Sign in / up

back to article F5 DROWNing, not waving, in crypto fail

If you're an F5 BIG-IP sysadmin, get patching: there's a bug in the company's RSA implementation that can give an attacker access to encrypted messages. As the CVE assignment stated: “a virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. John Smith 19 Gold badge
    Gimp

    But note "Significantly more difficult" does not mean impossible

    Especially with state actors.

    6 1 Reply
  2. Sir Runcible Spoon
    Paris Hilton

    Eh?

    "(Decrypting RSA with Obsolete and Weakened Encryption)"

    Surely that would be DROWE then?

    0 0 Reply
    1. NoneTheFewer
      Reply Icon

      Re: Eh?

      DR SAOWE!

      2 0 Reply
    2. Deltics
      Reply Icon
      Boffin

      Re: Eh?

      Encryption -> "En..." -> N

      As in "Dee Are Oh Double-You En"

      Unless you spell out DROWN as "Duh Ruh O Wuh Nuh". :)

      2 0 Reply
      1. Sir Runcible Spoon
        Reply Icon
        Joke

        Re: Eh?

        I see what you are saying Deltics (and I understand that some acronyms borrow letters from a word subsequent to the first) but it still doesn't make any sense.

        Also, it was just a joke :P

        0 0 Reply
  3. teknopaul

    Did I miss something, seems like an F5 misconfigured to permit downgrade attacks is vulnerable to downgrade attacks.

    1 0 Reply
    1. EnviableOne
      Reply Icon

      Nah just the BIG-IP with big Intelectual Property holes in it again

      1 0 Reply
  4. Anonymous Coward
    Anonymous Coward

    Cloudflare's statement is incorrect

    The RSA key is NEVER in danger of being exposed here. The easiest fix is to use ECDHE:DHE instead of RSA for key exchanges. “DEFAULT:!RSA” or “ECDHE:DHE” makes this a non-issue.

    0 1 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like