Forum Discussion

SolarJeans
Nov 23, 2022

BIGIP BIND for CVE-2022-38177

Hello Expert,

My BIG-IPs are vulnerable to CVE-2022-38177 and we would like to apply the workaround as stated in the KB:

disable-algorithms "." {
    "ECDSAP256SHA256";
    "ECDSAP384SHA384";
};

The KB says all modules are impacted. So if I do not provision the DNS module, how can I disable these algorithms in BIND?

  • If you don't have BIG-IP DNS provisioned then BIND should not be provisioned for end-user access.

    If it is enabled then you can use the ZoneRunner interface to make the modification to the configuration. https://support.f5.com/csp/article/K6963 

    I believe DNS Cache/DNS Express don't rely on BIND (they are built into TMM), so they should not be vulnerable to this issue.

  • Hi SolarJeans,

    You are referring to this F5 article, am I right?

    BIND vulnerability CVE-2022-38177 (f5.com)

    There are two workarounds mentioned:

    Recommended Actions

    If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by installing a version listed in the Fixes introduced in column. If the Fixes introduced in column does not list a version for your branch, then no update candidate currently exists for that branch and F5 recommends upgrading to a version with the fix (refer to the table).

    If the Fixes introduced in column lists a version prior to the one you are running, in the same branch, then your version should have the fix.

    Upgrade the OS version to one that is not vulnerable.

    The one you are talking about is a mitigation, but you never know if your OS version is still open to and contains other vulnerabilities.

    Hence, in order to decide, can you please share your OS version?


    • SolarJeans

      Hello F5_Design_Engineer,

      My version is 15.1.6, so there is no patch that can fix it.

      And we would like to do the mitigation in this situation, which is disabling the algorithms.

      • Hi SolarJeans,

        For the 15.1.x OS version the following ciphers will be impacted; see the last column for 256 or 384.

        When you disable

        disable-algorithms "." {
            "ECDSAP256SHA256";
            "ECDSAP384SHA384";
        };

        any of the keys using these ciphers will cause errors until the key validation time has expired, based on TTL.

        https://support.f5.com/csp/article/K86554600


        Cipher                                  ID      Bits  Protocols              KEx    Auth   Encryption          MAC
        ECDHE-ECDSA-AES128-GCM-SHA256           0xc02b  128   TLS1.2                 ECDHE  ECDSA  AES-GCM             SHA256
        ECDHE-ECDSA-AES128-SHA                  0xc009  128   TLS1, TLS1.1, TLS1.2   ECDHE  ECDSA  AES                 SHA
        ECDHE-ECDSA-AES128-SHA256               0xc023  128   TLS1.2                 ECDHE  ECDSA  AES                 SHA256
        ECDHE-ECDSA-AES256-GCM-SHA384           0xc02c  256   TLS1.2                 ECDHE  ECDSA  AES-GCM             SHA384
        ECDHE-ECDSA-AES256-SHA                  0xc00a  256   TLS1, TLS1.1, TLS1.2   ECDHE  ECDSA  AES                 SHA
        ECDHE-ECDSA-AES256-SHA384               0xc024  256   TLS1.2                 ECDHE  ECDSA  AES                 SHA384
        ECDHE-ECDSA-CHACHA20-POLY1305-SHA256    0xcca9  256   TLS1.2                 ECDHE  ECDSA  CHACHA20-POLY1305   NULL
        ECDH-ECDSA-AES128-GCM-SHA256            0xc02d  128   TLS1.2                 ECDH   ECDSA  AES-GCM             SHA256
        ECDH-ECDSA-AES128-SHA                   0xc004  128   TLS1, TLS1.1, TLS1.2   ECDH   ECDSA  AES                 SHA
        ECDH-ECDSA-AES128-SHA256                0xc025  128   TLS1.2                 ECDH   ECDSA  AES                 SHA256
        ECDH-ECDSA-AES256-GCM-SHA384            0xc02e  256   TLS1.2                 ECDH   ECDSA  AES-GCM             SHA384
        ECDH-ECDSA-AES256-SHA                   0xc005  256   TLS1, TLS1.1, TLS1.2   ECDH   ECDSA  AES                 SHA
        ECDH-ECDSA-AES256-SHA384                0xc026  256   TLS1.2                 ECDH   ECDSA  AES                 SHA384

        You can refer to:

        K55150974: ECDSA algorithm is currently not supported for DNSSEC in DNS cache
        https://support.f5.com/csp/article/K55150974

        https://support.f5.com/csp/article/K54424313

        You can also refer to the Zone Signing Key settings (navigate to: DNS ›› Delivery : Keys : DNSSEC Key List):
        https://f5-agility-labs-dns.readthedocs.io/en/repo_cleanup/class2/module4/lab1.html

        You can also see signature-valid-period.
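Two pre-checks that the answers above leave to the reader, as an added example that is not code from this thread, from F5 or from ISC BIND: (1) which zones a validating named would stop treating as secure once ECDSAP256SHA256 (IANA algorithm 13) and ECDSAP384SHA384 (algorithm 14) are disabled under "." (per the BIND ARM, a zone whose keys all use disabled algorithms is treated as insecure, i.e. unsigned, rather than bogus), and (2) whether the named.conf you edited via ZoneRunner actually carries the KB's disable-algorithms clause. The DNSKEY listing and named.conf fragments are constructed samples with placeholder key data; the function names are my own.

```python
"""Pre-checks for the CVE-2022-38177 disable-algorithms workaround.

Inputs are constructed samples (no real zones, no real key material).
"""
import re
from collections import defaultdict

# IANA DNS Security Algorithm Numbers (the subset seen in practice).
ALGORITHMS = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}

# The two names the KB workaround lists under disable-algorithms "." { ... };
WORKAROUND = {"ECDSAP256SHA256", "ECDSAP384SHA384"}

# owner TTL IN DNSKEY flags protocol algorithm key   (dig / zone-file presentation format)
DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s+\S+", re.I)


def parse_dnskeys(text):
    """Map each zone apex to the set of algorithm names in its DNSKEY RRset."""
    zones = defaultdict(set)
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m:                                   # skips comments, RRSIGs, blank lines
            alg = int(m.group(3))
            zones[m.group(1).lower()].add(ALGORITHMS.get(alg, f"ALG{alg}"))
    return dict(zones)


def validation_after_workaround(zones, disabled=WORKAROUND):
    """Predict named's view of each zone once the disabled algorithms are ignored.

    'secure'   - a non-disabled algorithm remains, so its RRSIGs can still validate
                 (provided the parent's DS covers a key of that algorithm).
    'insecure' - every key uses a disabled algorithm; named treats the zone as
                 unsigned.  No SERVFAIL, but the DNSSEC guarantee is gone.
    """
    return {z: ("secure" if algs - disabled else "insecure") for z, algs in zones.items()}


# disable-algorithms "<domain>" { "NAME"; NAME; ... };  (quoted domain, as in the KB)
DISABLE_RE = re.compile(r'disable-algorithms\s+"([^"]*)"\s*\{([^}]*)\}\s*;', re.S)
NAME_RE = re.compile(r'"?([A-Za-z0-9_-]+)"?\s*;')       # quoted or bare algorithm names


def disabled_algorithms(named_conf):
    """Return {domain: set(algorithm names)} for every disable-algorithms clause."""
    return {dom: {n.upper() for n in NAME_RE.findall(body)}
            for dom, body in DISABLE_RE.findall(named_conf)}


def workaround_missing(named_conf):
    """Names from the KB workaround that are NOT yet disabled under '.'."""
    return WORKAROUND - disabled_algorithms(named_conf).get(".", set())


# ---- constructed samples (placeholder key data, not real keys) ----------
SAMPLE_DNSKEYS = """\
; constructed `dig +noall +answer DNSKEY` style output
example.net.  3600 IN DNSKEY 257 3 13 kQ9PLACEHOLDERKSK
example.net.  3600 IN DNSKEY 256 3 13 mN2PLACEHOLDERZSK
example.org.  3600 IN DNSKEY 257 3 8  AwEAAcPLACEHOLDERKSK
example.org.  3600 IN DNSKEY 256 3 8  AwEAAbPLACEHOLDERZSK
example.com.  3600 IN DNSKEY 257 3 8  AwEAAdPLACEHOLDERKSK
example.com.  3600 IN DNSKEY 256 3 13 oP4PLACEHOLDERZSK
"""

NAMED_CONF_OK = """\
options {
    directory "/var/named";
    dnssec-validation auto;
    disable-algorithms "." {
        "ECDSAP256SHA256";
        "ECDSAP384SHA384";
    };
};
"""

# Only one of the two algorithms disabled: the workaround is incomplete.
NAMED_CONF_PARTIAL = 'options { disable-algorithms "." { ECDSAP256SHA256; }; };\n'

if __name__ == "__main__":
    view = validation_after_workaround(parse_dnskeys(SAMPLE_DNSKEYS))
    for zone, state in sorted(view.items()):
        print(f"{zone:<14} {state}")
    print("missing from full config   :", workaround_missing(NAMED_CONF_OK) or "nothing")
    print("missing from partial config:", workaround_missing(NAMED_CONF_PARTIAL))
```

Feed `parse_dnskeys` the DNSKEY RRsets of the zones your BIG-IP BIND validates (or serves, if you sign them yourself) and anything reported `insecure` is what the workaround silently downgrades; run `workaround_missing` against the named.conf ZoneRunner wrote to confirm both names made it in before you reload.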
