A F5 BIG-IP virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages and/or a Man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server’s private key itself. (CVE-2017-6168)
Exploiting this vulnerability to perform plaintext recovery of encrypted messages will, in most practical cases, allow an attacker to read the plaintext only after the session has completed. Only TLS sessions established using RSA key exchange are vulnerable to this attack.
Exploiting this vulnerability to conduct a MiTM (Man In The Middle) attack requires the attacker to complete the initial attack, which may require millions of server requests, during the handshake phase of the targeted session within the window of the configured handshake timeout. This attack may be conducted against any TLS session using RSA signatures, but only if cipher suites using RSA key exchange are also enabled on the virtual server. The limited window of opportunity, limitations in bandwidth, and latency make this attack significantly more difficult to execute.
This vulnerability affects BIG-IP systems with the following configuration:-
A virtual server associated with a Client SSL profile with RSA key exchange enabled; RSA key exchange is enabled by default. Captured TLS sessions encrypted with ephemeral cipher suites (DHE or ECDHE) are not at risk for subsequent decryption due to this vulnerability.
Virtual servers configured with a Client SSL profile with the Generic Alert option disabled (enabled by default) are at higher risk because they report the specific handshake failure instead of a generic message.
Virtual servers configured with a Client SSL profile that has the Client Certificate option under the Client Authentication section set to require will limit the threat to attackers that are able to successfully authenticate first. Without client certificate authentication, this attack is unauthenticated and anonymous.
Virtual servers that have completely disabled RSA Key Exchange cipher suites within the Client SSL profile (for example, cipher string DEFAULT:!RSA) are NOT impacted by this vulnerability.
BIG-IP Configuration utility, iControl services, big3d collection agent, and Centralized Management Infrastructure (CMI) connections are NOT impacted by this vulnerability.
Captured traffic from sessions using Perfect Forward Secrecy (PFS) cipher suites (DHE or ECDHE) cannot be decrypted due to this vulnerability.
This vulnerability is not an RSA private key recovery attack and does not compromise the server’s private key.
F5 Product Development has assigned ID 693211 (BIG-IP) to this vulnerability.
If you are running a version listed in the Versions known to be vulnerable you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
F5 strongly recommends that you upgrade to a non-vulnerable version because it is the only full resolution of this issue.
Further details on this issue at https://support.f5.com/csp/article/K21905460