tmos vulnerability
1 TopicQuick check for TLS vulnerability CVE-2016-9244
Hi, to run a quick recursive search across all client-ssl profiles regarding vulnerability CVE-2016-9244 you can run the following one-liner: tmsh -q -c 'cd /; list ltm profile client-ssl one-line recursive' | \ grep -w 'session-ticket enabled' | grep -E --colour '(ltm profile client-ssl|session-ticket) [^ ]+' In case there is a (non-default) setting in an affected profile i.e. the following will be returned: ltm profile client-ssl Common/profile_lb-net.bit_clientssl { app-service none cert Common/cert_lb-net.bit.crt cert-key-chain { cert_lb-net.bit { cert Common/cert_lb-net.bit.crt key Common/cert_lb-net.bit.key } } chain none defaults-from Common/clientssl inherit-certkeychain true key Common/cert_lb-net.bit.key passphrase none session-ticket enabled } According to the Ask F5 solution the setting may be modified from WebUI in the affected client-ssl profiles advanced settings. To modify a vulnerable profile from CLI you may want to use i.e. the following syntax (make sure to set the trailing / in front of the admin partition: tmsh modify ltm profile client-ssl /Common/profile_lb-net.bit_clientssl session-ticket disabled tmsh save sys config partitions all Make sure to save the configuration and to config-sync. Thanks, Stephan PS: The setting for session-ticket (now disabled ) will remain in the partition specific bigip.conf.317Views0likes3Comments