CVE-2014-3566: Removing SSLv3 from BIG-IP
The POODLE (CVE-214-03566) vulnerability can force a client to negotiate SSLv3 instead of TLSv1.x ciphers. Then a BEAST-like attack can be conducted against SSLv3 to obtain information from the encrypted stream. This isn't necessarily a new attack, and there has been some speculation about how feasible attacks like BEAST are in the real world, but POODLE makes BEAST much easier.
F5 has analyzed the situation and recommends customers disable SSLv3 when possible.
This article will give you the information you need to disable SSLv3. Please also consult the official F5 SOL 15702.
Background
SOL8802 provides a starting point for information about TLS on a BIG-IP. It has many links to help you change your cipher specifications for the different versions of BIG-IP. I’ll be making references to many of the linked SOLutions in this article.
Second, please read my article from last year about cipher selection.
If you disable SSLv3 ciphers, you may be locking out some legacy clients. Wikipedia has a great table for SSL/TLS browser support. Always test to make sure that you haven’t blocked legitimate clients. If you know of legacy SSLv3 clients, you may want to upgrade them as soon as possible.
On a BIG-IP, SSL/TLS is used in multiple ways, including for the data plane and to the management GUI This posting will cover both of these vectors. Finally, we’ll talk about outbound connections from a BIG-IP, including monitors.
Data plane
In 11.5.0, F5 made the decision to be secure by default and disable SSLv3 ciphers by default for the traffic path. This is documented in SOL15022.
If you are running 11.5.0 or later, your default clientssl and serverssl profiles do not contain SSLv3 ciphers and SSLv3 cannot be negotiated. If your SSL profile derives from these profiles, your application is not vulnerable.
On all versions, you can disable SSLv3 ciphers by adding the string “!SSLv3” to your clienssl or serverssl profile.
The procedure to change your ciphers is well described in SOL 13171.
Please note that by default all clientssl and serverssl profiles inherit from the base profiles. If you have changed your ciphers in any of your SSL profiles, you will have to add “!SSLv3” to those profiles' cipher lists also.
Management plane
BIG-IP has a management GUI that is contacted over SSL. By default, SSLv3 ciphers are enabled on all releases.
This is configurable and covered in SOL 13405. To remove SSLv3 from 11.5.x and 11.6.x, you can disable SSLv3 via the command console like this:
[root@bigip1:Active:Standalone] templates # tmsh list /sys httpd
sys httpd {
ssl-protocol "all -SSLv2"
}
[root@bigip1:Active:Standalone] templates # tmsh modify /sys httpd ssl-protocol "all -SSLv2 -SSLv3"
We are still working on a comprehensive solution for versions prior to 11.5.x.
Outbound connections
Many outbound connections are made by BIG-IP, including monitors. These may use SSLv3, but are not full fledged browsers and make single connections rather than the multiple transactions required for the attack. We believe these connections are not vulnerable.
Testing for SSLv3 connections
You can test for SSLv3 is enabled with a simple command line from a machine with OpenSSL installed.
# openssl s_client -connect target:443 -ssl3
If the command makes you enter more information, then you just made an SSLv3 connection. If the command returns you to a prompt right away, then SSLv3 is disabled on that target host.
Conclusion
F5 has not seen this attack in the wild. The security community has known about BEAST and similar attacks for some time. F5 took the first step to removing SSLv3 in 11.5.0. We will continue to make “secure by default” choices for future versions.
Updated Mar 18, 2022
Version 2.0
- Addressing Rishabh's question: If the "No SSLv3" option is enabled, then the cipher string modification is not required. Also, to address your point of modifying the base profile: If a base profile is modified in this manner, all profiles inherited from that base profile will take the same affect. I should also mention that v11.5.0 onwards, SSLv3 is not included in the DEFAULT ciphersuites.
Deepak123_16590Nimbostratus
what we should do if we running 9.2.x?
Deepak__M_K_165Is the version 9.2.x is vulnarable or do f5 have a fix ?- Tested on 11.4.0 and 11.4.1 (this is not official): Edit the file /config/httpd/conf.d/ssl.conf: line 'SSLProtocol all' to: 'SSLProtocol all -SSLv2 -SSLv3'. then: 'bigstart httpd restart'.
- •Google intends to remove SSL 3.0 fallback support from its clients, such as Chrome (http://googleonlinesecurity.blogspot.de/2014/10/this-poodle-bites-exploiting-ssl-30.html) •Slack (https://twitter.com/SlackHQ/status/522287581862457345) and Twitter (https://twitter.com/twittersecurity/status/522190947782643712) no longer support SSL 3.0. •Mozilla (https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/) will kill Firefox’s support for SSL 3.0 in version 34, due November 25. •Tor (https://lists.torproject.org/pipermail/tor-talk/2014-October/035228.html), designed to aid online anonymity, does not in itself support SSL 3.0, but its Firefox-based browser does and will also need updating. The post gives instructions on disabling SSL 3.0 manually.
YosYam_100630>Edit the file /config/httpd/conf.d/ssl.conf: line 'SSLProtocol all' to: 'SSLProtocol all -SSLv2 -SSLv3'. then: 'bigstart httpd restart'. But after the reboot, ssl.conf reverts to old conf...
jba3126Cirrus
For those that are on version 10.2.3 - 10.2.4 and are unable to break away from SSLv3 the following cipher may be helpful. What it does is offer up the Default F5 Ciphers for your version and negates the use of RC4 (CVE-2013-2566), and CBC/CBC3 (CVE-2014-3566) ciphers, orders according to strength, and yet still allows for some usage of the SSLv3 protocol. This won't get you any awards with your clients that are looking for the complete removal of SSLv3, but will allow you to assess your usage and migrate. Also if any of your clients run a security scan it will most likely will come up with low grade and vulnerable (Example Qualys SSL Labs) because they are not looking at which ciphers you are using. Last but not least, if you want to support IE 6 you will need to remove the negation of RC4 (not recommended). DEFAULT:!RC4:!DES-CBC3-SHA:@STRENGTH Note: In general use caution when running the tmm command. I have caused a box to crash and reboot by not providing the correct options on another unrelated command. What this command does is show you the yield of your client cipher settings. This is extremely helpful to know what you are offering up based on what you set in your SSL profiles cipher setting. [mytypedoverusername@lab-lb1:Active] ~ tmm --clientciphers 'DEFAULT:!RC4:!DES-CBC3-SHA:@STRENGTH' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 53 AES256-SHA 256 SSL3 Native AES SHA RSA 1: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 2: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 3: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 4: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 5: 47 AES128-SHA 128 SSL3 Native AES SHA RSA 6: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 7: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 8: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 9: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA- William_Ng_55_1my F5 version is 10.2.4 LTM I tried to try the command to test SSL3, my dump screen as follow openssl s_client -connect target:443 -ssl3 getaddrinfo: Name or service not known connect:errno=2 What's result mean?
pi11_72182Is it possible to add an iRule that logs if someone negotiates on sslv3... we would like to know approximately how many endusers we will end up dropping if we disable SSLv3. Thanks!
John_Heyer_1508Cirrostratus
I upgraded to 11.5.1 HF6 and SSL labs now reports that TLS_FALLBACK_SCSV is supported. Didn't see anything about it in the release notes. Weird.
