Attacker Value
Moderate
(1 user assessed)
Exploitability
Very Low
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
3

CVE-2020-5929

Disclosure Date: September 25, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In versions 13.0.0-13.0.0 HF2, 12.1.0-12.1.2 HF1, and 11.6.1-11.6.2, BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a Virtual Server configured with a Client SSL profile, and using Anonymous (ADH) or Ephemeral (DHE) Diffie-Hellman key exchange and Single DH use option not enabled in the options list may be vulnerable to crafted SSL/TLS Handshakes that may result with a PMS (Pre-Master Secret) that starts in a 0 byte and may lead to a recovery of plaintext messages as BIG-IP TLS/SSL ADH/DHE sends different error messages acting as an oracle. Similar error messages when PMS starts with 0 byte coupled with very precise timing measurement observation may also expose this vulnerability.

Add Assessment

4
Ratings
Technical Analysis

BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a virtual server configured with a Client SSL profile, and using Anonymous Diffie-Hellman (ADH) or Ephemeral Diffie-Hellman (DHE) key exchange and Single DH use option not enabled in the options list may be vulnerable to crafted SSL/Transport Layer Security (TLS) handshakes that may result with a pre-master secret (PMS) that starts in a 0 byte and may lead to a recovery of plaintext messages as BIG-IP TLS/SSL ADH/DHE sends different error messages acting as an oracle. Differences in processing time when the PMS starts with 0 byte coupled with very precise timing measurement observation may also expose this vulnerability.

Thats a lot to take in …
A recent research study identified a timing attack against TLS that could be used to recover a shared secret that could then be used to recover plaintext of previously captured data.

In order to be successful outside of a testing environment, an attacker would need to intercept encrypted traffic and then send specially crafted TLS packets to a vulnerable server in the hopes of recovering enough data to decrypt the previously intercepted traffic.

Conditions

This vulnerability affects BIG-IP systems with virtual servers associated with a Client SSL profile under the following conditions:

  • You are using ADH or DHE key exchange in the Client SSL profile.

    • Note: DHE is enabled by default in the DEFAULT cipher suite. ADH is not available in the DEFAULT cipher suite.
  • You have not enabled the Single Diffie-Hellman use option—or Single DH use option—in the Client SSL profile.

    • Note: The Single DH use option is not enabled by default in the Client SSL profile options list.
  • Your BIG-IP platform has a Cavium Nitrox SSL hardware acceleration card installed. Platforms with this installed include:

    • BIG-IP i11400-DS, i11600-DS, i11800-DS
    • BIG-IP 1600, 3600, 3900, 5000, 6900, 7000, 8900, 10000, 11000, 12000
    • VIPRION 2100, 2150, 2250, 4100, 4200, 4300

Mitigations

F5 have released a set of mitigations that will prevent this attack on vulnerable server until they can be patched.

  • Log in to the Configuration utility.
  • Go to Local Traffic > Profiles > SSL > Client.
  • Select the Client SSL profile.
  • In the Configuration list, select Advanced.
  • In the Options section, in the list, select Options List.
  • In the Options List section, under Available Options, select Single DH use, and then select Enable.
  • The Single DH Use option displays under Enabled Options.
  • In Ciphers, in the text box, enter a cipher string that disables ADH or DHE, such as the following example:
    !DHE:!ADH:ALL
  • In Unclean Shutdown, select Enabled.
  • At the bottom of the page, select Update.
CVSS V3 Severity and Metrics
Base Score:
5.9 Medium
Impact Score:
3.6
Exploitability Score:
2.2
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None

General Information

Vendors

  • f5

Products

  • big-ip access policy manager,
  • big-ip access policy manager 11.6.2,
  • big-ip access policy manager 12.1.2,
  • big-ip access policy manager 13.0.0,
  • big-ip advanced firewall manager,
  • big-ip advanced firewall manager 11.6.2,
  • big-ip advanced firewall manager 12.1.2,
  • big-ip advanced firewall manager 13.0.0,
  • big-ip advanced web application firewall,
  • big-ip advanced web application firewall 11.6.2,
  • big-ip advanced web application firewall 12.1.2,
  • big-ip advanced web application firewall 13.0.0,
  • big-ip analytics,
  • big-ip analytics 11.6.2,
  • big-ip analytics 12.1.2,
  • big-ip analytics 13.0.0,
  • big-ip application acceleration manager,
  • big-ip application acceleration manager 11.6.2,
  • big-ip application acceleration manager 12.1.2,
  • big-ip application acceleration manager 13.0.0,
  • big-ip application security manager,
  • big-ip application security manager 11.6.2,
  • big-ip application security manager 12.1.2,
  • big-ip application security manager 13.0.0,
  • big-ip ddos hybrid defender,
  • big-ip ddos hybrid defender 11.6.2,
  • big-ip ddos hybrid defender 12.1.2,
  • big-ip ddos hybrid defender 13.0.0,
  • big-ip domain name system,
  • big-ip domain name system 11.6.2,
  • big-ip domain name system 12.1.2,
  • big-ip domain name system 13.0.0,
  • big-ip fraud protection service,
  • big-ip fraud protection service 11.6.2,
  • big-ip fraud protection service 12.1.2,
  • big-ip fraud protection service 13.0.0,
  • big-ip global traffic manager,
  • big-ip global traffic manager 11.6.2,
  • big-ip global traffic manager 12.1.2,
  • big-ip global traffic manager 13.0.0,
  • big-ip link controller,
  • big-ip link controller 11.6.2,
  • big-ip link controller 12.1.2,
  • big-ip link controller 13.0.0,
  • big-ip local traffic manager,
  • big-ip local traffic manager 11.6.2,
  • big-ip local traffic manager 12.1.2,
  • big-ip local traffic manager 13.0.0,
  • big-ip policy enforcement manager,
  • big-ip policy enforcement manager 11.6.2,
  • big-ip policy enforcement manager 12.1.2,
  • big-ip policy enforcement manager 13.0.0,
  • ssl orchestrator,
  • ssl orchestrator 11.6.2,
  • ssl orchestrator 12.1.2,
  • ssl orchestrator 13.0.0

Additional Info

Technical Analysis