
Forum Discussion

jmanya_44531
Nimbostratus
Jul 02, 2013

Link Controller - Vulnerabilities Encountered

Hello guys,

Hope you could help me to solve the following issues (I think it is not an up-to-date requirement due to the type of issue, but anyway).

I performed a vulnerability scan of a Link Controller version 10.2.4 many days ago. The following lines describe what I found:

1. CVE-2006-4924. To solve this, the scanner suggests an upgrade of the OpenSSH service. I have looked for any document from F5 which explains how to do this, but I haven't succeeded. In the link http://support.f5.com/kb/en-us/solutions/public/6000/700/sol6736.html it says that the version of my LC is not affected, but the scanner tells the opposite. At this point, what about upgrading the whole system to version 11? Would it allow the LC to have an OpenSSH version after 4.3?

2. CVE-2008-1483. Is there a patch from F5 to mitigate this vulnerability? The scanner tells that this vulnerability is also due to the version of OpenSSH. Again, in http://support.f5.com/kb/en-us/solutions/public/ it says that LC 10.2.4 is not affected.

3. 128-bit key usage: It is well-known that the LC doesn't perform SSL Offload tasks, so this vulnerability is not relevant. However, would it be possible to manage a larger key if we consider the idea that the LC would publish its service as an entity in the world?

Again... Hope you could help me ASAP.

Thanks in advance

Best regards

Jorge

 

2 Replies

  • Hi Jorge,

    It is not secure to allow anybody from the internet to access your Link Controller through SSH; this access should be blocked.

    You can do this by defining a port lockdown on the Internet-facing self IPs. Choose 'allow custom' and allow only tcp 53, tcp 4353, udp 53, icmp.

    You can also define an IP filter to limit ssh to only specific IP addresses and block the others.

    Regards,

    Ivo
  • Hello Ivo,

    Thanks a lot for responding.

    One important thing I didn't mention in my first post: the box is not running in a production environment; I would be able to install and deploy it once the vulnerabilities are mitigated.

    Yes, blocking port 22 traffic on my Self IPs is the best way to secure my box, but there is a requirement from the security department which consists of looking for a patch to mitigate those vulnerabilities. The scanner suggests that SSH version 2 must be used. It also suggests that I have to add the line "AddressFamily inet6" to the file sshd_config. After upgrading to BIG-IP 10.2.4 Build 817.0 Hotfix HF7, the box fulfills those requirements. The scanner is running right now in order to test again. Hope it works.

    On the other hand, a better explanation of the third vulnerability is that my box is using weak SSL cipher algorithms. The result from the scanner is as follows:

    The SSL-based service running on this host appears to support the use of "weak" ciphers, which are those that have key-lengths of less than 128 bits.

    Service: Apache

    Evidence:

    Cipher: DES-CBC-SHA

    Cipher: EDH-RSA-DES-CBC-SHA

    Cipher: EXP-DES-CBC-SHA

    Cipher: EXP-EDH-RSA-DES-CBC-SHA

    Maybe, by saying Apache, it refers to the server which allows GUI access?

    The scanner suggests I have to use the string SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL, but when I try to change it in the clientssl or serverssl profile it displays the error: Instance not found: clientssl. I suppose it happens because my box is a Link Controller. By using the command "bigpipe profile clientssl clientssl \{ ciphers \"-HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL\" \}" in the CLI, I could change that string, but I am not sure about the results of applying it because my LC is going to load balance https traffic (the web server is responsible for performing SSL Offload).

    Hope you could guide me to get the box ready to be installed.

    Regards

    Jorge
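An added check, written for this thread and not taken from any reply or from F5, that classifies the ciphers the scanner listed by effective key length and then expands the suggested SSLCipherSuite string with the local OpenSSL to confirm nothing under 128 bits survives it. The scanner lines are reconstructed from the post above; the key-length table is an assumption covering the bulk ciphers named there plus a few common ones.

```python
import re
import ssl

# Scanner evidence as quoted in the thread (constructed sample input).
SCANNER_OUTPUT = """\
Service: Apache
Cipher: DES-CBC-SHA
Cipher: EDH-RSA-DES-CBC-SHA
Cipher: EXP-DES-CBC-SHA
Cipher: EXP-EDH-RSA-DES-CBC-SHA
"""

# Effective key bits implied by the bulk-cipher token of an OpenSSL cipher
# name. Ordered so that "DES-CBC3" is matched before "DES-CBC".
BULK_KEY_BITS = [
    ("DES-CBC3", 168), ("DES-CBC", 56), ("AES256", 256), ("AES128", 128),
    ("RC4", 128), ("RC2-CBC", 128), ("NULL", 0),
]


def cipher_key_bits(name):
    """Return the effective key length of an OpenSSL-style cipher name.
    Export-grade suites are capped at 40 bits (EXP-) or 56 bits (EXP1024-)
    regardless of the bulk algorithm they name."""
    if name.startswith("EXP1024-"):
        return 56
    if name.startswith("EXP-"):
        return 40
    for token, bits in BULK_KEY_BITS:
        if token in name:
            return bits
    raise ValueError("unknown bulk cipher in %r" % name)


def weak_ciphers(scanner_text, min_bits=128):
    """Parse 'Cipher: NAME' lines and return [(name, bits)] below min_bits,
    i.e. exactly what the scanner's 'weak cipher' rule flags."""
    names = re.findall(r"^Cipher:\s*(\S+)", scanner_text, re.M)
    return [(n, cipher_key_bits(n)) for n in names
            if cipher_key_bits(n) < min_bits]


def cipher_string_min_bits(cipher_string):
    """Expand an OpenSSL cipher string with the local library and return the
    smallest strength_bits it still enables (None if nothing matches)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    bits = [c["strength_bits"] for c in ctx.get_ciphers()]
    return min(bits) if bits else None
```

Because the finding names the Apache service rather than an LTM profile, the check is meant to be run against the cipher string that service will actually use, not against a clientssl profile the Link Controller does not have.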