
======================================================================

                           CERT-Renater

               Note d'Information No. 2013/VULN371
_____________________________________________________________________

DATE                : 29/08/2013

HARDWARE PLATFORM(S): F5 devices.

OPERATING SYSTEM(S): F5 products software.

======================================================================
http://support.f5.com/kb/en-us/solutions/public/14000/600/sol14638.html
______________________________________________________________________

sol14638: TLS/SSL RC4 vulnerability - CVE-2013-2566

Security Advisory

Original Publication Date: 08/27/2013

Description

The RC4 algorithm used by the TLS protocol and SSL protocol has
single-byte biases, which makes it easier for remote attackers to
conduct plaintext-recovery attacks using statistical analysis of
ciphertext in a large number of sessions that use the same plaintext.
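The second-byte keystream bias behind this description, as an added illustration that is not part of the advisory or of F5's material: a textbook RC4 implementation, keystreams generated under many random 16-byte keys (constructed here with a seeded RNG), the rate at which keystream byte Z2 equals 0 (about 1/128 instead of the uniform 1/256, the Mantin-Shamir bias), and the resulting leak when the same plaintext byte is encrypted in many sessions, as the advisory describes.

```python
import random
from collections import Counter


def rc4_keystream(key: bytes, nbytes: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) then keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(nbytes):                   # PRGA: emit keystream bytes
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def second_byte_experiment(plaintext_byte: int, sessions: int, seed: int = 1) -> dict:
    """Model 'many sessions with the same plaintext': encrypt one fixed byte at
    position 2 under `sessions` fresh random 16-byte keys (constructed sample
    keys from a seeded RNG, for reproducibility) and measure two things:
      - z2_zero_rate: how often keystream byte Z2 is 0 (uniform output would
        give 1/256; RC4 gives about 1/128);
      - most_common_ciphertext: since C2 = P2 XOR Z2 and Z2 is most often 0,
        the most frequent C2 value across sessions reveals P2, which is the
        statistical plaintext recovery the advisory warns about."""
    rng = random.Random(seed)
    ciphertext_counts = Counter()
    zeros = 0
    for _ in range(sessions):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        z2 = rc4_keystream(key, 2)[1]
        zeros += (z2 == 0)
        ciphertext_counts[plaintext_byte ^ z2] += 1
    return {
        "z2_zero_rate": zeros / sessions,
        "most_common_ciphertext": ciphertext_counts.most_common(1)[0][0],
    }


if __name__ == "__main__":
    r = second_byte_experiment(plaintext_byte=ord("G"), sessions=20000)
    print(f"P(Z2 = 0) observed {r['z2_zero_rate']:.5f} vs uniform {1 / 256:.5f}")
    print("most frequent second ciphertext byte:", chr(r["most_common_ciphertext"]))
```

Real attacks need far more sessions because later keystream positions are biased much more weakly than Z2, which is why the advisory stresses "a large number of sessions"; the mitigation is the same either way, removing RC4 from the cipher list.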


Impact

Remote attackers may be able to conduct plaintext-recovery attacks
using statistical analysis of ciphertext.


Status

F5 Product Development has assigned ID 428433 to this vulnerability.

To determine if your release is known to be vulnerable, the components
or features that are affected by the vulnerability, and for information
about releases or hotfixes that address the vulnerability, refer to the
following table:

Product                Versions known to   Versions known to   Vulnerable component
                       be vulnerable       be not vulnerable   or feature

BIG-IP LTM             9.0.0 - 9.6.1       None                Configuration utility
                       10.0.0 - 10.2.4                         SSL virtual servers
                       11.0.0 - 11.4.0

BIG-IP AAM             11.4.0              None                Configuration utility
                                                               SSL virtual servers

BIG-IP AFM             11.3.0 - 11.4.0     None                Configuration utility
                                                               SSL virtual servers

BIG-IP Analytics       11.0.0 - 11.4.0     None                Configuration utility
                                                               SSL virtual servers

BIG-IP APM             10.1.0 - 10.2.4     None                Configuration utility
                       11.0.0 - 11.4.0                         SSL virtual servers

BIG-IP ASM             9.2.0 - 9.4.8       None                Configuration utility
                       10.0.0 - 10.2.4                         SSL virtual servers
                       11.0.0 - 11.4.0

BIG-IP Edge Gateway    10.1.0 - 10.2.4     None                Configuration utility
                       11.0.0 - 11.4.0                         SSL virtual servers

BIG-IP GTM             9.2.2 - 9.4.8       None                Configuration utility
                       10.0.0 - 10.2.4
                       11.0.0 - 11.4.0

BIG-IP Link Controller 9.2.2 - 9.4.8       None                Configuration utility
                       10.0.0 - 10.2.4                         SSL virtual servers
                       11.0.0 - 11.4.0

BIG-IP PEM             11.3.0 - 11.4.0     None                Configuration utility
                                                               SSL virtual servers

BIG-IP PSM             9.4.5 - 9.4.8       None                Configuration utility
                       10.0.0 - 10.2.4                         SSL virtual servers
                       11.0.0 - 11.4.0

BIG-IP WebAccelerator  9.4.0 - 9.4.8       None                Configuration utility
                       10.0.0 - 10.2.4                         SSL virtual servers
                       11.0.0 - 11.3.0

BIG-IP WOM             10.0.0 - 10.2.4     None                Configuration utility
                       11.0.0 - 11.3.0                         SSL virtual servers

ARX                    5.0.0 - 5.3.1       None                ARX Manager GUI
                       6.0.0 - 6.4.0                           API (disabled by default)

Enterprise Manager     1.6.0 - 1.8.0       None                Configuration utility
                       2.0.0 - 2.3.0
                       3.0.0 - 3.1.1

FirePass               6.0.0 - 6.1.0       None                Administrative interface
                       7.0.0                                   WebServices

BIG-IQ Cloud           4.0.0 - 4.1.0       None                Configuration utility

BIG-IQ Security        4.0.0 - 4.1.0       None                Configuration utility


Recommended action

This TLS/SSL vulnerability constitutes an inherent flaw in the RC4 cipher.
While it is possible to mitigate this vulnerability by disabling the RC4
cipher for the vulnerable component/feature, administrators were advised
to use the RC4 cipher to mitigate other vulnerabilities, such as the
BEAST and Lucky 13 attacks.

For more information about the various TLS protocol level attacks, and
F5 recommendations for mitigating the attacks, refer to the following
DevCentral article:

Which TLS algorithm should I use?

Note: A separate DevCentral login is required to access this content;
you will be redirected to authenticate or register (if necessary).

Supplemental Information

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566

    Note: This link will take you to a resource outside of AskF5, and
    it is possible that the document may be removed without our
    knowledge.
    SOL8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL
    profiles
    SOL13171: Configuring the cipher strength for SSL profiles (11.x)
    SOL7815: Configuring the cipher strength for SSL profiles (9.x - 10.x)
    SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)
    SOL11444: SSL ciphers supported on BIG-IP platforms (10.x)
    SOL13156: SSL ciphers used in the default SSL profiles (11.x)
    SOL10262: SSL ciphers used in the default SSL profiles (10.x)
    SOL9677: BIG-IP LTM compliance with standard FIPS-197
    SOL9970: Subscribing to email notifications regarding F5 products
    SOL4602: Overview of the F5 security vulnerability response policy


======================================================================

======================================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
======================================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
======================================================================
