This article is more than 1 year old
F5 DROWNing, not waving, in crypto fail
Bleichenbacher, the name that always chills cryptographers' blood
If you're an F5 BIG-IP sysadmin, get patching: there's a bug in the company's RSA implementation that can give an attacker access to encrypted messages.
As the CVE assignment stated: “a virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages and/or a Man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server's private key itself.”
Named after Swiss cryptographer Daniel Bleichenbacher, that attack first emerged in 2006, as outlined in this IETF mailing list post. The attacker can append their own data to a signed hash, so it matches a bogus key the attacker creates.
F5's patch announcement said:
Exploiting this vulnerability to perform plaintext recovery of encrypted messages will, in most practical cases, allow an attacker to read the plaintext only after the session has completed. Only TLS sessions established using RSA key exchange are vulnerable to this attack.”
The vulnerable versions of BIG-IP are 11.6.0-11.6.2, 12.0.0-12.1.2 HF1, or 13.0.0-13.0.0 HF2.
Cloudflare's “head crypto boffin” Nick Sullivan was horrified:
It’s hard to overstate how bad this F5 bug is. It’s basically DROWN without needing SSLv2. If you have a vulnerable F5, anyone can sign things with your RSA private key. Bleichenbacher strikes again. https://t.co/sIdpsA3w5I— Nick Sullivan (@grittygrease) November 18, 2017
As Sullivan noted, DROWN (Decrypting RSA with Obsolete and Weakened Encryption) only worked in systems configured to enable the ancient SSLv2, which persisted in some servers. The server could be tricked into downgrading its crypto to SSLv2.
The F5 vulnerability was discovered by Hanno Bock, Juraj Somorovsky of Ruhr-Universitat Bochum/Hackmanit GmbH, and Craig Young of Tripwire VERT.
An attacker would need to be in a position to capture traffic, F5's advisory stated: “The limited window of opportunity, limitations in bandwidth, and latency make this attack significantly more difficult to execute.” ®