SSL Ticketbleed vulnerability (CVE-2016-9244)-f5-all

Vendor: f5

OS: all

Description:
In February of 2017, F5 users were notified of a new vulnerability in certain versions of BIG-IP. indeni will alert if any devices are vulnerable.

Remediation Steps:
Read https://support.f5.com/csp/article/K05121675

How does this work?
This alert uses the iControl REST interface to determine which SSL client profiles are using "session tickets".

Why is this important?
Ticketbleed is a vulnerability in F5 products that enables an attacker to extract up to 31 bytes of uninitialized memory at a time. The leaked memory may contain sensitive data or even key material.

Without Indeni how would you find this?
An administrator would have to log in to the device through SSH and execute the command "tmsh -q -c 'cd /; list ltm profile client-ssl one-line recursive'". The output would then have to be parsed to determine whether any of the client-ssl profiles has "session-ticket" set to "enabled".
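The two passages above describe the same check done two ways: reading the client-ssl profile collection over iControl REST, or parsing the one-line tmsh listing by hand. The following added example (not part of the indeni rule or F5's documentation) implements both parsers over constructed sample data. The REST attribute name `sessionTicket` and the tmsh key `session-ticket` are the names the BIG-IP interfaces use; the sample response and sample tmsh output are constructed here and were not captured from a real device. A profile whose response lacks the attribute is reported separately rather than silently treated as safe.

```python
"""Flag BIG-IP client-ssl profiles that have session tickets enabled (Ticketbleed exposure)."""
import json
import re
from typing import Dict, List

# Constructed sample of a GET /mgmt/tm/ltm/profile/client-ssl response
# (shape of an iControl REST collection; values are made up for this example).
SAMPLE_REST = json.dumps({
    "kind": "tm:ltm:profile:client-ssl:client-sslcollectionstate",
    "items": [
        {"name": "clientssl", "fullPath": "/Common/clientssl", "sessionTicket": "disabled"},
        {"name": "app-tickets", "fullPath": "/Common/app-tickets", "sessionTicket": "enabled"},
        {"name": "legacy", "fullPath": "/Common/legacy"},  # attribute missing: unknown, not safe
    ],
})

# Constructed sample of `tmsh -q -c 'cd /; list ltm profile client-ssl one-line recursive'`.
SAMPLE_TMSH = """\
ltm profile client-ssl /Common/clientssl { cert default.crt key default.key session-ticket disabled }
ltm profile client-ssl /Common/app-tickets { cert default.crt key default.key session-ticket enabled }
"""


def profiles_with_session_tickets_rest(body: str) -> Dict[str, List[str]]:
    """Parse a client-ssl collection response.

    Returns {"enabled": [...], "unknown": [...]}: profiles with sessionTicket
    enabled, and profiles whose response did not carry the attribute at all.
    """
    data = json.loads(body)
    enabled: List[str] = []
    unknown: List[str] = []
    for profile in data.get("items", []):
        path = profile.get("fullPath") or profile.get("name", "<unnamed>")
        setting = profile.get("sessionTicket")
        if setting is None:
            unknown.append(path)
        elif str(setting).lower() == "enabled":
            enabled.append(path)
    return {"enabled": sorted(enabled), "unknown": sorted(unknown)}


# One-line tmsh format: "ltm profile client-ssl <path> { key value key value ... }"
_TMSH_LINE = re.compile(r"^ltm profile client-ssl (\S+) \{(.*)\}\s*$")
_TICKET_KV = re.compile(r"\bsession-ticket (enabled|disabled)\b")


def profiles_with_session_tickets_tmsh(output: str) -> List[str]:
    """Parse tmsh one-line output and return profile paths with session-ticket enabled."""
    flagged: List[str] = []
    for line in output.splitlines():
        match = _TMSH_LINE.match(line.strip())
        if not match:
            continue  # not a client-ssl profile line
        path, attrs = match.groups()
        ticket = _TICKET_KV.search(attrs)
        if ticket and ticket.group(1) == "enabled":
            flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    print("REST:", profiles_with_session_tickets_rest(SAMPLE_REST))
    print("tmsh:", profiles_with_session_tickets_tmsh(SAMPLE_TMSH))
```

On a live device the REST body would come from an authenticated GET against the `/mgmt/tm/ltm/profile/client-ssl` endpoint listed in the rule below; the parsing logic is unchanged. Treat the "unknown" list as a prompt to inspect the profile, since the absence of the attribute says nothing about whether tickets are in use.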

f5-rest-mgmt-tm-ltm-profile-client-ssl

name: f5-rest-mgmt-tm-ltm-profile-client-ssl
description: Determine if an ssl profile is vulnerable to ticket bleed or not
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: f5
    product: load-balancer
    rest-api: 'true'
comments:
    ssl-weak-impl:
        why: |
            Ticketbleed is a vulnerability in F5 products that enables an attacker to extract up to 31 bytes of uninitialized memory at a time. The leaked memory may contain sensitive data or even key material.
        how: |
            This alert uses the iControl REST interface to determine which SSL client profiles are using "session tickets".
        without-indeni: |
            An administrator would have to log in to the device through SSH and execute the command "tmsh -q -c 'cd /; list ltm profile client-ssl one-line recursive'". The output would then have to be parsed to determine whether any of the client-ssl profiles has "session-ticket" set to "enabled".
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /mgmt/tm/sys/version
    parse:
        type: JSON
        file: rest-mgmt-tm-ltm-profile-client-ssl.parser.1.json.yaml
-   run:
        type: HTTP
        command: /mgmt/tm/ltm/profile/client-ssl
    parse:
        type: JSON
        file: rest-mgmt-tm-ltm-profile-client-ssl.parser.2.json.yaml

f5_ssl_weak_impl

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.f5

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.StateDownTemplateRule
/**
  * Alerts when any client-ssl profile reports the "ssl-weak-impl" metric,
  * i.e. when session tickets are enabled on a BIG-IP device affected by Ticketbleed.
  */
case class f5_ssl_weak_impl() extends StateDownTemplateRule(
  ruleName = "f5_ssl_weak_impl",
  ruleFriendlyName = "F5 Devices: SSL Ticketbleed vulnerability (CVE-2016-9244)",
  ruleDescription = "In February of 2017, F5 users were notified of a new vulnerability in certain versions of BIG-IP. indeni will alert if any devices are vulnerable.",
  metricName = "ssl-weak-impl",
  applicableMetricTag = "profile-name",
  descriptionMetricTag = "type",
  alertIfDown = false,
  alertItemsHeader = "Affected Profiles",
  alertDescription = "This device is vulnerable to CVE-2016-9244, also known as Ticketbleed. Review the affected profiles below.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"https://se.linkedin.com/in/patrik-jonsson-6527932\">Patrik Jonsson</a>.",
  baseRemediationText = "Read https://support.f5.com/csp/article/K05121675")()