Vulnerability Recommended Actions
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.
F5 recommends that you allow SSH access to the administrative port only from a secure network.
BIG-IP / BIG-IQ mitigation
To mitigate this vulnerability on the BIG-IP system and the BIG-IQ system, you can enable random early drop by way of the MaxStartups option of the sshd configuration. The default configuration allows 10 connections to be in an unauthenticated state, in which a TCP connection has been established but sshd is still waiting for login credentials. A denial-of-service (DoS) attack of this type fills those unauthenticated slots, which ties up the SSH service and prevents others from logging in using SSH.
To enable random early drop, specify the three colon-separated values start:rate:full. After the number of unauthenticated connections reaches the value specified by start, sshd begins to refuse new connections at the percentage specified by rate. The proportion of refused connections then increases linearly as the limit specified by full is approached, until 100% is reached. At that point, all new attempts to connect are refused until the unauthenticated SSH session TCP connections time out.
For example, if MaxStartups were configured with the value 10:30:60, then after 10 connections pending authentication, sshd would begin to drop 30% of the new connections. If unauthenticated connections increase to 60, then 100% of the new connections are dropped until the backlog subsides.
To enable random early drop, perform the following procedure:
Impact of workaround: Increasing the number of allowed connections in an unauthenticated state will increase the amount of memory needed to maintain those TCP connections. Use care when increasing these numbers beyond the values quoted in the following procedure.
Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh
Enable random early drop by typing the following command:
modify /sys sshd include "MaxStartups start:rate:full"
For example, set MaxStartups to 10:30:60 by typing the following command:
modify /sys sshd include "MaxStartups 10:30:60"
Save the configuration change by typing the following command:
save /sys config
Restart the sshd service by typing the following command:
restart /sys service sshd
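The following Python script is an added example, not F5 code or part of this article; it models the start:rate:full drop rule described above so an administrator can see what a given MaxStartups value will do before applying it, and it validates the value before emitting the tmsh commands from the procedure. The function names (parse_max_startups, drop_probability, simulate_drop_fraction, tmsh_commands) are this example's own; the linear ramp from rate at start to 100% at full is the behaviour the text describes, computed with integer arithmetic.

```python
"""Model of sshd's MaxStartups random early drop (added example, not F5 code).

Below `start` pending unauthenticated connections nothing is refused; at
`start` a fraction `rate` percent is refused, rising linearly to 100% at
`full`, as the article describes for the start:rate:full form.
"""
import random


def parse_max_startups(value: str):
    """Parse a MaxStartups value into (start, rate, full).

    A single number N is treated as N:100:N, i.e. refuse every new
    connection once N are pending. Raises ValueError on a bad value.
    """
    parts = value.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        start, rate, full = n, 100, n
    elif len(parts) == 3:
        start, rate, full = (int(p) for p in parts)
    else:
        raise ValueError(f"MaxStartups must be N or start:rate:full, got {value!r}")
    if start < 1 or full < start or not 1 <= rate <= 100:
        raise ValueError(f"invalid MaxStartups value {value!r}")
    return start, rate, full


def drop_probability(pending: int, start: int, rate: int, full: int) -> int:
    """Percentage of new connections refused while `pending` are unauthenticated."""
    if pending < start:
        return 0
    if pending >= full:
        return 100
    # Linear ramp from `rate` at `start` to 100 at `full`, integer arithmetic.
    return rate + (100 - rate) * (pending - start) // (full - start)


def should_drop(pending: int, start: int, rate: int, full: int, rng=random) -> bool:
    """One accept/refuse decision: refuse with probability drop_probability/100."""
    return rng.randrange(100) < drop_probability(pending, start, rate, full)


def simulate_drop_fraction(pending: int, value: str, trials: int = 10_000, seed: int = 1) -> float:
    """Fraction of `trials` new connections refused at a given pending count."""
    start, rate, full = parse_max_startups(value)
    rng = random.Random(seed)  # seeded so runs are reproducible
    dropped = sum(should_drop(pending, start, rate, full, rng) for _ in range(trials))
    return dropped / trials


def tmsh_commands(value: str):
    """The tmsh commands from the procedure above, emitted only for a valid value."""
    parse_max_startups(value)  # refuse to build commands for a value sshd would reject
    return [
        f'modify /sys sshd include "MaxStartups {value}"',
        "save /sys config",
        "restart /sys service sshd",
    ]


if __name__ == "__main__":
    # Constructed walk-through of the article's 10:30:60 example.
    start, rate, full = parse_max_startups("10:30:60")
    for pending in (9, 10, 35, 59, 60, 200):
        print(f"{pending:3d} pending -> refuse {drop_probability(pending, start, rate, full):3d}%")
    print("simulated refusal rate at 35 pending:", simulate_drop_fraction(35, "10:30:60"))
    print("\n".join(tmsh_commands("10:30:60")))
```

Note that the tmsh include property holds the whole block of extra sshd directives as one string, so if the system already carries other directives in that string, the modify command above replaces them; check the current value with list /sys sshd before applying the change and include any existing directives in the new string.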
Supplemental Information
support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html
support.f5.com/kb/en-us/solutions/public/10000/000/sol10025.html
support.f5.com/kb/en-us/solutions/public/13000/100/sol13123.html
support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html
support.f5.com/kb/en-us/solutions/public/6000/800/sol6845.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html