SB2018122706 - Multiple vulnerabilities in F5 BIG-IP

Description

This security bulletin contains information about 2 vulnerabilities.

1) Cross-site request forgery (CVE-ID: CVE-2018-15334)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page and force an APM webtop session to log out and require re-authentication.

2) Information disclosure (CVE-ID: CVE-2018-15333)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to unrestricted Snapshot File Access. A BIG-IP system's user with any role, including Guest Role can gain access and download previously generated and available snapshot files on the BIG-IP configuration utility such as QKView and TCPDumps.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://support.f5.com/csp/article/K74114570
• https://support.f5.com/csp/article/K53620021