Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

CVE-2014-6321 and F5 SSL Bridging/Offloading

I'm curious if anyone has figured out how the new MS Schannel vulnerability (CVE-2014-6321) affects back end servers with SSL Bridging/Offloading enabled. It doesn't sound like it's an issue with the SSL handshake, but with a special packet. This leads me to believe that even with the BIG-IP terminating SSL that this could still be passed to the back end servers. Thoughts?

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Michael,

I've read that there were multiple issues, including certificate validation bypasses and remote code execution. Unless someone releases a Proof of Concept, you can not be certain that SSL Offloading will fix anything.

If the problem arises from being able to influence certain parameters of the connection (like including a cipher suite that somehow overflows a buffer), you can mitigate it with SSL Offloading, but if the problem arises from, for example, being able to craft plaintext data that yields encrypted data that crashes the stack (in light of POODLE for example), SSL Offloading may not provide any mitigation at all.

If you're using the ProxySSL feature, the data you're sending to the server isn't changed at all, so you're inspecting data, but you're not really offloading SSL in a way that there is a different connection on frontend side and backend side, thus possibly not mitigating the issue.

There's a lot of maybe's and probably's in this story, so your best bet is still to upgrade the servers, or calculate the risk and monitor/log all traffic, depending on your company's security-enforcement policies.

Kind regards,

Thomas Schockaert

0
Comments on this Answer
Comment made 13-Nov-2014 by Riaz 6
Hi Thomas, Is it also applicable to Vulnerability in Schannel that Could Allow Remote Code Execution. https://technet.microsoft.com/library/security/ms14-066 Regards,
0
Comment made 13-Nov-2014 by Riaz 6
Got it...They are the same thing. Thanks Michael for asking teh question :)
0