Forum Discussion

Stephan_Manthe1
Feb 09, 2017

Quick check for TLS vulnerability CVE-2016-9244

Hi,

to run a quick recursive search across all client-ssl profiles regarding vulnerability CVE-2016-9244 you can run the following one-liner:

 tmsh -q -c 'cd /; list ltm profile client-ssl one-line recursive' | \
 grep -w 'session-ticket enabled' | grep -E --colour '(ltm profile client-ssl|session-ticket) [^ ]+'

In case there is a (non-default) setting in an affected profile, e.g. the following will be returned:

ltm profile client-ssl Common/profile_lb-net.bit_clientssl { app-service none cert Common/cert_lb-net.bit.crt cert-key-chain { cert_lb-net.bit { cert Common/cert_lb-net.bit.crt key Common/cert_lb-net.bit.key } } chain none defaults-from Common/clientssl inherit-certkeychain true key Common/cert_lb-net.bit.key passphrase none session-ticket enabled }

According to the Ask F5 solution the setting may be modified from the WebUI in the affected client-ssl profile's advanced settings.

To modify a vulnerable profile from the CLI you may want to use e.g. the following syntax (make sure to include the / in front of the admin partition):

tmsh modify ltm profile client-ssl /Common/profile_lb-net.bit_clientssl session-ticket disabled
tmsh save sys config partitions all

Make sure to save the configuration and to config-sync.

Thanks, Stephan

PS: The setting for session-ticket (now disabled) will remain in the partition-specific bigip.conf.

  • JG

    The first command returns entries with "session-ticket disabled" as well. You might want to filter those out.


  • Hi Jie,


    thanks and +1 for the comment. I updated the filter accordingly.


    Btw, I guess this will only appear in configuration where the custom settings checkbox is set.


    This will be the case as well when running the tmsh command to disable the setting. I guess it can be cleared from the WebUI, by editing the bigip.conf or by merging an updated configuration.


    Thanks, Stephan