In versions 13.0.0-13.0.0 HF2, 12.1.0-12.1.2 HF1, and 11.6.1-11.6.2, BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a Virtual Server configured with a Client SSL profile, and using Anonymous (ADH) or Ephemeral (DHE) Diffie-Hellman key exchange and Single DH use option not enabled in the options list may be vulnerable to crafted SSL/TLS Handshakes that may result with a PMS (Pre-Master Secret) that starts in a 0 byte and may lead to a recovery of plaintext messages as BIG-IP TLS/SSL ADH/DHE sends different error messages acting as an oracle. Similar error messages when PMS starts with 0 byte coupled with very precise timing measurement observation may also expose this vulnerability.
Attack Vector Network
Attack Complexity High
Privileges Required None
Scope Unchanged
Confidentiality Impact High
Integrity Impact None
Availability Impact None
User Interaction None
No CVSS v3.0
Access Vector Network
Access Complexity High
Authentication None
Confidentiality Impact Partial
Integrity Impact None
Availability Impact None
AV:N/AC:H/Au:N/C:P/I:N/A:N
Vendors | Products |
---|---|
F5 |
|
Configuration 1 [-]
|
References
Link | Resource |
---|---|
https://support.f5.com/csp/article/K91158923 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: f5
Published: 2020-09-25T13:22:47
Updated: 2020-09-25T13:22:47
Reserved: 2020-01-06T00:00:00
Link: CVE-2020-5929
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-09-25T14:15:13.970
Modified: 2021-07-21T11:39:23.747
Link: CVE-2020-5929
JSON object: View
Redhat Information
No data.
CWE