F5 Networks BIG-IP : OpenSSL vulnerability (K43570545)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution K43570545.
#
# The text description of this plugin is (C) F5 Networks.
#

include("compat.inc");

if (description)
{
  script_id(96985);
  script_version("3.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/09");

  script_cve_id("CVE-2016-7055");

  script_name(english:"F5 Networks BIG-IP : OpenSSL vulnerability (K43570545)");
  script_summary(english:"Checks the BIG-IP version.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote device is missing a vendor-supplied security patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that
handles input lengths divisible by, but longer than 256 bits. Analysis
suggests that attacks against RSA, DSA and DH private keys are
impossible. This is because the subroutine in question is not used in
operations with the private key itself and an input of the attacker's
direct choice. Otherwise the bug can manifest itself as transient
authentication and key negotiation failures or reproducible erroneous
outcome of public-key operations with specially crafted input. Among
EC algorithms only Brainpool P-512 curves are affected and one
presumably can attack ECDH key negotiation."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://support.f5.com/csp/article/K43570545"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.openssl.org/news/secadv/20161110.txt"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade to one of the non-vulnerable versions listed in the F5
Solution K43570545."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/02/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"F5 Networks Local Security Checks");

  script_dependencies("f5_bigip_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version");

  exit(0);
}


include("f5_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
version = get_kb_item("Host/BIG-IP/version");
if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");

sol = "K43570545";
vmatrix = make_array();

# AFM
vmatrix["AFM"] = make_array();
vmatrix["AFM"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["AFM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3");

# AM
vmatrix["AM"] = make_array();
vmatrix["AM"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["AM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3");

# APM
vmatrix["APM"] = make_array();
vmatrix["APM"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1","14.0.0-14.1.0","13.0.0-13.1.0","12.0.0-12.1.3","11.2.1-11.6.3");
vmatrix["APM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3","11.2.1");

# ASM
vmatrix["ASM"] = make_array();
vmatrix["ASM"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["ASM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3","11.2.1");

# AVR
vmatrix["AVR"] = make_array();
vmatrix["AVR"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["AVR"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3","11.2.1");

# LC
vmatrix["LC"] = make_array();
vmatrix["LC"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["LC"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3","11.2.1");

# LTM
vmatrix["LTM"] = make_array();
vmatrix["LTM"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["LTM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","11.2.1","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3","11.2.1");

# PEM
vmatrix["PEM"] = make_array();
vmatrix["PEM"]["affected"  ] = make_list("13.0.0","12.1.0-12.1.2","14.0.0-14.1.0.1","13.1.0-13.1.1");
vmatrix["PEM"]["unaffected"] = make_list("14.0.0-14.1.0","13.0.1-13.1.1","12.1.3-12.1.4","12.0.0","11.4.0-11.6.3","14.1.0.2","13.0.0-13.0.1","12.0.0-12.1.4","11.4.0-11.6.3");


if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
{
  if (report_verbosity > 0) security_note(port:0, extra:bigip_report_get());
  else security_note(0);
  exit(0);
}
else
{
  tested = bigip_get_tested_modules();
  audit_extra = "For BIG-IP module(s) " + tested + ",";
  if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
  else audit(AUDIT_HOST_NOT, "running any of the affected modules");
}