A crypto vulnerability affecting some F5 Networks products can be exploited by a remote attacker for recovering encrypted data and launching man-in-the-middle (MitM) attacks, the company told customers on Friday.
The impacted products are part of F5’s BIG-IP application delivery platform, including security, traffic management and performance services such as LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, and PEM. The flaw also affects the F5 WebSafe anti-fraud solution.
According to F5, the vulnerability exposes virtual servers configured with a Client SSL profile and RSA key exchange enabled to adaptive chosen-ciphertext attacks, also known as Bleichenbacher attacks. Launching an attack against a TLS session established using an RSA key exchange allows a remote hacker to recover plaintext data and launch MitM attacks, even if they don’t have access to the server’s private key.
Nick Sullivan, cryptography expert at Cloudflare, pointed out that the vulnerability is similar to the notorious DROWN bug, which allows an attacker to decrypt TLS communications when SSLv2 is used. However, he said the F5 bug is worse as the SSLv2 requirement is eliminated.
“Note that you don’t need to have the private key to decrypt non-FS [forward secrecy] TLS sessions. You only need to find a server using the key with a padding oracle,” Sullivan said. “We should all be grateful for the people in the industry who successfully pushed for forward secrecy to be the default in HTTPS.”
The vulnerability is tracked as CVE-2017-6168 and it has been assigned a CVSS score of 9.1, which puts it in the critical severity category.
F5 has released updates that patch the security hole for each of the affected products. The company has also provided advice for partial or full mitigation, and pointed out that an attack is not easy to conduct.
“Exploiting this vulnerability to perform plaintext recovery of encrypted messages will, in most practical cases, allow an attacker to read the plaintext only after the session has completed,” F5 said in its advisory.
“Exploiting this vulnerability to conduct a MiTM attack requires the attacker to complete the initial attack, which may require millions of server requests, during the handshake phase of the targeted session within the window of the configured handshake timeout,” the company added. “This attack may be conducted against any TLS session using RSA signatures, but only if cipher suites using RSA key exchange are also enabled on the virtual server. The limited window of opportunity, limitations in bandwidth, and latency make this attack significantly more difficult to execute.”
The vendor said the highest risk is to virtual servers where the Generic Alert option, which is enabled by default, has been disabled. This is due to the fact that these systems report the specific handshake failure, which can be useful to the attacker, instead of a generic message.
The security hole was reported to the vendor by Tripwire’s Craig Young, researcher Hanno Böck, and Juraj Somorovsky of Ruhr-Universität Bochum. It’s worth noting that Somorovsky was part of the team that first described the DROWN attack. Details of the vulnerability will be published at a later date.