Forum Discussion

pingnazer_23602's avatar
pingnazer_23602
Icon for Nimbostratus rankNimbostratus
Jan 22, 2018

Side-channel processor vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754

We got a security bulletin from F5 regarding the following issues. Please advise if patching is needed.

 

K91229003: Side-channel processor vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754

 

https://support.f5.com/csp/article/K91229003

 

List of firmware running :

 

  • BIG-IP 11.6.0 Build 6.151.442 Engineering Hotfix HF6

     

  • BIG-IP 11.4.0 Build 2401.0 Hotfix HF1

     

  • BIG-IP 11.4.1 Build 608.0 Final

     

  • BIG-IP 11.2.1 Build 862.7 Engineering Hotfix HF2

     

  • BIG-IP 9.1.2 Build 40.2

     

1 Reply

  • Hello,

     

    Currently all SW version are vulnerable, so there is no need to patch :)

     

    But don`t worry about those vulnerabilities because they are almost impossible to be executed externally if you dont share your admin passwords of course :)

     

    "All three vulnerabilities require an attacker capable of providing and running binary code of their choosing on the BIG-IP platform. This raises a high bar for attackers attempting to target BIG-IP systems over a network and would require an additional, un-patched, user-space remote code execution vulnerability to exploit these new issues.

     

    The only Administrative Roles on a BIG-IP system that can run binary code or exploitable analogs, such as JavaScript, are the Administrator, Resource Administrator, Manager, and iRules Manager roles. The Administrator and Resource Administrator users already have nearly complete access to the system and all secrets on the system that are not protected by hardware-based encryption. The Manager and iRules Manager roles have more restricted access to the system but can install new iRulesLX code. A malicious, authorized Manager or iRules Manager could install malicious binary code to exploit these information leaks and gain more privileged access. F5 recommends that you limit access to these roles to only trusted employees."