CVE-2017-6168 : On BIG-IP versions 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed

On BIG-IP versions 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) a virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages and/or a Man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server's private key itself, aka a ROBOT attack.

Published 2017-11-17 19:29:00

Updated 2021-09-23 15:58:20

Source F5 Networks

View at NVD, CVE.org

Products affected by CVE-2017-6168

F5 » Big-ip Link Controller
Versions from including (>=) 12.0.0 and up to, including, (<=) 12.1.2
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Link Controller
Versions from including (>=) 11.6.0 and up to, including, (<=) 11.6.2
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Link Controller » Version: 13.0.0
cpe:2.3:a:f5:big-ip_link_controller:13.0.0:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Analytics
Versions from including (>=) 12.0.0 and up to, including, (<=) 12.1.2
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Analytics
Versions from including (>=) 11.6.0 and up to, including, (<=) 11.6.2
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Analytics » Version: 13.0.0
cpe:2.3:a:f5:big-ip_analytics:13.0.0:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Acceleration Manager
Versions from including (>=) 12.0.0 and up to, including, (<=) 12.1.2
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Acceleration Manager
Versions from including (>=) 11.6.0 and up to, including, (<=) 11.6.2
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Acceleration Manager » Version: 13.0.0
cpe:2.3:a:f5:big-ip_application_acceleration_manager:13.0.0:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Ltm
Versions from including (>=) 12.0.0 and up to, including, (<=) 12.1.2
cpe:2.3:a:f5:big-ip_ltm:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Ltm
Versions from including (>=) 11.6.0 and up to, including, (<=) 11.6.2
cpe:2.3:a:f5:big-ip_ltm:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Ltm » Version: 13.0.0
cpe:2.3:a:f5:big-ip_ltm:13.0.0:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Afm
Versions from including (>=) 12.0.0 and up to, including, (<=) 12.1.2
cpe:2.3:a:f5:big-ip_afm:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Afm
Versions from including (>=) 11.6.0 and up to, including, (<=) 11.6.2
cpe:2.3:a:f5:big-ip_afm:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Afm » Version: 13.0.0
cpe:2.3:a:f5:big-ip_afm:13.0.0:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Apm
Versions from including (>=) 11.6.0 and up to, including, (<=) 11.6.2
cpe:2.3:a:f5:big-ip_apm:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Apm
Versions from including (>=) 12.0.0 and up to, including, (<=) 12.1.2
cpe:2.3:a:f5:big-ip_apm:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Apm » Version: 13.0.0
cpe:2.3:a:f5:big-ip_apm:13.0.0:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Asm
Versions from including (>=) 12.0.0 and up to, including, (<=) 12.1.2
cpe:2.3:a:f5:big-ip_asm:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Asm
Versions from including (>=) 11.6.0 and up to, including, (<=) 11.6.2
cpe:2.3:a:f5:big-ip_asm:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Asm » Version: 13.0.0
cpe:2.3:a:f5:big-ip_asm:13.0.0:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Pem
Versions from including (>=) 11.6.0 and up to, including, (<=) 11.6.2
cpe:2.3:a:f5:big-ip_pem:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Pem
Versions from including (>=) 12.0.0 and up to, including, (<=) 12.1.2
cpe:2.3:a:f5:big-ip_pem:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Pem » Version: 13.0.0
cpe:2.3:a:f5:big-ip_pem:13.0.0:*:*:*:*:*:*:*
Matching versions
F5 » Websafe
Versions from including (>=) 12.0.0 and up to, including, (<=) 12.1.2
cpe:2.3:a:f5:websafe:*:*:*:*:*:*:*:*
Matching versions
F5 » Websafe » Version: 13.0.0
cpe:2.3:a:f5:websafe:13.0.0:*:*:*:*:*:*:*
Matching versions
F5 » Websafe » Version: 11.6.2
cpe:2.3:a:f5:websafe:11.6.2:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-6168

EPSS FAQ

66.43%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 98 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2017-6168

Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5

Disclosure Date: 2009-06-17

First seen: 2020-04-26

auxiliary/scanner/ssl/bleichenbacher_oracle

Some TLS implementations handle errors processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads an adaptive chosen-chiphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with i

More information

CVSS scores for CVE-2017-6168

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.4	HIGH	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N	2.2	5.2	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2017-6168

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-6168

http://www.securitytracker.com/id/1039839

F5 BIG-IP RSA TLS Implementation Lets Remote Users Decrypt Data Communicated By the Target System - SecurityTracker
Third Party Advisory;VDB Entry
https://www.kb.cert.org/vuls/id/144389

VU#144389 - TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding
Third Party Advisory;US Government Resource

CVEs referencing this url
https://robotattack.org/

The ROBOT Attack - Return of Bleichenbacher's Oracle Threat
Technical Description;Third Party Advisory

CVEs referencing this url
https://support.f5.com/csp/article/K21905460

Issue Tracking;Mitigation;Vendor Advisory
http://www.securityfocus.com/bid/101901

Multiple F5 BIG-IP Products CVE-2017-6168 Information Disclosure Vulnerability
Third Party Advisory;VDB Entry

Jump to