profile.
- In the Configuration list, select Advanced.
- In the Options section, in the list, select Options List.
- In the Options List section, under Available Options, select Single DH use, and then select Enable.
- The Single DH Use option displays under Enabled Options.
- In Ciphers, in the text box, enter a cipher string that disables ADH or DHE, such as the following example:
!DHE:!ADH:ALL
- In Unclean Shutdown, select Enabled.
- At the bottom of the page, select Update.
CVSS V3 Severity and Metrics
General Information
Vendors
- f5
Products
- big-ip access policy manager,
- big-ip access policy manager 11.6.2,
- big-ip access policy manager 12.1.2,
- big-ip access policy manager 13.0.0,
- big-ip advanced firewall manager,
- big-ip advanced firewall manager 11.6.2,
- big-ip advanced firewall manager 12.1.2,
- big-ip advanced firewall manager 13.0.0,
- big-ip advanced web application firewall,
- big-ip advanced web application firewall 11.6.2,
- big-ip advanced web application firewall 12.1.2,
- big-ip advanced web application firewall 13.0.0,
- big-ip analytics,
- big-ip analytics 11.6.2,
- big-ip analytics 12.1.2,
- big-ip analytics 13.0.0,
- big-ip application acceleration manager,
- big-ip application acceleration manager 11.6.2,
- big-ip application acceleration manager 12.1.2,
- big-ip application acceleration manager 13.0.0,
- big-ip application security manager,
- big-ip application security manager 11.6.2,
- big-ip application security manager 12.1.2,
- big-ip application security manager 13.0.0,
- big-ip ddos hybrid defender,
- big-ip ddos hybrid defender 11.6.2,
- big-ip ddos hybrid defender 12.1.2,
- big-ip ddos hybrid defender 13.0.0,
- big-ip domain name system,
- big-ip domain name system 11.6.2,
- big-ip domain name system 12.1.2,
- big-ip domain name system 13.0.0,
- big-ip fraud protection service,
- big-ip fraud protection service 11.6.2,
- big-ip fraud protection service 12.1.2,
- big-ip fraud protection service 13.0.0,
- big-ip global traffic manager,
- big-ip global traffic manager 11.6.2,
- big-ip global traffic manager 12.1.2,
- big-ip global traffic manager 13.0.0,
- big-ip link controller,
- big-ip link controller 11.6.2,
- big-ip link controller 12.1.2,
- big-ip link controller 13.0.0,
- big-ip local traffic manager,
- big-ip local traffic manager 11.6.2,
- big-ip local traffic manager 12.1.2,
- big-ip local traffic manager 13.0.0,
- big-ip policy enforcement manager,
- big-ip policy enforcement manager 11.6.2,
- big-ip policy enforcement manager 12.1.2,
- big-ip policy enforcement manager 13.0.0,
- ssl orchestrator,
- ssl orchestrator 11.6.2,
- ssl orchestrator 12.1.2,
- ssl orchestrator 13.0.0
References
Miscellaneous
