BIGIP BIND for CVE-2022-38177

SolarJeans
Altostratus

Hello Expert,

My BIG-IPs are vulnerable to CVE-2022-38177 and we would like to apply the workaround as stated in the KB:

disable-algorithms "." {
    "ECDSAP256SHA256";
    "ECDSAP384SHA384";
};

The KB says all modules are impacted. So if I do not provision the DNS module, how can I disable these algorithms in BIND?

Hi SolarJeans,

You are referring to this F5 article, am I right?

BIND vulnerability CVE-2022-38177 (f5.com)

There are 2 workarounds mentioned:

Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by installing a version listed in the Fixes introduced in column. If the Fixes introduced in column does not list a version for your branch, then no update candidate currently exists for that branch and F5 recommends upgrading to a version with the fix (refer to the table).

If the Fixes introduced in column lists a version prior to the one you are running, in the same branch, then your version should have the fix.

Upgrade the OS version to one that is not vulnerable.

The one you are talking about is a mitigation, but you never know if your OS version is still open to and containing other vulnerabilities.

Hence, in order to decide, can you please share your OS version?

 

Hello F5_Design_Engineer,

My version is 15.1.6 so there is no patch which can fix it.

And we would like to do the mitigation in this situation, which is disabling the algorithms.

Hi @SolarJeans ,

For the 15.1.x OS version, the following ciphers will get impacted; see the last column for 256 or 384,

when you disable:

disable-algorithms "." {
    "ECDSAP256SHA256";
    "ECDSAP384SHA384";
};

Any of the keys using these ciphers will cause errors until the key validation time has expired, based on the TTL.

https://support.f5.com/csp/article/K86554600

Cipher                               | ID     | Bits | Protocols             | Key exchange | Auth  | Encryption        | MAC
ECDHE-ECDSA-AES128-GCM-SHA256        | 0xc02b | 128  | TLS1.2                | ECDHE        | ECDSA | AES-GCM           | SHA256
ECDHE-ECDSA-AES128-SHA               | 0xc009 | 128  | TLS1, TLS1.1, TLS1.2  | ECDHE        | ECDSA | AES               | SHA
ECDHE-ECDSA-AES128-SHA256            | 0xc023 | 128  | TLS1.2                | ECDHE        | ECDSA | AES               | SHA256
ECDHE-ECDSA-AES256-GCM-SHA384        | 0xc02c | 256  | TLS1.2                | ECDHE        | ECDSA | AES-GCM           | SHA384
ECDHE-ECDSA-AES256-SHA               | 0xc00a | 256  | TLS1, TLS1.1, TLS1.2  | ECDHE        | ECDSA | AES               | SHA
ECDHE-ECDSA-AES256-SHA384            | 0xc024 | 256  | TLS1.2                | ECDHE        | ECDSA | AES               | SHA384
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 | 0xcca9 | 256  | TLS1.2                | ECDHE        | ECDSA | CHACHA20-POLY1305 | NULL
ECDH-ECDSA-AES128-GCM-SHA256         | 0xc02d | 128  | TLS1.2                | ECDH         | ECDSA | AES-GCM           | SHA256
ECDH-ECDSA-AES128-SHA                | 0xc004 | 128  | TLS1, TLS1.1, TLS1.2  | ECDH         | ECDSA | AES               | SHA
ECDH-ECDSA-AES128-SHA256             | 0xc025 | 128  | TLS1.2                | ECDH         | ECDSA | AES               | SHA256
ECDH-ECDSA-AES256-GCM-SHA384         | 0xc02e | 256  | TLS1.2                | ECDH         | ECDSA | AES-GCM           | SHA384
ECDH-ECDSA-AES256-SHA                | 0xc005 | 256  | TLS1, TLS1.1, TLS1.2  | ECDH         | ECDSA | AES               | SHA
ECDH-ECDSA-AES256-SHA384             | 0xc026 | 256  | TLS1.2                | ECDH         | ECDSA | AES               | SHA384

You can refer to:

K55150974: ECDSA algorithm is currently not supported for DNSSEC in DNS cache

https://support.f5.com/csp/article/K55150974


https://support.f5.com/csp/article/K54424313

You can also refer to:

Zone Signing Key

Navigate to: DNS ›› Delivery : Keys : DNSSEC Key List

https://f5-agility-labs-dns.readthedocs.io/en/repo_cleanup/class2/module4/lab1.html

You can also see 

signature-valid-period
Hello,

Thanks for your explanation.

If only LTM or LC is provisioned, how can I disable the algorithm in BIND?

I checked the KB, and named.conf is configured in the DNS module.

If you don't have BIG-IP DNS provisioned then BIND should not be provisioned for end-user access.

If it is enabled then you can use the ZoneRunner interface to make the modification to the configuration. https://support.f5.com/csp/article/K6963 

I believe DNS Cache/DNS Express don't rely on BIND (they are built into TMM) so should not be vulnerable to this issue.
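Once the disable-algorithms block from the K article is in named.conf, a small check that it actually covers the root zone is useful; the following is an added example written for this thread, not code from F5 or the BIND project. The sample named.conf is constructed, the IANA algorithm numbers 13 and 14 for the two ECDSA algorithms are taken from the DNSSEC algorithm registry, and the rule that BIND applies only the most specific matching disable-algorithms block is assumed from BIND's documentation.

```python
import re

# Constructed sample named.conf (not copied from any BIG-IP): the disable-algorithms
# block quoted in the thread, placed inside an options {} stanza.
SAMPLE_NAMED_CONF = """
options {
    disable-algorithms "." {
        "ECDSAP256SHA256";
        "ECDSAP384SHA384";
    };
};
"""
# The two ECDSA DNSSEC algorithms the CVE-2022-38177 workaround disables.
MITIGATION_ALGORITHMS = {"ECDSAP256SHA256", "ECDSAP384SHA384"}
# BIND also accepts the IANA algorithm numbers (assumed: 13 and 14) in place of names.
_NUMBER_TO_NAME = {"13": "ECDSAP256SHA256", "14": "ECDSAP384SHA384"}
_BLOCK_RE = re.compile(r'disable-algorithms\s+"?([^"\s{]+)"?\s*\{([^}]*)\}\s*;', re.IGNORECASE)
_ALGO_RE = re.compile(r'"?([A-Za-z0-9-]+)"?\s*;')

def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#)[^\n]*", "", text)

def parse_disable_algorithms(conf_text):
    """Return {zone: set of algorithm names} for every disable-algorithms block."""
    result = {}
    for zone, body in _BLOCK_RE.findall(strip_comments(conf_text)):
        names = {_NUMBER_TO_NAME.get(a, a.upper()) for a in _ALGO_RE.findall(body)}
        result.setdefault(zone.lower(), set()).update(names)
    return result

def missing_algorithms(conf_text):
    """Mitigation algorithms that are NOT disabled at the root ("."), sorted."""
    disabled = parse_disable_algorithms(conf_text).get(".", set())
    return sorted(MITIGATION_ALGORITHMS - disabled)

def mitigation_applied(conf_text):
    """True when both ECDSA algorithms are disabled for ".", i.e. for every name."""
    return not missing_algorithms(conf_text)

def zones_overriding_root(conf_text):
    """Zones with their own disable-algorithms block that lacks the mitigation.
    Assumed BIND behaviour: only the most specific matching block applies, so
    such a zone is not covered by the root block even if mitigation_applied()."""
    blocks = parse_disable_algorithms(conf_text)
    return sorted(z for z, algos in blocks.items()
                  if z != "." and not MITIGATION_ALGORITHMS <= algos)
```

Feed it the text of the named.conf you edited through ZoneRunner; an empty result from both missing_algorithms() and zones_overriding_root() means the workaround covers every zone the server serves.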