A10 PSIRT Team
June 20, 2018

About A10 PSIRT Team

The A10 SERT Team is A10 Networks' Security Engineering Research Team.

Recent posts by the Author

June 20, 2018

Application Load Balancer with Analytics for AWS GovCloud

A10 announces the immediate availability of its Harmony Controller SaaS with Lightning ADC for AWS GovCloud. A10 was invited to deliver the keynote address at the 9th annual AWS Public Sector Summit, due to our position as the only application delivery SaaS solution for the AWS Public Sector SaaS. AWS GovCloud is the isolated region allowing organizations…

March 12, 2018

5 Ways IoT Threats Can Crumble Your DDoS Defenses

Distributed denial of service (DDoS) attackers have mastered the art of control when it comes to unsecured, connected devices, causing chaos and breeding fear. Weaponizing the Internet of Things (IoT) allows these threat actors to exploit millions of these vulnerable IoT devices to create sophisticated, malware-based DDoS botnets to launch devastating attacks. We call this…

March 7, 2018

Dawn of a New Threat: The IoT DDoS Invasion

The game has changed. Attackers now weaponize connected devices to launch destructive distributed denial-of-service (DDoS) attacks. Massive botnets can be created from these unsecured IoT devices to launch damaging DDoS attacks. A10 calls this phenomenon the DDoS of Things (DDoT). Discover the mass destruction – at scale – in this infographic. Connected devices are everywhere…

February 12, 2018

Avoid the SSL Encryption Shadow Monster: A Look at SSL Decryption

Freely Flowing SSL Encrypted Traffic: The popular Netflix series “Stranger Things” – with all of its nods to 80’s sci-fi and nostalgia – is based on the premise that there are two parallel realities: the real world and “the upside down,” an evil inverted world inhabited by monsters. And while the technology of “Stranger Things” doesn’t stray…

February 9, 2017

HTTPS Interception and the Truth About Thunder SSLi Cipher Support

The A10 Networks Security Engineering Research Team recently reviewed the paper titled, “The Security Impact of HTTPS Interception,” which examines and grades the “security of TLS interception middleboxes,” including A10 Networks Thunder SSL Insight (SSLi). Unfortunately, the authors of the report did not contact us for guidance on the appropriate configuration for their testing requirements.…

September 23, 2016

Patch Available for CVE-2014-8730 Padding Flaw

A10 Thunder ADC appliances running ACOS versions 2.7.2 P3 or earlier are susceptible to a TLS padding attack. The TLS padding flaw, identified as CVE-2014-8730, is a new variant of the POODLE vulnerability disclosed in October. The TLS padding flaw can be exploited remotely, allowing an attacker to decrypt sensitive data in the SSL connection.…

June 10, 2016

CVE-2016-0270 GCM nonce vulnerability

Back in February we were contacted by Hanno Böck, who had discovered an issue with how certain devices generate the nonce for AES-GCM and subsequently published a paper on the topic; the bug was assigned CVE-2016-0270. Even though in our case the bug had low severity, we tracked down the source and corrected the…

January 31, 2016

OpenSSL Advisory from 2016-01-28

On January 28th, the OpenSSL project published an advisory which addressed CVE-2016-0701 (DH small subgroups) and CVE-2015-3197 (SSLv2 doesn’t block disabled ciphers). ACOS does not support SSLv2 and it does not support the vulnerable DH groups.

December 10, 2015

OpenSSL Advisory from 2015-12-03

On December 3rd, 2015, OpenSSL released a security advisory covering CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 and CVE-2015-1794 across multiple versions of OpenSSL. Of those, ACOS is affected only by CVE-2015-3195, which is addressed in this A10 PSIRT advisory.

July 9, 2015

CVE-2015-1793: OpenSSL Alternative chains certificate forgery

On July 9th, OpenSSL released a security advisory containing a single item with "high" severity. This vulnerability was introduced in OpenSSL versions 1.0.1n/1.0.1o and 1.0.2b/1.0.2c, which were released on June 11th and 12th respectively. A10 PSIRT investigated the issue; that code base is not in use, thus none of our software is vulnerable to…