
K72752002 : BIG-IP SSL/TLS CRL vulnerability CVE-2020-5913

2020-08-26 00:00:00
Source: my.f5.com
AI Score: 6.4
Confidence: High
EPSS: 0.001
Percentile: 37.0%

Security Advisory Description

The BIG-IP Client or Server SSL profile ignores revoked certificates, even when a valid CRL is present. This impacts SSL/TLS connections and may result in a man-in-the-middle attack on the connections. (CVE-2020-5913)

Impact

The BIG-IP system does not enforce Transport Layer Security (TLS) certificate chain restrictions as expected. As a result, SSL/TLS connections are encrypted but may be vulnerable to man-in-the-middle attacks. This vulnerability affects systems that have the following settings in their configuration and connections that use a BIG-IP Client SSL or Server SSL profile:

  • A Certificate Revocation List (CRL) enabled
  • A CRL with certificates in the Certificate Authority (CA) chain that are revoked, even though they have not expired
  • An OCSP responder object configured in a BIG-IP Client SSL or Server SSL profile

Beginning in BIG-IP 14.x, HTTPS monitors that have in-Traffic Management Microkernel (in-TMM) monitoring enabled and use Server SSL profiles are also affected by this vulnerability. For more information on in-TMM monitoring, refer to K11323537: Configuring In-TMM monitoring.
