22-Nov-2022 19:41
Hello Expert,
My BIG-IPs are vulnerable to CVE-2022-38177 and we would like to apply the workaround as stated in the KB:
disable-algorithms "." {
    "ECDSAP256SHA256";
    "ECDSAP384SHA384";
};
From the KB, it said all modules are impacted. So if I do not provision the DNS module, how can I disable these algorithms in BIND?
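As an added verification check (example code, not from this thread or from F5): a small Python parser that confirms the disable-algorithms stanza quoted above is really present in a named.conf, scoped to the root "." rather than a narrower domain, and not commented out. The sample configuration text is constructed; the file path is an assumption passed on the command line.

```python
import re
import sys

# Constructed sample resembling the KB workaround; not a real BIG-IP named.conf.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
};
disable-algorithms "." {
    "ECDSAP256SHA256";
    "ECDSAP384SHA384";
};
zone "example.com" {
    type master;
    file "example.com.db";
};
"""

# DNSSEC algorithm mnemonics that the workaround in the thread disables.
WORKAROUND_ALGORITHMS = {"ECDSAP256SHA256", "ECDSAP384SHA384"}

# Matches:  disable-algorithms "<domain>" { "ALG"; "ALG"; };
_STANZA = re.compile(r'disable-algorithms\s+"([^"]*)"\s*\{([^}]*)\}\s*;', re.IGNORECASE)

def strip_comments(text):
    """Drop BIND comment forms (/* */, //, #) so a commented-out stanza is not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", text)

def parse_disabled_algorithms(conf_text):
    """Return {domain: set(algorithm mnemonics)} for every disable-algorithms stanza."""
    result = {}
    for domain, body in _STANZA.findall(strip_comments(conf_text)):
        algs = {item.strip().strip('"').upper() for item in body.split(";")}
        algs.discard("")
        result.setdefault(domain, set()).update(algs)
    return result

def missing_root_algorithms(conf_text, required=WORKAROUND_ALGORITHMS):
    """Algorithms from the workaround NOT disabled at the root scope '.'.
    A stanza scoped to a narrower domain leaves other zones validating with ECDSA,
    so only the '.' entry counts. Empty set means the workaround is fully applied."""
    return set(required) - parse_disabled_algorithms(conf_text).get(".", set())

def workaround_applied(conf_text):
    return not missing_root_algorithms(conf_text)

if __name__ == "__main__":
    # Assumed usage: python check_named.py /path/to/named.conf (path is an assumption)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NAMED_CONF
    print("workaround applied" if workaround_applied(text)
          else "missing at root scope: " + ", ".join(sorted(missing_root_algorithms(text))))
```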
23-Nov-2022 23:14
If you don't have BIG-IP DNS provisioned then BIND should not be provisioned for end-user access.
If it is enabled then you can use the ZoneRunner interface to make the modification to the configuration. https://support.f5.com/csp/article/K6963
I believe DNS Cache/DNS Express don't rely on BIND (they are built into TMM) so should not be vulnerable to this issue.
22-Nov-2022 21:13
Hi SolarJeans,
You are referring to this F5 article, am I right?
BIND vulnerability CVE-2022-38177 (f5.com)
There are 2 workarounds told:
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by installing a version listed in the Fixes introduced in column. If the Fixes introduced in column does not list a version for your branch, then no update candidate currently exists for that branch and F5 recommends upgrading to a version with the fix (refer to the table).
If the Fixes introduced in column lists a version prior to the one you are running, in the same branch, then your version should have the fix.
Upgrade the OS version to a not vulnerable one.
The one which you are talking about is a mitigation, but you never know if your OS version is still open and contains other vulnerabilities.
Hence, in order to decide, can you please share your OS version?
22-Nov-2022 22:14
Hello F5_Design_Engineer
My version is 15.1.6, so there is no patch which can fix it.
And we would like to do the mitigation in this situation, which is disabling the algorithms.
22-Nov-2022 23:35
Hi @SolarJeans ,
For the 15.1.x OS version the following ciphers will get impacted (see the last column for 256 or 384) when you disable
disable-algorithms "." {
    "ECDSAP256SHA256";
    "ECDSAP384SHA384";
};
Any of the keys using these ciphers will cause errors until the key validation time has expired, based on the TTL.
https://support.f5.com/csp/article/K86554600
Cipher (ID) | Bits | Protocols | Key exchange | Authentication | Encryption | MAC |
ECDHE-ECDSA-AES128-GCM-SHA256 (0xc02b) | 128 | TLS1.2 | ECDHE | ECDSA | AES-GCM | SHA256 |
ECDHE-ECDSA-AES128-SHA (0xc009) | 128 | TLS1, TLS1.1, TLS1.2 | ECDHE | ECDSA | AES | SHA |
ECDHE-ECDSA-AES128-SHA256 (0xc023) | 128 | TLS1.2 | ECDHE | ECDSA | AES | SHA256 |
ECDHE-ECDSA-AES256-GCM-SHA384 (0xc02c) | 256 | TLS1.2 | ECDHE | ECDSA | AES-GCM | SHA384 |
ECDHE-ECDSA-AES256-SHA (0xc00a) | 256 | TLS1, TLS1.1, TLS1.2 | ECDHE | ECDSA | AES | SHA |
ECDHE-ECDSA-AES256-SHA384 (0xc024) | 256 | TLS1.2 | ECDHE | ECDSA | AES | SHA384 |
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 (0xcca9) | 256 | TLS1.2 | ECDHE | ECDSA | CHACHA20-POLY1305 | NULL |
ECDH-ECDSA-AES128-GCM-SHA256 (0xc02d) | 128 | TLS1.2 | ECDH | ECDSA | AES-GCM | SHA256 |
ECDH-ECDSA-AES128-SHA (0xc004) | 128 | TLS1, TLS1.1, TLS1.2 | ECDH | ECDSA | AES | SHA |
ECDH-ECDSA-AES128-SHA256 (0xc025) | 128 | TLS1.2 | ECDH | ECDSA | AES | SHA256 |
ECDH-ECDSA-AES256-GCM-SHA384 (0xc02e) | 256 | TLS1.2 | ECDH | ECDSA | AES-GCM | SHA384 |
ECDH-ECDSA-AES256-SHA (0xc005) | 256 | TLS1, TLS1.1, TLS1.2 | ECDH | ECDSA | AES | SHA |
ECDH-ECDSA-AES256-SHA384 (0xc026) | 256 | TLS1.2 | ECDH | ECDSA | AES | SHA384 |
You can refer to
https://support.f5.com/csp/article/K55150974
https://support.f5.com/csp/article/K54424313
You can also refer to
Navigate to: DNS ›› Delivery : Keys : DNSSEC Key List
https://f5-agility-labs-dns.readthedocs.io/en/repo_cleanup/class2/module4/lab1.html
You can also see
signature-valid-period
23-Nov-2022 01:52
Hello,
Thanks for your explanation.
If only LTM or LC provisioned, how can I disable the algorithm in BIND?
I checked the KB, and named.conf is configured in the DNS module.
29-Nov-2022 18:42
Thanks for the great explanation.