Vulnerability Name: CVE-2017-6168 (CCN-135008)

Assigned: 2017-11-17
Published: 2017-11-17
Updated: 2021-09-23
Summary: On BIG-IP versions 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3), a virtual server configured with a Client SSL profile may be vulnerable to an adaptive chosen-ciphertext attack (also known as a Bleichenbacher attack) against RSA. When exploited, this may result in plaintext recovery of encrypted messages and/or a man-in-the-middle (MiTM) attack, even though the attacker has not gained access to the server's private key itself. This is also known as a ROBOT attack.
CVSS v3 Severity: 7.4 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
6.4 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): None
9.1 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
7.9 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
9.4 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): None
Vulnerability Type: CWE-203
Vulnerability Consequences: Obtain Information
References:

Source: MITRE
Type: CNA
CVE-2017-6168

Source: CCN
Type: IBM Security Bulletin 2015061 (Sterling B2B Integrator)
IBM Sterling B2B Integrator is Vulnerable to a Robot Security Vulnerability (CVE-2017-6168)

Source: CCN
Type: IBM Security Bulletin 2015539 (PredictiveInsight)
Multiple Security Vulnerabilities Impact IBM Predictive Insights

Source: CCN
Type: US-CERT VU#144389
TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding

Source: BID
Type: Third Party Advisory, VDB Entry
101901

Source: CCN
Type: BID-101901
Multiple F5 BIG-IP Products CVE-2017-6168 Information Disclosure Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1039839

Source: XF
Type: UNKNOWN
f5-bigip-cve20176168-info-disc(135008)

Source: CCN
Type: Robot Attack Web site
The ROBOT Attack

Source: MISC
Type: Technical Description, Third Party Advisory
https://robotattack.org/

Source: CCN
Type: F5 Security Advisory K21905460
BIG-IP SSL vulnerability CVE-2017-6168

Source: CONFIRM
Type: Issue Tracking, Mitigation, Vendor Advisory
https://support.f5.com/csp/article/K21905460

Source: CERT-VN
Type: Third Party Advisory, US Government Resource
VU#144389

Vulnerable Configuration:

  • Configuration 1:
  • cpe:/a:f5:big-ip_ltm:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)
  • OR cpe:/a:f5:big-ip_local_traffic_manager:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_ltm:*:*:*:*:*:*:*:* (Version >= 11.6.0 and <= 11.6.2)

  • Configuration 2:
  • cpe:/a:f5:big-ip_application_acceleration_manager:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)
  • OR cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 11.6.0 and <= 11.6.2)

  • Configuration 3:
  • cpe:/a:f5:big-ip_afm:*:*:*:*:*:*:*:* (Version >= 11.6.0 and <= 11.6.2)
  • OR cpe:/a:f5:big-ip_afm:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_afm:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)

  • Configuration 4:
  • cpe:/a:f5:big-ip_analytics:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)
  • OR cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 11.6.0 and <= 11.6.2)

  • Configuration 5:
  • cpe:/a:f5:big-ip_apm:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)
  • OR cpe:/a:f5:big-ip_apm:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_apm:*:*:*:*:*:*:*:* (Version >= 11.6.0 and <= 11.6.2)

  • Configuration 6:
  • cpe:/a:f5:big-ip_asm:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)
  • OR cpe:/a:f5:big-ip_asm:*:*:*:*:*:*:*:* (Version >= 11.6.0 and <= 11.6.2)
  • OR cpe:/a:f5:big-ip_asm:13.0.0:*:*:*:*:*:*:*

  • Configuration 7:
  • cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 11.6.0 and <= 11.6.2)
  • OR cpe:/a:f5:big-ip_link_controller:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)

  • Configuration 8:
  • cpe:/a:f5:big-ip_pem:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_pem:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)
  • OR cpe:/a:f5:big-ip_pem:*:*:*:*:*:*:*:* (Version >= 11.6.0 and <= 11.6.2)

