Vulnerability Recommended Actions
BIG-IP
The following section describes affected BIG-IP components and how to protect those components from potential exploit.
Mitigating the exploit for the MGMT interface and the Configuration utility
The BIG-IP Configuration utility is vulnerable. To mitigate potential exploit, F5 recommends that you limit network access to the management (MGMT) interface to a secure, management-only network.
You can change the default cipher string for the BIG-IP Configuration utility. For example, to change the cipher string for the Configuration utility to use the RC4-SHA cipher, refer to the following commands:
BIG-IP 10.x - 11.x
tmsh modify /sys httpd ssl-ciphersuite RC4-SHA
Mitigating the exploit for SSL/TLS virtual servers
To mitigate potential exploit for SSL/TLS virtual servers, you can configure the SSL profile to prefer non-CBC ciphers. To do so, perform the following steps:
Impact of workaround: Changing the ciphers supported by the SSL profile may result in clients being unable to establish an SSL connection.
For BIG-IP 11.5.0 and later, configure the cipher string to prefer non-CBC ciphers. For example, the following string configures the SSL profile to prefer AES-GCM ciphers first, then RC4-SHA ciphers, before resorting to the DEFAULT string, which contains CBC ciphers:
AES-GCM:RC4-SHA:DEFAULT
For BIG-IP 11.4.0 and earlier, the following cipher string configures the SSL profile to prefer RC4-SHA before resorting to the DEFAULT string, which contains CBC ciphers:
RC4-SHA:DEFAULT
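An added check, not F5's code, for the cipher-string ordering described above: it expands a preference string against a small constructed catalogue (a stand-in for the real suite list that tmsh expands a keyword such as DEFAULT into) and reports whether every non-CBC suite precedes the first CBC suite. The keyword-to-suite mapping and the suite modes are assumptions made for the example, so a real audit must substitute the output of the appliance's own cipher expansion.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    mode: str  # "CBC", "GCM" or "STREAM"


# Constructed catalogue (assumption, not the BIG-IP cipher table): which suites
# each keyword expands to, in order. DEFAULT deliberately contains CBC suites
# plus RC4-SHA, mirroring the advisory's description of the DEFAULT string.
CATALOGUE = {
    "AES-GCM": [Suite("ECDHE-RSA-AES128-GCM-SHA256", "GCM"),
                Suite("AES128-GCM-SHA256", "GCM")],
    "RC4-SHA": [Suite("RC4-SHA", "STREAM")],
    "DEFAULT": [Suite("ECDHE-RSA-AES128-SHA", "CBC"),
                Suite("AES128-SHA", "CBC"),
                Suite("DES-CBC3-SHA", "CBC"),
                Suite("RC4-SHA", "STREAM")],
}


def expand(cipher_string, catalogue=CATALOGUE):
    """Expand a colon-separated cipher string into an ordered suite list.

    A suite keeps the position of its first appearance, so listing RC4-SHA
    before DEFAULT moves it ahead of the CBC suites DEFAULT contains.
    """
    seen, ordered = set(), []
    for keyword in cipher_string.split(":"):
        keyword = keyword.strip()
        if keyword not in catalogue:
            raise ValueError(f"unknown cipher keyword: {keyword}")
        for suite in catalogue[keyword]:
            if suite.name not in seen:
                seen.add(suite.name)
                ordered.append(suite)
    return ordered


def audit(cipher_string, catalogue=CATALOGUE):
    """Return (prefers_non_cbc, leading_non_cbc_count, first_cbc_suite_name).

    prefers_non_cbc is True only when no non-CBC suite is ranked below a CBC
    suite, i.e. the server will offer CBC only after every non-CBC option.
    """
    suites = expand(cipher_string, catalogue)
    cbc_idx = next((i for i, s in enumerate(suites) if s.mode == "CBC"), None)
    if cbc_idx is None:
        return True, len(suites), None
    tail_all_cbc = all(s.mode == "CBC" for s in suites[cbc_idx:])
    return tail_all_cbc, cbc_idx, suites[cbc_idx].name
```

Run audit() over the strings the advisory recommends and over a bare DEFAULT to see why the prefix matters: only the bare DEFAULT string ranks a CBC suite ahead of a non-CBC one.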
FirePass
To protect the FirePass Controller Administrator interface from potential exploit, perform the following procedure:
Changing the cipher string for the FirePass Administrator interface
Impact of procedure: Changing the cipher string may prevent some connections to the Administrator interface.
Enterprise Manager
To protect the Enterprise Manager Configuration utility from potential exploit, F5 recommends that you limit network access to the MGMT interface to a secure, management-only network.
You can also change the default cipher string for the Enterprise Manager Configuration utility. For example, to change the cipher string for the Configuration utility to use the RC4-SHA cipher, refer to the following commands:
Enterprise Manager 3.x
tmsh modify /sys httpd ssl-ciphersuite RC4-SHA
Enterprise Manager 2.x
bigpipe httpd sslciphersuite RC4-SHA
ARX
The following section describes how to protect the ARX Manager GUI from potential exploit (6.2.0 and later).
Changing the ARX Manager GUI cipher string (6.2.0 and later)
Impact of procedure: Changing the cipher string may prevent some connections to the ARX Manager GUI.
enable
config
ssl
cipher ssl-rsa-with-rc4-128-sha
end
Acknowledgements
F5 would like to acknowledge Nadhem J. AlFardan and Kenneth G. Paterson of the Information Security Group, Royal Holloway, University of London, for bringing this issue to our attention, and for following the highest standards of responsible disclosure.
Supplemental Information
Note: This link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.
support.f5.com/kb/en-us/solutions/public/10000/300/sol10322.html
support.f5.com/kb/en-us/solutions/public/12000/700/sol12766.html
support.f5.com/kb/en-us/solutions/public/13000/400/sol13405.html
support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html
support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html
support.f5.com/kb/en-us/solutions/public/6000/700/sol6768.html
support.f5.com/kb/en-us/solutions/public/8000/800/sol8802.html
support.f5.com/kb/en-us/solutions/public/9000/500/sol9502.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html
www.isg.rhul.ac.uk/tls/