Forum Discussion
SolarJeans
Cirrus
CirrusBIGIP BIND for CVE-2022-38177
Hello Expert,
My BIGIP are vulnerable by CVE-2022-38177 and we would like to apply the work around as stated in KB
disable-algorithms "." {
"ECDSAP256SHA256";
"ECDSAP384SHA384";
};
From KB, it said all modules are impacted. So if I do not provision DNS module, how can I disable these algorithms in BIND?
If you don't have BIG-IP DNS provisioned then BIND should not be provisioned for end-user access.
If it is enabled then you can use the ZoneRunner interface to make the modification to the configuration. https://support.f5.com/csp/article/K6963
I believe DNS Cache/DNS Express don't rely on BIND (they are built into TMM) so should not be vulnerable to this issue.
Hi SolarJeans,
You are referring t this F5 article am I right
BIND vulnerability CVE-2022-38177 (f5.com)
there are 2 workaround told
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by installing a version listed in the Fixes introduced in column. If the Fixes introduced in column does not list a version for your branch, then no update candidate currently exists for that branch and F5 recommends upgrading to a version with the fix (refer to the table).
If the Fixes introduced in column lists a version prior to the one you are running, in the same branch, then your version should have the fix.
Upgrade the OS version to not Vulnerable
the one which you are talking is a mitigation but you never know if your OS version is still open and containing other vulnerabilities.
hence in order to decide can you please share your OS version .
SolarJeansHello F5_Design_Engineer
My version is 15.1.6 so there is no patch which can fix it.
And we would like to do mitigation in this situation, which is disabled the algorithms.
Hi SolarJeans ,
For 15.1.x OS version following ciphers will get impacted , see the last column for 256 or 384
when you will disable
disable-algorithms "." {
"ECDSAP256SHA256";
"ECDSAP384SHA384";
};If any of the keys using these CIPHERS will cause error till the key validation time not expired based on ttl.
https://support.f5.com/csp/article/K86554600
ECDHE-ECDSA-AES128-GCM-SHA256 (0xc02b) 128 TLS1.2 ECDHE ECDSA AES-GCM SHA256 ECDHE-ECDSA-AES128-SHA (0xc009) 128 TLS1, TLS1.1, TLS1.2 ECDHE ECDSA AES SHA ECDHE-ECDSA-AES128-SHA256 (0xc023) 128 TLS1.2 ECDHE ECDSA AES SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 (0xc02c) 256 TLS1.2 ECDHE ECDSA AES-GCM SHA384 ECDHE-ECDSA-AES256-SHA (0xc00a) 256 TLS1, TLS1.1, TLS1.2 ECDHE ECDSA AES SHA ECDHE-ECDSA-AES256-SHA384 (0xc024) 256 TLS1.2 ECDHE ECDSA AES SHA384 ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 (0xcca9) 256 TLS1.2 ECDHE ECDSA CHACHA20-POLY1305 NULL ECDH-ECDSA-AES128-GCM-SHA256 (0xc02d) 128 TLS1.2 ECDH ECDSA AES-GCM SHA256 ECDH-ECDSA-AES128-SHA (0xc004) 128 TLS1, TLS1.1, TLS1.2 ECDH ECDSA AES SHA ECDH-ECDSA-AES128-SHA256 (0xc025) 128 TLS1.2 ECDH ECDSA AES SHA256 ECDH-ECDSA-AES256-GCM-SHA384 (0xc02e) 256 TLS1.2 ECDH ECDSA AES-GCM SHA384 ECDH-ECDSA-AES256-SHA (0xc005) 256 TLS1, TLS1.1, TLS1.2 ECDH ECDSA AES SHA ECDH-ECDSA-AES256-SHA384 (0xc026) 256 TLS1.2 ECDH ECDSA AES SHA384 You can refer
K55150974: ECDSA algorithm is currently not supported for DNSSEC in DNS cache
https://support.f5.com/csp/article/K55150974
https://support.f5.com/csp/article/K55150974
https://support.f5.com/csp/article/K54424313
you can also refer
Zone Signing Key
Navigate to: DNS ›› Delivery : Keys : DNSSEC Key List
https://f5-agility-labs-dns.readthedocs.io/en/repo_cleanup/class2/module4/lab1.html
You can also see
signature-valid-period
If you don't have BIG-IP DNS provisioned then BIND should not be provisioned for end-user access.
If it is enabled then you can use the ZoneRunner interface to make the modification to the configuration. https://support.f5.com/csp/article/K6963
I believe DNS Cache/DNS Express don't rely on BIND (they are built into TMM) so should not be vulnerable to this issue.
- SolarJeans
Thanks for great explanation
