In versions 13.0.0-13.0.0 HF2, 12.1.0-12.1.2 HF1, and 11.6.1-11.6.2, BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a Virtual Server configured with a Client SSL profile, and using Anonymous (ADH) or Ephemeral (DHE) Diffie-Hellman key exchange with the Single DH use option not enabled in the options list may be vulnerable to crafted SSL/TLS handshakes. These handshakes may result in a PMS (Pre-Master Secret) that starts with a 0 byte and may lead to recovery of plaintext messages, because BIG-IP TLS/SSL ADH/DHE sends different error messages and so acts as an oracle. Similar error messages when the PMS starts with a 0 byte, coupled with very precise timing measurement observation, may also expose this vulnerability.
Recent assessments:
kevthehermit at September 14, 2020 4:38pm UTC reported:
BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a virtual server configured with a Client SSL profile, and using Anonymous Diffie-Hellman (ADH) or Ephemeral Diffie-Hellman (DHE) key exchange and Single DH use option not enabled in the options list may be vulnerable to crafted SSL/Transport Layer Security (TLS) handshakes that may result with a pre-master secret (PMS) that starts in a 0 byte and may lead to a recovery of plaintext messages as BIG-IP TLS/SSL ADH/DHE sends different error messages acting as an oracle. Differences in processing time when the PMS starts with 0 byte coupled with very precise timing measurement observation may also expose this vulnerability.
That's a lot to take in ...
A recent research study identified a timing attack against TLS that could be used to recover a shared secret that could then be used to recover plaintext of previously captured data.
In order to be successful outside of a testing environment, an attacker would need to intercept encrypted traffic and then send specially crafted TLS packets to a vulnerable server in the hopes of recovering enough data to decrypt the previously intercepted traffic.
This vulnerability affects BIG-IP systems with virtual servers associated with a Client SSL profile under the following conditions:
You are using ADH or DHE key exchange in the Client SSL profile.
You have not enabled the Single Diffie-Hellman use option, or Single DH use option, in the Client SSL profile.
Your BIG-IP platform has a Cavium Nitrox SSL hardware acceleration card installed. Platforms with this installed include:
BIG-IP i11400-DS, i11600-DS, i11800-DS
BIG-IP 1600, 3600, 3900, 5000, 6900, 7000, 8900, 10000, 11000, 12000
VIPRION 2100, 2150, 2250, 4100, 4200, 4300
F5 have released a set of mitigations that will prevent this attack on vulnerable servers until they can be patched.
Log in to the Configuration utility.
Go to Local Traffic > Profiles > SSL > Client.
Select the Client SSL profile.
In the Configuration list, select Advanced.
In the Options section, in the list, select Options List.
In the Options List section, under Available Options, select Single DH use, and then select Enable.
The Single DH Use option displays under Enabled Options.
In Ciphers, in the text box, enter a cipher string that disables ADH or DHE, such as the following example:
!DHE:!ADH:ALL
In Unclean Shutdown, select Enabled.
At the bottom of the page, select Update.
Assessed Attacker Value: 3
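The three settings from the mitigation steps above can be checked across many Client SSL profiles from a saved configuration rather than one profile at a time in the Configuration utility. The following is an added example, not part of the original assessment or F5's tooling; it assumes `bigip.conf`-style `ltm profile client-ssl` stanzas with the keys `ciphers`, `options` (containing `single-dh-use`) and `unclean-shutdown`, and the sample configuration and profile names are constructed.

```python
import re

# Constructed sample in the style of bigip.conf client-ssl stanzas (assumed layout).
SAMPLE_CONF = """\
ltm profile client-ssl /Common/legacy_app {
    ciphers DEFAULT
    options { dont-insert-empty-fragments }
    unclean-shutdown disabled
}
ltm profile client-ssl /Common/hardened_app {
    ciphers !DHE:!ADH:ALL
    options { dont-insert-empty-fragments single-dh-use }
    unclean-shutdown enabled
}
"""

# A stanza ends at the first closing brace in column 0; nested braces are indented.
STANZA = re.compile(r"^ltm profile client-ssl (\S+) \{\n(.*?)^\}", re.M | re.S)

def setting(body, key):
    """Return the value of a one-line `key value` setting, or None if absent."""
    m = re.search(rf"^\s*{re.escape(key)}\s+(.+?)\s*$", body, re.M)
    return m.group(1) if m else None

def audit_profile(body):
    """List which of the three mitigation settings a profile stanza is missing."""
    findings = []
    opts = setting(body, "options") or ""
    if "single-dh-use" not in opts.strip("{} ").split():
        findings.append("Single DH use not enabled")
    tokens = (setting(body, "ciphers") or "").split(":")
    # Conservative heuristic: only an explicit !DHE and !ADH counts as disabled.
    if not {"!DHE", "!ADH"} <= set(tokens):
        findings.append("cipher string does not exclude DHE and ADH")
    if setting(body, "unclean-shutdown") != "enabled":
        findings.append("Unclean Shutdown not enabled")
    return findings

def audit_config(text):
    """Map each client-ssl profile name to its list of findings."""
    return {name: audit_profile(body) for name, body in STANZA.findall(text)}

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONF).items():
        print(name, "->", "; ".join(findings) or "all three mitigations present")
```

A setting that is absent from a stanza is normally inherited from the parent profile; this sketch reports it as missing so that the parent gets checked by hand.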