Attacker Value: Moderate (1 user assessed)
Exploitability: Very Low (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2020-5929

Disclosure Date: September 25, 2020

Description

In versions 13.0.0-13.0.0 HF2, 12.1.0-12.1.2 HF1, and 11.6.1-11.6.2, BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a Virtual Server configured with a Client SSL profile, and using Anonymous (ADH) or Ephemeral (DHE) Diffie-Hellman key exchange and Single DH use option not enabled in the options list may be vulnerable to crafted SSL/TLS Handshakes that may result with a PMS (Pre-Master Secret) that starts in a 0 byte and may lead to a recovery of plaintext messages as BIG-IP TLS/SSL ADH/DHE sends different error messages acting as an oracle. Similar error messages when PMS starts with 0 byte coupled with very precise timing measurement observation may also expose this vulnerability.

Technical Analysis

BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a virtual server configured with a Client SSL profile, and using Anonymous Diffie-Hellman (ADH) or Ephemeral Diffie-Hellman (DHE) key exchange and Single DH use option not enabled in the options list may be vulnerable to crafted SSL/Transport Layer Security (TLS) handshakes that may result with a pre-master secret (PMS) that starts in a 0 byte and may lead to a recovery of plaintext messages as BIG-IP TLS/SSL ADH/DHE sends different error messages acting as an oracle. Differences in processing time when the PMS starts with 0 byte coupled with very precise timing measurement observation may also expose this vulnerability.

That's a lot to take in …
A recent research study identified a timing attack against TLS that could be used to recover a shared secret that could then be used to recover plaintext of previously captured data.

In order to be successful outside of a testing environment, an attacker would need to intercept encrypted traffic and then send specially crafted TLS packets to a vulnerable server in the hopes of recovering enough data to decrypt the previously intercepted traffic.

Conditions

This vulnerability affects BIG-IP systems with virtual servers associated with a Client SSL profile under the following conditions:

  • You are using ADH or DHE key exchange in the Client SSL profile.

    • Note: DHE is enabled by default in the DEFAULT cipher suite. ADH is not available in the DEFAULT cipher suite.
  • You have not enabled the Single Diffie-Hellman use option—or Single DH use option—in the Client SSL profile.

    • Note: The Single DH use option is not enabled by default in the Client SSL profile options list.
  • Your BIG-IP platform has a Cavium Nitrox SSL hardware acceleration card installed. Platforms with this installed include:

    • BIG-IP i11400-DS, i11600-DS, i11800-DS
    • BIG-IP 1600, 3600, 3900, 5000, 6900, 7000, 8900, 10000, 11000, 12000
    • VIPRION 2100, 2150, 2250, 4100, 4200, 4300

Mitigations

F5 have released a set of mitigations that will prevent this attack on vulnerable servers until they can be patched.

  • Log in to the Configuration utility.
  • Go to Local Traffic > Profiles > SSL > Client.
  • Select the Client SSL profile.
  • In the Configuration list, select Advanced.
  • In the Options section, in the list, select Options List.
  • In the Options List section, under Available Options, select Single DH use, and then select Enable.
  • The Single DH Use option displays under Enabled Options.
  • In Ciphers, in the text box, enter a cipher string that disables ADH or DHE, such as the following example:
    !DHE:!ADH:ALL
  • In Unclean Shutdown, select Enabled.
  • At the bottom of the page, select Update.
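
As an added example (not code from F5 or from the assessment above), the following Python audit applies the three conditions listed under Conditions to Client SSL profile text and reports which profiles still offer ADH or DHE without Single DH use. The tmsh-style text layout, the key names `ciphers`, `options` and `single-dh-use`, the simplified reading of cipher strings, and the sample profiles are assumptions made for illustration.

```python
import re

# Platforms the page lists as carrying a Cavium Nitrox SSL card.
NITROX_MODELS = set((
    "i11400-DS i11600-DS i11800-DS 1600 3600 3900 5000 6900 7000 8900 "
    "10000 11000 12000 2100 2150 2250 4100 4200 4300").split())
# Assumption: profiles arrive as tmsh-style text using these key names.
PROFILE_RE = re.compile(r"^ltm profile client-ssl (\S+) \{\n(.*?)^\}", re.S | re.M)

def dh_key_exchanges(cipher_string):
    # Simplified model (assumption): ':'-separated tokens, '!' excludes for good,
    # DEFAULT carries DHE only (per the page), ALL is assumed to carry both.
    tokens = [t.strip().upper() for t in cipher_string.split(":") if t.strip()]
    banned = {t[1:] for t in tokens if t.startswith("!")}
    enabled = set()
    for tok in (t for t in tokens if t[0] not in "!-"):
        parts = set(re.split(r"[-+_]", tok))  # ECDHE-... never yields "DHE"
        if tok in ("DEFAULT", "ALL") or "DHE" in parts:
            enabled.add("DHE")
        if tok == "ALL" or "ADH" in parts:
            enabled.add("ADH")
    return enabled - banned

def audit(config_text, platform):
    """Map profile name -> DH key exchanges exposed under the page's conditions."""
    report = {}
    for name, body in PROFILE_RE.findall(config_text):
        ciphers = re.search(r"^\s*ciphers\s+(\S+)", body, re.M)
        options = re.search(r"^\s*options\s+\{([^}]*)\}", body, re.M)
        kex = dh_key_exchanges(ciphers.group(1) if ciphers else "DEFAULT")
        single_dh = options and "single-dh-use" in options.group(1).split()
        exposed = platform in NITROX_MODELS and kex and not single_dh
        report[name] = sorted(kex) if exposed else []
    return report

# Constructed sample input, not taken from a real device.
SAMPLE = """\
ltm profile client-ssl legacy_vip {
    ciphers DEFAULT
    options { dont-insert-empty-fragments }
}
ltm profile client-ssl hardened_vip {
    ciphers !DHE:!ADH:ALL
    options { dont-insert-empty-fragments single-dh-use }
}
"""
if __name__ == "__main__":
    for profile, kex in audit(SAMPLE, "5000").items():
        print(profile, "EXPOSED via " + ",".join(kex) if kex else "ok")
```

A profile with no `ciphers` line is treated as DEFAULT, so it is flagged rather than silently passed.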

General Information

Products

  • BIG-IP