  • Configuration 9:
  • cpe:/a:f5:websafe:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:websafe:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)
  • OR cpe:/a:f5:websafe:11.6.2:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:f5:big-ip_local_traffic_manager:11.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:11.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_local_traffic_manager:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_application_acceleration_manager:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_afm:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_analytics:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_asm:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_dns:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_link_controller:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_pem:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_websafe:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_local_traffic_manager:12.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:12.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_link_controller:12.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_websafe:12.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_analytics:12.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_dns:12.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_local_traffic_manager:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_analytics:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_dns:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_global_traffic_manager:11.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_link_controller:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_pem:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_websafe:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_local_traffic_manager:11.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_analytics:11.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_access_policy_manager:11.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_global_traffic_manager:11.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_link_controller:11.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_pem:11.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_analytics:11.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_link_controller:11.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_pem:11.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:f5:big-ip_websafe:11.6.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:sterling_b2b_integrator:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.5:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    f5 big-ip ltm *
    f5 big-ip ltm 13.0.0
    f5 big-ip ltm *
    f5 big-ip application acceleration manager 13.0.0
    f5 big-ip application acceleration manager *
    f5 big-ip application acceleration manager *
    f5 big-ip afm *
    f5 big-ip afm 13.0.0
    f5 big-ip afm *
    f5 big-ip analytics 13.0.0
    f5 big-ip analytics *
    f5 big-ip analytics *
    f5 big-ip apm *
    f5 big-ip apm 13.0.0
    f5 big-ip apm *
    f5 big-ip asm *
    f5 big-ip asm *
    f5 big-ip asm 13.0.0
    f5 big-ip link controller *
    f5 big-ip link controller 13.0.0
    f5 big-ip link controller *
    f5 big-ip pem 13.0.0
    f5 big-ip pem *
    f5 big-ip pem *
    f5 websafe 13.0.0
    f5 websafe *
    f5 websafe 11.6.2
    f5 big-ip local traffic manager 11.6.0
    f5 big-ip access policy manager 11.6.0
    f5 big-ip local traffic manager 13.0.0
    f5 big-ip aam 13.0.0
    f5 big-ip afm 13.0.0
    f5 big-ip analytics 13.0.0
    f5 big-ip access policy manager 13.0.0
    f5 big-ip asm 13.0.0
    f5 big-ip dns 13.0.0
    f5 big-ip link controller 13.0.0
    f5 big-ip pem 13.0.0
    f5 big-ip websafe 13.0.0
    f5 big-ip local traffic manager 12.1.2
    f5 big-ip access policy manager 12.1.2
    f5 big-ip link controller 12.1.2
    f5 big-ip websafe 12.1.2
    f5 big-ip analytics 12.1.2
    f5 big-ip dns 12.1.2
    f5 big-ip local traffic manager 12.0.0
    f5 big-ip analytics 12.0.0
    f5 big-ip access policy manager 12.0.0
    f5 big-ip dns 12.0.0
    f5 big-ip global traffic manager 11.6.0
    f5 big-ip link controller 12.0.0
    f5 big-ip pem 12.0.0
    f5 big-ip websafe 12.0.0
    f5 big-ip local traffic manager 11.6.2
    f5 big-ip analytics 11.6.2
    f5 big-ip access policy manager 11.6.2
    f5 big-ip global traffic manager 11.6.2
    f5 big-ip link controller 11.6.2
    f5 big-ip pem 11.6.2
    f5 big-ip analytics 11.6.0
    f5 big-ip link controller 11.6.0
    f5 big-ip pem 11.6.0
    f5 big-ip websafe 11.6.0
    ibm sterling b2b integrator 5.2
    ibm sterling b2b integrator 5.2.4
    ibm sterling b2b integrator 5.2.1
    ibm sterling b2b integrator 5.2.2
    ibm sterling b2b integrator 5.2.3
    ibm sterling b2b integrator 5.2.5