cancel
Showing results for 
Search instead for 
Did you mean: 

F5 Bigip and CVE-2020-1971

CGI
Altostratus
Altostratus

Anyone know the status of F5 Bigip LTM version 15.1 and CVE-2020-1971, is there any changes required or is the F5 not affected

by this bug ?

 

/Craig

5 REPLIES 5

MegaZone
F5 Employee
F5 Employee

As this is a fairly new CVE I recommend opening a support case to get an official answer.

From the articles I read - The high risk vulnerability is affected on Openssl 1.1.1 & 1.0.2 versions. F5 v15 is running on 1.0.2, so yes this version might be affected.

Fixed in 1.1.1l​.

We should wait for an official confirmation on this.​

Tom_Schaefer
Altostratus
Altostratus

We did open a support case 6 weeks ago now. The F5 answer was they are evaluating it and we should just keep checking for HotFixes or other content to see if there will be a change. My security folks are not very pleased with that answer so I hope this is reviewed faster. We just pinged the case again yesterday but they are itching to close it since they have no response.

 

I would settle for a workaround but I believe doing anything in an iRule would be too late in the process when using TLS in the BIG-IP.

The Security Advisory was published last week: https://support.f5.com/csp/article/K42910051

 

As far as I know, the only mitigation is ingesting only trusted CRLs.

I believe dealing with CRLs has more to do with what the functions was supposed to do. Looking at the description (and the code for the openssl fix), it would seem a mitigation would be to compare the type before the TLS session is created. I was thinking that an iRule with code handling the CLIENTSSL_CLIENTHELLO

event could use SSL::extensions to check if both GENERAL_NAMEs contain an EDIPARTYNAME (which is what triggers the error).

 

I do not know enough yet on how to dig into the type to check it yet. I also do not know for certain doing this in an iRule catches it early enough.

 

Obviously the best solution is for F5 to adopt the OpenSSL fix in OpenSSL 1.1.1i or OpenSSL 1.0.2x.