OpenSSL HeartBleed, CVE-2014-0160
Get the latest updates on how F5 mitigates Heartbleed
The Heartbleed attack against OpenSSL 1.0.1 and later allows an attacker to obtain up to 64k of process memory from each TLS heartbeat response. That 64k of data will quite often contain sensitive information such as keys or passwords. There are already quite a few exploits in the wild for this attack.
F5 has analyzed this attack and we are pleased to say that BIG-IP data traffic using an SSL profile with default ciphers is not vulnerable to this attack. BIG-IP SSL profiles terminate the SSL traffic on the BIG-IP, so the malicious heartbeat never gets to your webservers. TLS heartbeats are not enabled on current versions of BIG-IP, so any virtual server protected by an SSL profile is not vulnerable.
However, if you are not using the SSL termination capabilities of the BIG-IP, then the attack will pass directly through the BIG-IP and to the webservers. You may be vulnerable depending on the webservers you use.
BIG-IP versions 11.5.0 and 11.5.1 do use OpenSSL 1.0.1 for the management GUI and are vulnerable to the attack. Versions of BIG-IP older than 11.5 are not vulnerable.
F5 encourages using a private management network that is not connected to the internet.
A hotfix is available for the management GUI.
See the AskF5 solution for more information.
A mitigation for virtual servers that do not use SSL termination
If you are using a simple load balancing virtual server without an SSL profile, then the traffic is passing directly to your webservers.
My great F5 colleagues and I have written an iRule that mitigates this vulnerability when the client sends a heartbeat. Since we haven't seen a valid client that sends heartbeats, we like this solution. If you have clients that do send valid heartbeats, then we have an iRule that watches for large heartbeat responses and kills the connection before they are sent to the client.
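The two iRule policies described above, re-expressed as an added Python check (this is not the iRule itself, which the article does not reproduce): a TLS record inspector that either drops every heartbeat record outright, or, where valid heartbeats must be allowed, drops heartbeats whose declared payload length exceeds the bytes actually carried and responses above a size threshold. The record layout follows RFC 6520; the sample records and the 64-byte response threshold are constructed for this example.

```python
import struct

TLS_HEARTBEAT = 0x18            # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # heartbeat message types
MIN_PADDING = 16                # RFC 6520 requires at least 16 bytes of padding


def parse_record(data: bytes):
    """Split one TLS record into (content_type, version, body); raise on truncation."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    ctype, ver, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    return ctype, ver, body


def heartbeat_verdict(data: bytes, drop_all: bool = True, max_response: int = 64) -> str:
    """Policy check over one TLS record in either direction.
    Returns 'pass', 'drop-heartbeat', 'drop-malformed' or 'drop-large-response'."""
    ctype, _ver, body = parse_record(data)
    if ctype != TLS_HEARTBEAT:
        return "pass"
    if drop_all:
        return "drop-heartbeat"          # first policy: no known client needs heartbeats
    if len(body) < 3:
        return "drop-malformed"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    # Heartbleed: the declared payload length exceeds the bytes actually carried,
    # so a vulnerable peer would echo back memory beyond the real payload.
    if payload_len + MIN_PADDING > len(body) - 3:
        return "drop-malformed"
    if hb_type == HB_RESPONSE and payload_len > max_response:
        return "drop-large-response"     # second policy: oversized heartbeat response
    return "pass"


def build_heartbeat(hb_type: int, declared_len: int, payload: bytes) -> bytes:
    """Constructed sample heartbeat record (TLS 1.1 version field), used only as test input."""
    body = struct.pack("!BH", hb_type, declared_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body
```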
- Byron_Ater_1504 (Nimbostratus): Found that the following version 10.2.1 is not vulnerable as it does not look for a heartbeat
- Faruk_Grozdanic (Historic F5 Account): F5 LineRate Application Proxy product is not vulnerable to this bug as it uses OpenSSL version 0.9.8. Users could confirm this by entering the bash shell and executing 'ssh -V', which will list the OpenSSL library version used by the system.
- tabernarious_11 (Nimbostratus): For those using Edge Client you should know about its vulnerability:
- opediggitty_692 (Nimbostratus): When you say
- JRahm (Admin): He is saying that if you are not offloading SSL, but simply load balancing SSL traffic back to servers that are offloading, then the vulnerability would need to be addressed at the servers themselves.
- Joel_Moses (Nimbostratus): It should be noted that although Edge Client is linked to a vulnerable version of OpenSSL, it's nowhere near as risky as use of the same library on a server process which is actively listening all the time. In a client scenario, the listener must actively connect to a malicious server, and in the case of Edge Client, that possibility is remote (unless you're the type of person that blindly configures your VPN client to connect to just any ol' server hostname that people send you).
- What_Lies_Bene1 (Cirrostratus): Can the article be updated to state that there are now fixes for all of the TMOS/LTM vulnerabilities?