Forum Discussion

SolarJeans's avatar
SolarJeans
Icon for Cirrus rankCirrus
Nov 23, 2022

BIGIP BIND for CVE-2022-38177

Hello Expert, My BIGIP are vulnerable by CVE-2022-38177 and we would like to apply the work around as stated in KB disable-algorithms "." {         "ECDSAP256SHA256";         "ECDSAP384SHA384"; ...
application delivery
  • JoshBecigneul's avatar
    JoshBecigneul
    Nov 24, 2022

    If you don't have BIG-IP DNS provisioned then BIND should not be provisioned for end-user access.

    If it is enabled then you can use the ZoneRunner interface to make the modification to the configuration. https://support.f5.com/csp/article/K6963 

    I believe DNS Cache/DNS Express don't rely on BIND (they are built into TMM) so should not be vulnerable to this issue.

SolarJeans's avatar
SolarJeans
Icon for Cirrus rankCirrus

Hello F5_Design_Engineer

My version is 15.1.6 so there is no patch which can fix it.

And we would like to do mitigation in this situation, which is disabled the algorithms.

F5_Design_Engineer's avatar
F5_Design_Engineer
Icon for MVP rankMVP
Nov 23, 2022

Hi SolarJeans ,

For 15.1.x OS version following ciphers will get impacted , see the last column for 256 or 384

when you will disable 

disable-algorithms "." {
        "ECDSAP256SHA256";
        "ECDSAP384SHA384";
    };

 

If any of the keys using these CIPHERS will cause error till the key validation time not expired based on ttl.

 

https://support.f5.com/csp/article/K86554600

 

ECDHE-ECDSA-AES128-GCM-SHA256 (0xc02b)128TLS1.2ECDHEECDSAAES-GCMSHA256
ECDHE-ECDSA-AES128-SHA (0xc009)128TLS1, TLS1.1, TLS1.2ECDHEECDSAAESSHA
ECDHE-ECDSA-AES128-SHA256 (0xc023)128TLS1.2ECDHEECDSAAESSHA256
ECDHE-ECDSA-AES256-GCM-SHA384 (0xc02c)256TLS1.2ECDHEECDSAAES-GCMSHA384
ECDHE-ECDSA-AES256-SHA (0xc00a)256TLS1, TLS1.1, TLS1.2ECDHEECDSAAESSHA
ECDHE-ECDSA-AES256-SHA384 (0xc024)256TLS1.2ECDHEECDSAAESSHA384
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 (0xcca9)256TLS1.2ECDHEECDSACHACHA20-POLY1305NULL
ECDH-ECDSA-AES128-GCM-SHA256 (0xc02d)128TLS1.2ECDHECDSAAES-GCMSHA256
ECDH-ECDSA-AES128-SHA (0xc004)128TLS1, TLS1.1, TLS1.2ECDHECDSAAESSHA
ECDH-ECDSA-AES128-SHA256 (0xc025)128TLS1.2ECDHECDSAAESSHA256
ECDH-ECDSA-AES256-GCM-SHA384 (0xc02e)256TLS1.2ECDHECDSAAES-GCMSHA384
ECDH-ECDSA-AES256-SHA (0xc005)256TLS1, TLS1.1, TLS1.2ECDHECDSAAESSHA
ECDH-ECDSA-AES256-SHA384 (0xc026)256TLS1.2ECDHECDSAAESSHA384

You can refer

K55150974: ECDSA algorithm is currently not supported for DNSSEC in DNS cache

https://support.f5.com/csp/article/K55150974

https://support.f5.com/csp/article/K55150974

https://support.f5.com/csp/article/K54424313

 

you can also refer

Zone Signing Key

Navigate to: DNS ›› Delivery : Keys : DNSSEC Key List

https://f5-agility-labs-dns.readthedocs.io/en/repo_cleanup/class2/module4/lab1.html

You can also see 

signature-valid-period

 

  • SolarJeans's avatar
    SolarJeans
    Icon for Cirrus rankCirrus
    Nov 23, 2022

    Hello,

    Thanks for your explanation.

    If only LTM or LC provisioned, how can I disable the algorithm in BIND?

    I check the KB and named.conf is configure in DNS module.