Forum Discussion
jmanya_44531
Nimbostratus
Jul 02, 2013
Link Controller - Vulnerabilities Encountered
Hello guys,
Hope you could help me to solve the following issues (I think it is not an up-to-date requirement due to the type of issue, but anyway).
I performed a vulnerability scan on a L...
jmanya_44531
Nimbostratus
Jul 13, 2013
Hello Ivo,
Thanks a lot for responding.
One important thing I didn't mention in my first post: The box is not running in a production environment, I would be able to install and deploy it once the vulnerabilities are mitigated.
Yes, blocking port 22 traffic for my Self-IPs is the best way to secure my box, but there is a requirement from the security department which consists of looking for a patch to mitigate those vulnerabilities. The scanner suggests that SSH version 2 must be used. It also suggests that I have to add the line "AddressFamily inet6" in the file sshd_config. After upgrading to BIG-IP 10.2.4 Build 817.0 Hotfix HF7, the box fulfills those requirements. The scanner is running right now in order to test again. Hope it works.
On the other hand, a better explanation of the third vulnerability is that my box is using weak SSL cipher algorithms. The result from the scanner is as follows:
The SSL-based service running on this host appears to support the use of "weak" ciphers, which are those that have key-lengths of less than 128 bits.
Service: Apache
Evidency:
Cipher: DES-CBC-SHA
Cipher: EDH-RSA-DES-CBC-SHA
Cipher: EXP-DES-CBC-SHA
Cipher: EXP-EDH-RSA-DES-CBC-SHA
Maybe by "Apache" it refers to the server that provides GUI access?
The scanner suggests I have to use the string SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL, but when I try to change it in the clientssl or serverssl profile it displays the error: Instance not found: clientssl. I suppose it happens because my box is a Link Controller. By using the command "bigpipe profile clientssl clientssl \{ ciphers \"-HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL\" \}" in the CLI, I could change that string, but I am not sure about the results of applying it because my LC is going to load-balance HTTPS traffic (the web server is responsible for performing SSL offload).
Hope you can guide me in getting the box ready to be installed.
Regards
Jorge
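The weak-cipher finding above comes down to two questions: which of the ciphers the scanner listed really fall under its "less than 128 bits" definition, and what a cipher string such as HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL actually enables once OpenSSL expands it. The following Python script is an added example written for this thread; it is not code from the original post or from F5. It parses the scanner's "Cipher:" evidence lines (constructed here from the ones quoted above, plus one 128-bit suite added for contrast), estimates each cipher's key length from its OpenSSL name using a naming table that is an assumption of this example, and then asks the local OpenSSL, through Python's ssl module, which suites the recommended string selects and how strong the weakest of them is.

```python
import re
import ssl
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the four "Evidency" lines from the scanner report in the
# post above, plus one 128-bit suite added here so the filter has something to keep.
SCANNER_EVIDENCE = """\
Cipher: DES-CBC-SHA
Cipher: EDH-RSA-DES-CBC-SHA
Cipher: EXP-DES-CBC-SHA
Cipher: EXP-EDH-RSA-DES-CBC-SHA
Cipher: AES128-SHA
"""

# The scanner's definition of "weak": a symmetric key shorter than 128 bits.
WEAK_THRESHOLD_BITS = 128

# Cipher string the scanner recommended in the post (OpenSSL cipher-list syntax).
RECOMMENDED_SPEC = "HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"


def parse_scanner_evidence(text: str) -> List[str]:
    """Pull the cipher names out of lines of the form 'Cipher: <name>'."""
    return re.findall(r"^Cipher:\s*(\S+)\s*$", text, flags=re.MULTILINE)


def cipher_key_bits(name: str) -> Optional[int]:
    """Derive the symmetric key length from an OpenSSL cipher name.

    Assumption (this example's own table, not from the post): the OpenSSL naming
    conventions below, which cover the families the scanner reported. Returns None
    for names the table does not recognise so callers can flag them for review.
    """
    if "NULL" in name:                      # no encryption at all
        return 0
    if name.startswith("EXP-"):             # export-grade suites use 40-bit keys
        return 40
    if "DES-CBC3" in name or "3DES" in name:
        return 168                          # nominal triple-DES key length
    if "DES-CBC" in name:                   # single DES
        return 56
    m = re.search(r"(AES|CAMELLIA|ARIA)(\d+)", name)
    if m:
        return int(m.group(2))
    if "CHACHA20" in name:
        return 256
    if "RC4" in name:                       # 128-bit key, broken for other reasons
        return 128
    return None


def classify(names: List[str]) -> Dict[str, Optional[int]]:
    """Map each reported cipher name to its estimated key length."""
    return {n: cipher_key_bits(n) for n in names}


def weak_ciphers(text: str) -> List[str]:
    """Return the scanner-reported ciphers that fall below the 128-bit threshold."""
    return [n for n, bits in classify(parse_scanner_evidence(text)).items()
            if bits is not None and bits < WEAK_THRESHOLD_BITS]


def ciphers_allowed_by(spec: str) -> List[Tuple[str, int]]:
    """Ask the local OpenSSL (via Python's ssl module) which suites a cipher string
    enables, as (name, key bits) pairs. Raises ssl.SSLError if the string selects
    nothing, which is the same failure a server would hit at start-up."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [(c["name"], c["strength_bits"]) for c in ctx.get_ciphers()]


def weakest_allowed(spec: str) -> int:
    """Key length of the weakest suite the cipher string would still permit."""
    return min(bits for _, bits in ciphers_allowed_by(spec))


if __name__ == "__main__":
    print("Scanner-reported ciphers below 128 bits:", weak_ciphers(SCANNER_EVIDENCE))
    print("Suites enabled by", RECOMMENDED_SPEC)
    for name, bits in ciphers_allowed_by(RECOMMENDED_SPEC):
        print(f"  {name:<32} {bits} bits")
    print("Weakest enabled suite:", weakest_allowed(RECOMMENDED_SPEC), "bits")
```

Two caveats worth keeping in mind when reading the output. First, in OpenSSL cipher-list syntax a leading "-" is the remove operator, so a string beginning with "-HIGH" strips the HIGH suites rather than enabling them; the script will show that difference directly if you pass both forms to weakest_allowed. Second, the script evaluates the cipher string against the OpenSSL on the machine where it runs, not against the appliance, and the scanner's "Apache" finding concerns the management GUI's web server, which is a separate service from the clientssl and serverssl profiles that govern traffic through virtual servers.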