2 IPsec is vulnerable only in phase 1 IKE (racoon), if configured to use AES-CBC.
Vulnerability Recommended Actions
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
BIG-IP
To mitigate this vulnerability, you should consider the following recommendations:
If SSL profiles are configured to use COMPAT ciphers, consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack. For information about the NATIVE and COMPAT ciphers, refer to the following articles:
To mitigate this vulnerability for IPsec implementations, you should restrict access to the IPsec tunnel to minimize exposure, and/or consider using an IKE Phase 1 Algorithm other than AES to avoid the vulnerable code.
Impact of workaround: F5 recommends testing any such changes in an appropriate environment.
To minimize risk, access to the management interface should be restricted to minimize exposure to control-plane daemons.
To confirm support for AES-NI, on any running platform, perform the following procedure:
cat /proc/cpuinfo | grep '^flags' | grep aes
If nothing is returned, the CPU does not support AES-NI, and is therefore not vulnerable.
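The same check as a scriptable function, useful when it has to run across several hosts or be repeated after a change to CPU feature exposure. This is an added example, not F5 code: it matches aes as a whole flag token rather than a substring and counts the logical CPUs that advertise it. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): scripted AES-NI check.

# Print the number of logical CPUs whose flags line contains the exact
# token "aes". Argument: cpuinfo file (defaults to /proc/cpuinfo).
aesni_cpu_count() {
    awk -F: '
        /^flags[ \t]*:/ {
            n = split($2, f, " ")          # flag tokens are space separated
            for (i = 1; i <= n; i++)
                if (f[i] == "aes") { hits++; break }
        }
        END { print hits + 0 }             # prints 0 when no CPU matched
    ' "${1:-/proc/cpuinfo}"
}

# Exit status 0 if at least one logical CPU exposes AES-NI, 1 otherwise.
aesni_present() {
    [ "$(aesni_cpu_count "$1")" -gt 0 ]
}

# Constructed two-CPU cpuinfo excerpt; $1 is appended to each flags line.
sample_cpuinfo() {
    printf 'processor\t: 0\nflags\t\t: fpu sse2 %s\n' "$1"
    printf 'processor\t: 1\nflags\t\t: fpu sse2 %s\n' "$1"
}

# Demo on constructed data; call the functions without an argument to
# read /proc/cpuinfo on a live system.
demo=$(mktemp)
sample_cpuinfo "aes avx" > "$demo"
if aesni_present "$demo"; then
    echo "AES-NI exposed on $(aesni_cpu_count "$demo") logical CPU(s)"
else
    echo "AES-NI not exposed"
fi
rm -f "$demo"
```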
BIG-IQ/Enterprise Manager
To minimize risk, access to the management interface should be restricted to minimize exposure to control-plane daemons.
ARX
To mitigate this vulnerability, you should permit access to the ARX GUI only over a secure network.
LineRate
To mitigate this vulnerability, you can disable AES-NI processor support in the BIOS or hypervisor.
Impact of workaround: System performance will be negatively impacted by disabling this feature.
Supplemental Information
support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html
support.f5.com/kb/en-us/solutions/public/13000/100/sol13123.html
support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html
support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html
support.f5.com/kb/en-us/solutions/public/9000/500/sol9502.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html