Denial of service in F5 BIG-IP

1) Denial of service

EUVDB-ID: #VU6531

Risk: Low

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-9250

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated user to delete files on the target system.

The weakness exists due to insufficient security controls imposed by the management control plane component of the affected software. A remote attacker can use undisclosed measures through the Web Configuration Utility, iControl REST, or iControl SOAP, delete arbitrary files through an undisclosed mechanism and cause the application to crash.

Successful exploitation of the vulnerability may result in denial of service.

Mitigation

Update to version 12.1.2 HF1 or 13.0.0.

Vulnerable software versions

BIG-IP AAM: 11.4.0 - 12.1.2

BIG-IP AFM: 11.6.1 - 12.1.2

BIG-IP Analytics: 12.0.0 - 12.1.2

BIG-IP APM: 11.6.1 - 12.1.2

BIG-IP ASM: 11.6.1 - 12.1.2

BIG-IP DNS: 12.0.0 - 12.1.2

BIG-IP Link Controller: 12.0.0 - 12.1.2

BIG-IP LTM: 11.2.1 - 12.1.2

BIG-IP PEM: 11.6.1 - 12.1.2

BIG-IP WebSafe: 12.0 - 12.1.2

BIG-IP GTM: 11.6.1 - 11.6.1 HF1

External links

http://support.f5.com/csp/article/K55792317

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.