
F5 DROWNing, not waving, in crypto fail

Bleichenbacher, the name that always chills cryptographers' blood


If you're an F5 BIG-IP sysadmin, get patching: a flaw in the way the appliance's TLS stack handles RSA key exchange behaves as a padding oracle, letting an attacker recover the plaintext of encrypted sessions without ever obtaining the private key.

As the CVE assignment stated: “a virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages and/or a Man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server's private key itself.”

Named after Swiss cryptographer Daniel Bleichenbacher, the adaptive chosen-ciphertext attack dates from 1998. It is a padding oracle: if a server reacts differently (a distinct alert, an error path, a timing difference) when an RSA-decrypted block fails the PKCS#1 v1.5 format check, an attacker can submit many adaptively chosen variants of a captured ciphertext and use those yes/no answers to narrow the plaintext down to a single value. The 2006 result outlined in the IETF mailing list post referenced here is a different Bleichenbacher attack, a signature forgery in which the attacker appends their own data so that a bogus signature verifies under a small public exponent; it should not be confused with the padding-oracle attack that affects BIG-IP.

F5's patch announcement said:

“Exploiting this vulnerability to perform plaintext recovery of encrypted messages will, in most practical cases, allow an attacker to read the plaintext only after the session has completed. Only TLS sessions established using RSA key exchange are vulnerable to this attack.”
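The attack the advisory describes, as an added worked example written for this page (it is not F5 code and not the researchers' tooling): a toy 125-bit RSA key built from two fixed primes, a constructed five-byte secret standing in for the premaster secret, a server model (`PaddingOracle`) that leaks one bit per query, the Bleichenbacher interval-narrowing algorithm recovering the plaintext from the public key and that oracle alone, and `hardened_unwrap`, the TLS 1.2 countermeasure of never signalling a padding failure. All names, the key and the secret are assumptions for the demo.

```python
# Added demo, not F5 code: the key, secret and oracle are constructed for illustration.
import random
import secrets

# Fixed primes (Mersenne prime 2^61-1, largest prime below 2^64): deterministic and
# fast. A 125-bit modulus is a toy; the attack scales to real keys, only the
# number of oracle queries grows.
P = (1 << 61) - 1
Q = (1 << 64) - 59
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (ValueError if E not invertible)
K = (N.bit_length() + 7) // 8       # modulus length in bytes (16)
B = 1 << (8 * (K - 2))              # every block starting "00 02" lies in [2B, 3B)
MSG_LEN = 5                         # stands in for TLS's fixed 48-byte premaster secret

def pkcs1_v15_pad(msg: bytes, rng=random) -> int:
    """EME-PKCS1-v1_5: 00 || 02 || PS (non-zero, >= 8 bytes) || 00 || msg."""
    ps_len = K - 3 - len(msg)
    assert ps_len >= 8, "message too long for this modulus"
    ps = bytes(rng.randrange(1, 256) for _ in range(ps_len))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")

class PaddingOracle:
    """Server whose observable behaviour (alert type, error path, timing) reveals
    whether the decrypted block starts with 00 02: one bit per query is enough."""
    def __init__(self):
        self.queries = 0

    def __call__(self, c: int) -> bool:
        self.queries += 1
        return pow(c, D, N).to_bytes(K, "big")[:2] == b"\x00\x02"

def ceil_div(a: int, b: int) -> int:
    return -(-a // b)

def bleichenbacher(c0: int, oracle) -> int:
    """Recover m0 = c0^d mod N using only the oracle (Bleichenbacher, CRYPTO '98).
    c0 is a captured, well-formed ciphertext, so the blinding step uses s0 = 1."""
    def conforming(s: int) -> bool:
        return oracle((c0 * pow(s, E, N)) % N)

    M = [(2 * B, 3 * B - 1)]                 # all we know about m0 at the start
    s = ceil_div(N, 3 * B)                   # step 2a: smallest s with m0*s mod N in [2B, 3B)
    while not conforming(s):
        s += 1
    while True:
        narrowed = set()                     # step 3: a conforming s narrows every interval
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    narrowed.add((lo, hi))
        M = sorted(narrowed)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]                   # step 4: interval collapsed onto m0
        if len(M) > 1:                       # step 2b: several intervals, search linearly
            s += 1
            while not conforming(s):
                s += 1
        else:                                # step 2c: one interval, roughly halve it per round
            a, b = M[0]
            r = ceil_div(2 * (b * s - 2 * B), N)
            while True:
                lo, hi = ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a
                hit = next((t for t in range(lo, hi + 1) if conforming(t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1

def hardened_unwrap(c: int) -> bytes:
    """TLS 1.2 countermeasure (RFC 5246 section 7.4.7.1): on any padding error carry on
    with a random premaster secret and never signal failure; timing must match too."""
    block = pow(c, D, N).to_bytes(K, "big")
    ok = block[:2] == b"\x00\x02" and 0 not in block[2:10] and 0 in block[10:]
    payload = block[block.index(0, 10) + 1:] if ok else b""
    if len(payload) != MSG_LEN:
        payload = secrets.token_bytes(MSG_LEN)   # bogus secret: handshake fails later, quietly
    return payload

def demo() -> tuple:
    """Recover a constructed secret from its ciphertext: (secret, oracle queries)."""
    c0 = pow(pkcs1_v15_pad(b"hello", random.Random(1)), E, N)   # what a sniffer captures
    oracle = PaddingOracle()
    block = bleichenbacher(c0, oracle).to_bytes(K, "big")        # D is never touched
    return block[block.index(0, 2) + 1:], oracle.queries
```

Calling `demo()` returns the recovered secret together with the number of oracle queries it took, which is the figure F5's advisory is alluding to when it talks about bandwidth and latency limiting the attack: each query is a full TLS handshake against the appliance. Against `hardened_unwrap` the same loop gets no answer at all, because a malformed block is replaced by a random secret and the failure only surfaces, indistinguishably, when the Finished message does not verify.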

The vulnerable versions of BIG-IP are 11.6.0-11.6.2, 12.0.0-12.1.2 HF1, or 13.0.0-13.0.0 HF2.

Cloudflare's “head crypto boffin” Nick Sullivan was horrified, pointing to DROWN.

As Sullivan noted, DROWN (Decrypting RSA with Obsolete and Weakened Encryption) worked only against servers that still enabled the ancient SSLv2, or that shared an RSA key with one that did: the SSLv2 handshake served as the Bleichenbacher oracle, letting an attacker decrypt sessions negotiated with modern TLS versions.

The F5 vulnerability was discovered by Hanno Böck, Juraj Somorovsky of Ruhr-Universität Bochum/Hackmanit GmbH, and Craig Young of Tripwire VERT, as part of the work published as ROBOT (Return Of Bleichenbacher's Oracle Threat).

An attacker would need to be in a position to capture traffic, F5's advisory stated: “The limited window of opportunity, limitations in bandwidth, and latency make this attack significantly more difficult to execute.” ®
