Forum Discussion

Michael_England
Nov 12, 2014

CVE-2014-6321 and F5 SSL Bridging/Offloading

I'm curious if anyone has figured out how the new MS Schannel vulnerability (CVE-2014-6321) affects back end servers with SSL Bridging/Offloading enabled. It doesn't sound like it's an issue with the SSL handshake, but with a special packet. This leads me to believe that even with the BIG-IP terminating SSL that this could still be passed to the back end servers. Thoughts?

1 Reply

  • Hi Michael,

    I've read that there were multiple issues, including certificate validation bypasses and remote code execution. Unless someone releases a Proof of Concept, you cannot be certain that SSL Offloading will fix anything.

    If the problem arises from being able to influence certain parameters of the connection (like including a cipher suite that somehow overflows a buffer), you can mitigate it with SSL Offloading, but if the problem arises from, for example, being able to craft plaintext data that yields encrypted data that crashes the stack (in light of POODLE for example), SSL Offloading may not provide any mitigation at all.

    If you're using the ProxySSL feature, the data you're sending to the server isn't changed at all, so you're inspecting data, but you're not really offloading SSL in a way that there is a different connection on the frontend side and the backend side, thus possibly not mitigating the issue.

    There's a lot of maybes and probablys in this story, so your best bet is still to upgrade the servers, or calculate the risk and monitor/log all traffic, depending on your company's security-enforcement policies.

    Kind regards,

    Thomas Schockaert