AttackerKB AKB:02EBD62A-34CD-495B-A157-9716755F4661
Sep 25, 2020 - 12:00 a.m.

CVE-2020-5929

2020-09-25 00:00:00
attackerkb.com

EPSS: 0.002 (Low), percentile 54.0%

In versions 13.0.0-13.0.0 HF2, 12.1.0-12.1.2 HF1, and 11.6.1-11.6.2, BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a Virtual Server configured with a Client SSL profile, Anonymous (ADH) or Ephemeral (DHE) Diffie-Hellman key exchange in use, and the Single DH use option not enabled in the options list may be vulnerable to crafted SSL/TLS handshakes. Such handshakes may result in a PMS (Pre-Master Secret) that starts with a 0 byte, and may lead to recovery of plaintext messages because BIG-IP TLS/SSL ADH/DHE sends different error messages, acting as an oracle. Similar error messages when the PMS starts with a 0 byte, coupled with very precise timing measurement, may also expose this vulnerability.

Recent assessments:

kevthehermit at September 14, 2020 4:38pm UTC reported:

BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a virtual server configured with a Client SSL profile, and using Anonymous Diffie-Hellman (ADH) or Ephemeral Diffie-Hellman (DHE) key exchange and Single DH use option not enabled in the options list may be vulnerable to crafted SSL/Transport Layer Security (TLS) handshakes that may result in a pre-master secret (PMS) that starts with a 0 byte and may lead to a recovery of plaintext messages as BIG-IP TLS/SSL ADH/DHE sends different error messages acting as an oracle. Differences in processing time when the PMS starts with a 0 byte coupled with very precise timing measurement observation may also expose this vulnerability.

That's a lot to take in …
A recent research study identified a timing attack against TLS that could be used to recover a shared secret that could then be used to recover plaintext of previously captured data.

In order to be successful outside of a testing environment, an attacker would need to intercept encrypted traffic and then send specially crafted TLS packets to a vulnerable server in the hopes of recovering enough data to decrypt the previously intercepted traffic.

Conditions

This vulnerability affects BIG-IP systems with virtual servers associated with a Client SSL profile under the following conditions:

  • You are using ADH or DHE key exchange in the Client SSL profile.

    • Note: DHE is enabled by default in the DEFAULT cipher suite. ADH is not available in the DEFAULT cipher suite.
  • You have not enabled the Single Diffie-Hellman use option—or Single DH use option—in the Client SSL profile.

    • Note: The Single DH use option is not enabled by default in the Client SSL profile options list.
  • Your BIG-IP platform has a Cavium Nitrox SSL hardware acceleration card installed. Platforms with this installed include:

    • BIG-IP i11400-DS, i11600-DS, i11800-DS

    • BIG-IP 1600, 3600, 3900, 5000, 6900, 7000, 8900, 10000, 11000, 12000

    • VIPRION 2100, 2150, 2250, 4100, 4200, 4300

Mitigations

F5 have released a set of mitigations that will prevent this attack on vulnerable servers until they can be patched.

  • Log in to the Configuration utility.

  • Go to Local Traffic > Profiles > SSL > Client.

  • Select the Client SSL profile.

  • In the Configuration list, select Advanced.

  • In the Options section, in the list, select Options List.

  • In the Options List section, under Available Options, select Single DH use, and then select Enable.

  • The Single DH Use option displays under Enabled Options.

  • In Ciphers, in the text box, enter a cipher string that disables ADH or DHE, such as the following example:
    !DHE:!ADH:ALL

  • In Unclean Shutdown, select Enabled.

  • At the bottom of the page, select Update.

Assessed Attacker Value: 3
Assessed Attacker Value: 1
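
An added example, not part of the original assessment or F5's own tooling: a Python audit that reads Client SSL profile stanzas in bigip.conf style and reports which of the mitigation steps listed above are still missing for each profile. The stanza keys (`ciphers`, `options`, `single-dh-use`, `unclean-shutdown`), the sample profiles, and the `!`-token cipher heuristic are assumptions; platform hardware, software version, and settings inherited from parent profiles are not checked.

```python
import re

# Constructed sample in bigip.conf stanza style; the profile names are made up.
SAMPLE_CONF = """
ltm profile client-ssl /Common/legacy_app {
    ciphers DEFAULT
    options { dont-insert-empty-fragments }
    unclean-shutdown disabled
}
ltm profile client-ssl /Common/mitigated_app {
    ciphers !DHE:!ADH:ALL
    options { dont-insert-empty-fragments single-dh-use }
    unclean-shutdown enabled
}
ltm profile client-ssl /Common/half_done {
    ciphers !ADH:ALL
    options { single-dh-use }
    unclean-shutdown enabled
}
"""

STANZA = re.compile(r"^ltm profile client-ssl (\S+) \{\n(.*?)^\}", re.M | re.S)

def field(body, pattern):
    m = re.search(pattern, body, re.M)
    return m.group(1).strip() if m else None

def parse_profiles(conf):
    # Assumption: a missing key means the advisory's defaults; no inheritance.
    return {name: {
        "ciphers": (field(body, r"^\s*ciphers (\S+)") or "DEFAULT").strip("'\""),
        "options": set((field(body, r"^\s*options \{([^}]*)\}") or "").split()),
        "unclean": field(body, r"^\s*unclean-shutdown (\S+)"),
    } for name, body in STANZA.findall(conf)}

def audit(p):
    """Return (matches_vulnerable_conditions, mitigation steps still missing)."""
    tokens = p["ciphers"].upper().split(":")
    base = [t for t in tokens if not t.startswith("!")]
    # Heuristic: only "!" exclusions count; per the advisory DEFAULT lacks ADH.
    dh_excluded = "!DHE" in tokens and ("!ADH" in tokens or base == ["DEFAULT"])
    single_dh = "single-dh-use" in p["options"]
    todo = [step for step, done in (
        ("enable Single DH use", single_dh),
        ("exclude DHE and ADH in Ciphers", dh_excluded),
        ("enable Unclean Shutdown", p["unclean"] == "enabled")) if not done]
    return (not single_dh and not dh_excluded), todo

def audit_conf(conf):
    return {name: audit(p) for name, p in parse_profiles(conf).items()}
```

Calling `audit_conf(SAMPLE_CONF)` returns, per profile, whether the configuration conditions are met and the list of steps still to apply.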
