CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
81.3%
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker’s direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution K43570545.
#
# The text description of this plugin is (C) F5 Networks.
#
include("compat.inc");
# Metadata pass: when `description` is set the plugin only declares its
# attributes and exits; the version checks further down do not run in this pass.
if (description)
{
  # Plugin identity and revision.
  script_id(96985);
  script_version("3.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/09");

  # Vulnerability this check maps to.
  script_cve_id("CVE-2016-7055");

  script_name(english:"F5 Networks BIG-IP : OpenSSL vulnerability (K43570545)");
  script_summary(english:"Checks the BIG-IP version.");

  script_set_attribute(attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch.");

  # The multi-line strings below stay at column 0: their line breaks are part
  # of the text that is reported, so indenting them would change the output.
  script_set_attribute(
    attribute:"description",
    value:
"There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that
handles input lengths divisible by, but longer than 256 bits. Analysis
suggests that attacks against RSA, DSA and DH private keys are
impossible. This is because the subroutine in question is not used in
operations with the private key itself and an input of the attacker's
direct choice. Otherwise the bug can manifest itself as transient
authentication and key negotiation failures or reproducible erroneous
outcome of public-key operations with specially crafted input. Among
EC algorithms only Brainpool P-512 curves are affected and one
presumably can attack ECDH key negotiation."
  );

  # References: vendor solution article and the upstream OpenSSL advisory.
  script_set_attribute(attribute:"see_also", value:"https://support.f5.com/csp/article/K43570545");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20161110.txt");

  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade to one of the non-vulnerable versions listed in the F5
Solution K43570545."
  );

  # Severity: network-reachable, high complexity, no authentication, and
  # availability-only impact in both the v2 and v3 base vectors.
  # Temporal vectors: exploit unproven (E:U), official fix (RL:OF / RL:O),
  # report confirmed (RC:C).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # "local" check: the result is derived from the KB keys required below,
  # not from probing the OpenSSL code path over the network.
  script_set_attribute(attribute:"plugin_type", value:"local");

  # CPEs of the BIG-IP modules and hardware this plugin is tagged with.
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");

  # NOTE(review): vuln_publication_date (2017/05/04) is later than
  # patch_publication_date (2017/02/03), and the upstream advisory URL above
  # is dated 20161110 - confirm the disclosure date before relying on it for
  # exposure-window or SLA calculations.
  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/02/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  # Scheduling: information-gathering category, runs after BIG-IP detection,
  # and requires the local-check KB keys that the checks below read.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"F5 Networks Local Security Checks");

  script_dependencies("f5_bigip_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version");

  exit(0);
}
include("f5_func.inc");
# Preconditions: stop with an audit message unless local checks are enabled
# and the BIG-IP version, hotfix and module data are present in the KB.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

version = get_kb_item("Host/BIG-IP/version");
if (!version)
  audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");

# The hotfix key is tested with isnull() rather than for truthiness -
# presumably so that a present-but-falsy value still counts as collected;
# confirm against f5_bigip_detect.
if (isnull(get_kb_item("Host/BIG-IP/hotfix")))
  audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");

if (!get_kb_item("Host/BIG-IP/modules"))
  audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");

# F5 solution article identifier passed to bigip_is_affected() below.
sol = "K43570545";
# Per-module version matrix passed to bigip_is_affected() below. Each module
# key holds an "affected" and an "unaffected" list whose entries are single
# versions or "low-high" ranges.
#
# NOTE(review): the two lists overlap for every module. For example "13.0.0"
# and "14.0.0-14.1.0.1" are listed as affected while "13.0.0-13.0.1" and
# "14.0.0-14.1.0" are listed as unaffected, and "12.1.0-12.1.2" (affected)
# falls inside "12.0.0-12.1.4" (unaffected). How f5_func.inc resolves such
# overlaps is not visible here, so a host in these ranges could be reported
# either way - reconcile the lists against K43570545 before trusting a
# "not vulnerable" audit result.
# NOTE(review): many entries are repeated within a list (e.g. "11.4.0-11.6.3"),
# which looks like several advisory revisions merged together - TODO confirm.
vmatrix = make_array();
# AFM (cf. the advanced_firewall_manager CPE declared above)
vmatrix["AFM"] = make_array();
vmatrix["AFM"]["affected" ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["AFM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3");
# AM (cf. the application_acceleration_manager CPE declared above)
vmatrix["AM"] = make_array();
vmatrix["AM"]["affected" ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["AM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3");
# APM (cf. the access_policy_manager CPE declared above)
# NOTE(review): APM is the only module whose affected list also carries the
# wider ranges "14.0.0-14.1.0", "13.0.0-13.1.0", "12.0.0-12.1.3" and
# "11.2.1-11.6.3", all of which intersect its own unaffected list - verify.
vmatrix["APM"] = make_array();
vmatrix["APM"]["affected" ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1","14.0.0-14.1.0","13.0.0-13.1.0","12.0.0-12.1.3","11.2.1-11.6.3");
vmatrix["APM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3","11.2.1");
# ASM (cf. the application_security_manager CPE declared above)
vmatrix["ASM"] = make_array();
vmatrix["ASM"]["affected" ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["ASM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3","11.2.1");
# AVR (cf. the application_visibility_and_reporting CPE declared above)
vmatrix["AVR"] = make_array();
vmatrix["AVR"]["affected" ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["AVR"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3","11.2.1");
# LC (cf. the link_controller CPE declared above)
vmatrix["LC"] = make_array();
vmatrix["LC"]["affected" ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["LC"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3","11.2.1");
# LTM (cf. the local_traffic_manager CPE declared above)
vmatrix["LTM"] = make_array();
vmatrix["LTM"]["affected" ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["LTM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3","11.2.1");
# PEM (cf. the policy_enforcement_manager CPE declared above)
# Unlike the other modules, PEM's unaffected list has no "11.2.1" entry.
vmatrix["PEM"] = make_array();
vmatrix["PEM"]["affected" ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["PEM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3");
# Verdict: emit a note-level finding when the matrix marks the host as
# affected; otherwise audit out with the reason no finding was raised.
if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
{
  # Attach the detailed BIG-IP report only when verbosity is above zero.
  if (report_verbosity > 0)
    security_note(port:0, extra:bigip_report_get());
  else
    security_note(0);

  exit(0);
}
else
{
  tested = bigip_get_tested_modules();

  if (tested)
  {
    # At least one module was evaluated and found outside the affected ranges.
    audit_extra = "For BIG-IP module(s) " + tested + ",";
    audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
  }
  else
  {
    # No module from the matrix was evaluated on this host.
    audit(AUDIT_HOST_NOT, "running any of the affected modules");
  }
}
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
81.3%