F5SOL10133477SOL10133477 - BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736
0.002 Low
EPSS
Percentile
53.3%
Vulnerability Recommended Actions
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in theVersions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
To mitigate this vulnerability, you can disable the anonymous IPsec IKE peer listener (if not in use). However, if you want to use the anonymous listener, you should ensure that the Verify Certificate option is enabled, or configure the Authentication Method option to use the Preshared Key method if certificates are not in use. To do so, perform the following procedures:
Disabling the anonymous IPsec IKE peer listener
Enabling the Verify Certificate option for the anonymous IPsec IKE peer listener
Configuring the Authentication Method option to use the Preshared Key method for the anonymous IPsec IKE peer listener
Disabling the anonymous IPsec IKE peer listener
Impact of action: The BIG-IP system will no longer listen for IPsec IKE peers unless another peer listener has been configured.
- Log in to the Configuration utility.
- Navigate to Network >**IPsec **>IKE Peers.
- Select the anonymous IKE peer.
- For the State option, selectDisabled.
- Click Update.
Enabling the Verify Certificate option for the anonymous IPsec IKE peer listener
Impact of action: IPsec IKE peers will be required to provide a valid certificate or negotiation will fail.
- Log in to the Configuration utility.
- Navigate to Network> IPsec >IKE Peers.
- Select the anonymous IKE peer.
- In the IKE Phase 1 Credentialssection, select the Verify Peer Certificate check box.
Enabling the Verify Peer Certificate option allows you to configure the following:
* Trusted Certificate Authorities
* Certificate Revocation List (CRL)
* Peer Certificate
- Click Update.
Configuring the Authentication Method option to use the Preshared Key method for the anonymous IPsec IKE peer listener
Impact of action: IPsec IKE peers will be required to provide the specified preshared key or negotiation will fail.
- Log in to the Configuration utility.
- Navigate to Network>IPsec >IKE Peers.
- Select the anonymous IKE peer.
- In the IKE Phase 1 Credentialssection, select Preshared Key for the Authentication Method option.
Selecting the Preshared Key method provides following fields:
* **Preshared Key** ***Verify Preshared Key** 5. In the**Preshared Key** field, enter the string that IKE peers will share for authenticating each other.
- In the Verify Preshared Key field, re-enter the string that IKE peers will share for authenticating each other.
- Click Update.
Supplemental Information
- SOL9970: Subscribing to email notifications regarding F5 products
- SOL9957: Creating a custom RSS feed to view new and updated documents
- SOL4602: Overview of the F5 security vulnerability response policy
- SOL4918: Overview of the F5 critical issue hotfix policy
- SOL167: Downloading software and firmware from F5
- SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
References
support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html
support.f5.com/kb/en-us/solutions/public/13000/100/sol13123.html
support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html
support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html
Related
