Handling Common F5 Vulnerabilities


I. CVE-2016-2183

1. Management interface vulnerability

(1) List the cipher suites supported by the management address

[root@localdns3:Active:Standalone] config # tmsh list sys httpd ssl-ciphersuite
sys httpd {
    ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256
}

(2) Disable 3DES ciphers in the supported cipher suites by appending :!3DES to the cipher suite string from the previous step

[root@localdns3:Active:Standalone] config # tmsh modify sys httpd ssl-ciphersuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:!3DES"

(3) Change the SSL protocol setting to disable the old SSL/TLS protocol versions

[root@localdns3:Active:Standalone] config # tmsh modify sys httpd ssl-protocol "all -SSLv2 -SSLv3 -TLSv1"

(4) Save the configuration

[root@localdns3:Active:Standalone] config # tmsh save sys config

2. Service port (virtual server) vulnerability

(1) Check the cipher suites of the SSL profile

[root@localhost:Active:Standalone] config # tmsh list ltm profile client-ssl test_clientssl ciphers 
ltm profile client-ssl test_clientssl {
    ciphers DEFAULT
}

(2) Modify the SSL profile to disable 3DES ciphers by appending :!3DES to the cipher string from the previous step.

[root@localhost:Active:Standalone] config # tmsh modify ltm profile client-ssl test_clientssl ciphers "DEFAULT:!3DES"

(3) Save the configuration

[root@localdns3:Active:Standalone] config # tmsh save sys config

3. Related official documentation

https://support.f5.com/csp/article/K13167034

II. SSL/TLS server ephemeral Diffie-Hellman public key too weak

(1) Check the cipher suites of the SSL profile

[root@localhost:Active:Standalone] config # tmsh list ltm profile client-ssl test_clientssl ciphers 
ltm profile client-ssl test_clientssl {
    ciphers DEFAULT
}

(2) Modify the SSL profile to disable DHE ciphers by appending :!DHE to the cipher string from the previous step.

[root@localhost:Active:Standalone] config # tmsh modify ltm profile client-ssl test_clientssl ciphers "DEFAULT:!DHE"

(3) Save the configuration

[root@localdns3:Active:Standalone] config # tmsh save sys config
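All three procedures above (the management httpd cipher suite, the client-ssl profile for 3DES, and the client-ssl profile for DHE) come down to appending an exclusion to the current cipher string and then writing it back with tmsh. The script below is an added example, not part of the original post and not F5 tooling: it parses the output of `tmsh list ltm profile client-ssl ciphers` for every profile at once, appends `!3DES` and `!DHE` only where they are missing (so it is safe to run more than once), and prints the matching `tmsh modify` commands in the same form the post uses. The profile names and cipher strings in the embedded sample are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: turn the output of
# "tmsh list ltm profile client-ssl ciphers" into the tmsh modify commands
# that append !3DES and !DHE, skipping profiles that already exclude them.
# Profile names and cipher strings below are constructed sample data.

# Constructed sample of "tmsh list ltm profile client-ssl ciphers" output.
SAMPLE_TMSH_OUTPUT='ltm profile client-ssl clientssl {
    ciphers DEFAULT
}
ltm profile client-ssl test_clientssl {
    ciphers DEFAULT:!3DES
}
ltm profile client-ssl legacy_clientssl {
    ciphers DEFAULT:!DHE
}
ltm profile client-ssl hardened_clientssl {
    ciphers DEFAULT:!3DES:!DHE
}'

# add_exclusions CIPHER_STRING EXCLUSION...
# Prints CIPHER_STRING with ":!EXCLUSION" appended for each exclusion that is
# not already present, so running it twice gives the same result.
add_exclusions() {
    cs=$1
    shift
    for ex in "$@"; do
        case ":$cs:" in
            *":!$ex:"*) ;;              # already excluded, leave as-is
            *) cs="$cs:!$ex" ;;
        esac
    done
    printf '%s\n' "$cs"
}

# httpd_command CURRENT_SSL_CIPHERSUITE
# Prints the management-interface command; the sys httpd string takes the
# same ":!3DES" suffix as a client-ssl profile string.
httpd_command() {
    printf 'tmsh modify sys httpd ssl-ciphersuite "%s"\n' "$(add_exclusions "$1" 3DES)"
}

# parse_profiles < tmsh-output
# Prints one "NAME CIPHERS" line per client-ssl profile.
parse_profiles() {
    awk '/^ltm profile client-ssl / { name = $4 }
         /^ *ciphers /              { print name, $2 }'
}

# gen_commands < tmsh-output
# Prints a tmsh modify line for every profile whose cipher string changes;
# profiles that already exclude both 3DES and DHE produce no output.
gen_commands() {
    parse_profiles | while read -r name current; do
        hardened=$(add_exclusions "$current" 3DES DHE)
        if [ "$hardened" != "$current" ]; then
            printf 'tmsh modify ltm profile client-ssl %s ciphers "%s"\n' \
                "$name" "$hardened"
        fi
    done
}

# Demo run on the constructed sample. On a BIG-IP you would pipe the real
# "tmsh list ltm profile client-ssl ciphers" output into gen_commands instead.
printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | gen_commands
httpd_command "ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA"
```

Review the printed commands before running them on the device, then finish with `tmsh save sys config` as in the post; re-running the `tmsh list` commands above afterwards confirms the new cipher strings are in place.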