SSL irregularities in 10.2.4/11.4.1 LTMs. Vulnerable to Heartbleed or not?
So our network security team regularly sweeps our network looking for unpatched issues, and this week we recieved a whole pile of alerts about our LTMs and GTMs for the Heartbleed vulnerability on port 4353/tcp. I was under the impression (from testing them myself, from logging into the boxes and personally eyeballing the openssl versions from the inside, and from F5's pronouncements on the matter) that these boxes were supposed to be not vulnerable, primarily because the OpenSSL build in play did not yet even understand the TLS heartbeat extension. Very curious.
Apparently this may not be entirely correct. Looking more closely at this particular port (apparently used so the LTMs and GTMs can all find each other readily) it's apparently bound by the big3d binary--which is statically linked and stripped and could very well have been compiled against a vulnerable version of OpenSSL. This is more than just speculation as directly querying the port with OpenSSL from the command line shows the following:
$ openssl s_client -connect some.random.ltm.we.have:4353 -tlsextdebug
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 -
TLS server extension "session ticket" (id=35), len=0
**TLS server extension "heartbeat" (id=15), len=1**
0000 - 01
(server summarily hangs up after issuing the certificate)
Seeing as how there isn't a version of OpenSSL prior to 1.0.1g that understood the TLS heartbeat extention and wasn't using the flawed code, I suspect we might have a problem with equipment being vulnerable after people have been told it wasn't. Has anyone addressed this directly with F5 yet?