Multiple vulnerabilities in F5 Networks BIG-IP products



Published: 2019-11-26 | Updated: 2019-12-20
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2019-6664
CVE-2019-6687
CWE-ID CWE-264
CWE-295
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		BIG-IP
Hardware solutions / Firmware

BIG-IP LTM
Hardware solutions / Security hardware applicances

BIG-IP AFM
Hardware solutions / Security hardware applicances

BIG-IP Analytics
Hardware solutions / Security hardware applicances

BIG-IP APM
Hardware solutions / Security hardware applicances

BIG-IP ASM
Hardware solutions / Security hardware applicances

BIG-IP FPS
Hardware solutions / Security hardware applicances

BIG-IP GTM
Hardware solutions / Security hardware applicances

BIG-IP PEM
Hardware solutions / Security hardware applicances

BIG-IP AAM
Hardware solutions / Routers & switches, VoIP, GSM, etc

BIG-IP DNS
Hardware solutions / Routers & switches, VoIP, GSM, etc

BIG-IP Edge Gateway
Hardware solutions / Routers & switches, VoIP, GSM, etc

BIG-IP Link Controller
Hardware solutions / Routers & switches, VoIP, GSM, etc

BIG-IP WebAccelerator
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor F5 Networks

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

Updated 20.12.2019
Added vulnerability #2

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU22977

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-6664

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to otherwise restricted functionality.

The vulnerability exists due to network protections on the management port do not follow current best practices, under certain conditions. The default firewall rules for the management interface are not reliably reinstalled after first boot. As a result, a remote attacker can expose the management interface.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

BIG-IP: 14.1.0 - 15.0.0

BIG-IP LTM: 14.1.0 - 15.0.0

BIG-IP AAM: 14.1.0 - 15.0.0

BIG-IP AFM: 14.1.0 - 15.0.0

BIG-IP Analytics: 14.1.0 - 15.0.0

BIG-IP APM: 14.1.0 - 15.0.0

BIG-IP ASM: 14.1.0 - 15.0.0

BIG-IP DNS: 14.1.0 - 15.0.0

BIG-IP Edge Gateway: 14.1.0 - 15.0.0

BIG-IP FPS: 14.1.0 - 15.0.0

BIG-IP GTM: 14.1.0 - 15.0.0

BIG-IP Link Controller: 14.1.0 - 15.0.0

BIG-IP PEM: 14.1.0 - 15.0.0

BIG-IP WebAccelerator: 14.1.0 - 15.0.0

External links

http://support.f5.com/csp/article/K03126093


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Certificate Validation

EUVDB-ID: #VU23773

Risk: Medium

CVSSv3.1: 6.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-6687

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a man-in-the-middle attack.

The vulnerability exists due to the Cloud Security Services profile uses a built-in verification mechanism that fails to properly authenticate the X.509 certificate of remote endpoints. A remote attacker can perform a man-in-the-middle attack, intercept traffic destined for cloud services and read and modify data that is in transit.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

BIG-IP ASM: 15.0.1

External links

http://support.f5.com/csp/article/K59957337


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###