As of September 6, an SSL/TLS ADH/DHE vulnerability was disclosed.

Reference: https://blog.alyac.co.kr/3248

Please refer to the details below; for versions 13 and below, an OS upgrade is recommended.


1. Vulnerability details

  • BIG-IP platforms with a Cavium Nitrox SSL hardware acceleration card, a virtual server configured with a client SSL profile, ADH (Anonymous Diffie-Hellman) or DHE (Ephemeral Diffie-Hellman) key exchange, and the Single DH (Single Diffie-Hellman) use option may be vulnerable to a crafted TLS (Transport Layer Security) handshake.


The issue can occur under the following conditions.

1. The client SSL profile uses ADH or DHE key exchange (note: DHE is enabled in the DEFAULT cipher suite, while ADH is disabled in the DEFAULT cipher suite).

2. The Single Diffie-Hellman use option (Single DH use) is not enabled in the client SSL profile (note: the Single DH use option is not enabled by default in the client SSL profile options list).

* Single DH use: This option creates a new key when using ephemeral (temporary) Diffie-Hellman parameters.

3. Platforms with a Cavium Nitrox SSL hardware acceleration card installed:

  • BIG-IP i11400-DS, i11600-DS, i11800-DS
  • BIG-IP 1600, 3600, 3900, 5000, 6900, 7000, 8900, 10000, 11000, 12000
  • VIPRION 2100, 2150, 2250, 4100, 4200, 4300


3. Vulnerable software versions


Mitigation

  • Recommended settings: Single DH use enabled, ADH disabled (not enabled by default), DHE disabled (enabled by default), Unclean Shutdown disabled (on an abnormal SSL termination the TCP connection is closed without sending an SSL close notify alert)
  1. Log in to the Configuration utility.
  2. Go to Local Traffic > Profiles > SSL > Client.
  3. Select the Client SSL profile.
  4. In the Configuration list, select Advanced.
  5. In the Options section, in the list, select Options List.
  6. In the Options List section, under Available Options, select Single DH use, and then select Enable.

The Single DH Use option displays under Enabled Options.

  7. In Ciphers, in the text box, enter a cipher string that disables ADH or DHE, such as the following example:

!DHE:!ADH:ALL

  8. In Unclean Shutdown, select Enabled.
  9. At the bottom of the page, select Update.
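The cipher string in step 7 uses OpenSSL-style syntax, so a local OpenSSL build can show which suites it leaves negotiable and confirm that no finite-field DH suite (DHE or ADH) remains. The check below is an added example, not part of the advisory or of F5's tooling; it assumes a Python build linked against OpenSSL with the usual DHE/ADH aliases, and BIG-IP's own cipher-string evaluation may differ in detail.

```python
import ssl

# Cipher string from the mitigation steps: remove DHE and ADH suites, keep everything else.
HARDENED_CIPHERS = "!DHE:!ADH:ALL"


def negotiable_suites(cipher_string):
    """Suites the local OpenSSL build would offer for cipher_string, returned as
    (name, key_exchange, authentication) parsed from OpenSSL's description line,
    e.g. "DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=... Mac=..."."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    suites = []
    for cipher in ctx.get_ciphers():
        fields = dict(tok.split("=", 1) for tok in cipher["description"].split() if "=" in tok)
        suites.append((cipher["name"], fields.get("Kx", "?"), fields.get("Au", "?")))
    return suites


def dh_exposed_suites(cipher_string):
    """Suites still using finite-field DH key exchange: DHE (Kx=DH with an
    authenticated Au) and ADH (Kx=DH, Au=None). These are the suites that
    conditions 1 and 2 above apply to; ECDHE (Kx=ECDH) and TLS 1.3 (Kx=any)
    suites are not flagged."""
    return [s for s in negotiable_suites(cipher_string) if s[1] == "DH"]


def hardening_report(before="DEFAULT", after=HARDENED_CIPHERS):
    """Count total and DH-exposed suites for the DEFAULT list and the hardened string."""
    return {
        "before": {"total": len(negotiable_suites(before)), "dh": len(dh_exposed_suites(before))},
        "after": {"total": len(negotiable_suites(after)), "dh": len(dh_exposed_suites(after))},
    }


if __name__ == "__main__":
    # Show which DEFAULT suites would still negotiate DHE/ADH before the change is applied.
    for name, kx, au in dh_exposed_suites("DEFAULT"):
        print(f"DEFAULT still offers {name} (Kx={kx}, Au={au})")
    print(hardening_report())
```

A non-empty "before" DH count with an "after" count of zero confirms the string behaves as the advisory describes on that OpenSSL build.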


The details above can be verified at https://support.f5.com/csp/article/K91158923.