Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5 security vulnerability response policy.

F5 products and versions that have been evaluated for this Security Advisory

Product | Affected | Not Affected |
---|---|---|
BIG-IP LTM | 9.3.0 - 9.3.1, 9.4.0 - 9.4.5, 9.6.0 - 9.6.1 | 9.3.1-HF3 and later, 9.4.5-HF2 and later, 9.4.6 - 9.4.8, 9.6.1-HF2 and later, 10.x, 11.x |
BIG-IP GTM | 9.3.0 - 9.3.1, 9.4.0 - 9.4.5 | 9.3.1-HF3 and later, 9.4.5-HF2 and later, 9.4.6 - 9.4.8, 10.x, 11.x |
BIG-IP ASM | 9.3.0 - 9.3.1, 9.4.0 - 9.4.5 | 9.3.1-HF3 and later, 9.4.5-HF2 and later, 9.4.6 - 9.4.8, 10.x, 11.x |
BIG-IP Link Controller | 9.3.0 - 9.3.1, 9.4.0 - 9.4.5 | 9.3.1-HF3 and later, 9.4.5-HF2 and later, 9.4.6 - 9.4.8, 10.x, 11.x |
BIG-IP WebAccelerator | 9.4.0 - 9.4.5 | 9.4.5-HF2 and later, 9.4.6 - 9.4.8, 10.x, 11.x |
BIG-IP PSM | 9.4.5 | 9.4.5-HF2 and later, 9.4.6 - 9.4.8, 10.x, 11.x |
BIG-IP WAN Optimization | None | 10.x, 11.x |
BIG-IP APM | None | 10.x, 11.x |
BIG-IP Edge Gateway | None | 10.x, 11.x |
BIG-IP Analytics | None | 11.x |
BIG-IP AFM | None | 11.x |
BIG-IP PEM | None | 11.x |
FirePass | 5.5.0 - 5.5.2, 6.0.0 - 6.0.2 | 6.0.3, 6.1.x, 7.x |
Enterprise Manager | 1.2.0 - 1.6.0 | 1.7.0 - 1.8.0, 2.x, 3.x |
ARX | None | 2.x, 3.x, 4.x, 5.x, 6.x |
SNMPv3 HMAC verification relies on the client to specify the HMAC length. This flexibility allows remote attackers to bypass SNMP authentication by specifying a length value of 1, which causes only the first byte of the HMAC to be checked.
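The length check described above, as an added example (not F5's or any vendor's code): a simplified model of a verifier that trusts the sender's MAC length, next to one that enforces the 12-octet length RFC 3414 specifies for HMAC-MD5-96 and HMAC-SHA-96. The function names, the choice of HMAC-SHA-96, and the sample key and message are assumptions made for the illustration.

```python
import hashlib
import hmac

# RFC 3414: HMAC-MD5-96 and HMAC-SHA-96 truncate the digest to 12 octets.
USM_MAC_LEN = 12


def compute_mac(auth_key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-96 as the receiver computes it locally.

    Simplification: `message` stands for the whole SNMPv3 message with the
    authentication-parameters field already zeroed.
    """
    return hmac.new(auth_key, message, hashlib.sha1).digest()[:USM_MAC_LEN]


def verify_flawed(auth_key: bytes, message: bytes, received_mac: bytes) -> bool:
    """Model of the flaw: the sender's MAC length sets how much is compared."""
    expected = compute_mac(auth_key, message)
    n = len(received_mac)  # length comes from the packet, not from the protocol
    return 1 <= n <= USM_MAC_LEN and expected[:n] == received_mac


def verify_hardened(auth_key: bytes, message: bytes, received_mac: bytes) -> bool:
    """Reject any MAC that is not exactly 12 octets, then compare in constant time."""
    if len(received_mac) != USM_MAC_LEN:
        return False
    return hmac.compare_digest(compute_mac(auth_key, message), received_mac)


def demo() -> dict:
    # Constructed sample values, not taken from any real device or capture.
    key = b"constructed-localized-auth-key"
    msg = b"constructed SNMPv3 message bytes"
    full = compute_mac(key, msg)
    one_byte = full[:1]  # a MAC field whose stated length is 1
    return {
        "flawed_accepts_1_byte": verify_flawed(key, msg, one_byte),
        "hardened_accepts_1_byte": verify_hardened(key, msg, one_byte),
        "hardened_accepts_full": verify_hardened(key, msg, full),
    }


if __name__ == "__main__":
    print(demo())
```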
Information about this advisory is available at the following locations:
<https://vulners.com/cve/CVE-2008-0960>
<http://www.kb.cert.org/vuls/id/878044>
F5 Product Development tracked this issue as CR99838 for BIG-IP LTM, GTM, ASM, PSM, Link Controller, and WebAccelerator and it was fixed in BIG-IP 9.4.6 and 10.0.0. For information about upgrading, refer to the BIG-IP LTM, GTM, ASM, PSM, Link Controller, or WebAccelerator release notes.
This issue was also tracked as CR99838 for Enterprise Manager, and it was fixed in Enterprise Manager 1.7.0. For information about upgrading, refer to the Enterprise Manager release notes.
F5 Product Development tracked this issue as CR100973 for FirePass and it was fixed in FirePass 6.0.3. For information about upgrading, refer to the FirePass release notes.
This issue still exists in the FirePass 5.x branch.
Additionally, this issue was fixed in Hotfix-BIG-IP-9.3.1-HF3 issued for BIG-IP 9.3.1, Hotfix-BIG-IP-9.4.5-HF2 issued for BIG-IP 9.4.5, Hotfix-BIG-IP-9.6.1-HF2 issued for BIG-IP 9.6.1, and FirePass HF-100973 issued for FirePass 6.0.2. You may download these hotfixes or later versions of the hotfixes from the F5 Downloads site.
To view a list of the latest available hotfixes, refer to K9502: BIG-IP hotfix matrix.
For information about the F5 hotfix policy, refer to K4918: Overview of F5 critical issue hotfix policy.
For information about how to manage F5 product hotfixes, refer to K6845: Managing F5 product hotfixes.
Obtaining and installing patches
You can download patches from the F5 Downloads site for the following products and versions:
Product | Version | Hotfix |
---|---|---|
FirePass | 5.5.0 | hotfix-100973 |
FirePass | 5.5.1 | hotfix-100973 |
FirePass | 5.5.2 | hotfix-100973 |
FirePass | 6.0.1 | hotfix-100973 |
FirePass | 6.0.2 | hotfix-100973 |
BIG-IP SAM | 8.0.0 | Secure Access Manager 8.0.0 HF1 |
Workaround
You can work around this issue for FirePass by disabling the SNMP agent. To disable the SNMP agent, perform the following procedure:
If you are running FirePass 5.x, clear the Run SNMP agent on port check box.
5. Click Submit.