Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU22977
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-6664
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to otherwise restricted functionality.
The vulnerability exists due to network protections on the management port do not follow current best practices, under certain conditions. The default firewall rules for the management interface are not reliably reinstalled after first boot. As a result, a remote attacker can expose the management interface.
MitigationInstall updates from vendor's website.
Vulnerable software versionsBIG-IP: 14.1.0 - 15.0.0
BIG-IP LTM: 14.1.0 - 15.0.0
BIG-IP AAM: 14.1.0 - 15.0.0
BIG-IP AFM: 14.1.0 - 15.0.0
BIG-IP Analytics: 14.1.0 - 15.0.0
BIG-IP APM: 14.1.0 - 15.0.0
BIG-IP ASM: 14.1.0 - 15.0.0
BIG-IP DNS: 14.1.0 - 15.0.0
BIG-IP Edge Gateway: 14.1.0 - 15.0.0
BIG-IP FPS: 14.1.0 - 15.0.0
BIG-IP GTM: 14.1.0 - 15.0.0
BIG-IP Link Controller: 14.1.0 - 15.0.0
BIG-IP PEM: 14.1.0 - 15.0.0
BIG-IP WebAccelerator: 14.1.0 - 15.0.0
External linkshttp://support.f5.com/csp/article/K03126093
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23773
Risk: Medium
CVSSv3.1: 6.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-6687
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a man-in-the-middle attack.
The vulnerability exists due to the Cloud Security Services profile uses a built-in verification mechanism that fails to properly authenticate the X.509 certificate of remote endpoints. A remote attacker can perform a man-in-the-middle attack, intercept traffic destined for cloud services and read and modify data that is in transit.
MitigationInstall updates from vendor's website.
Vulnerable software versionsBIG-IP ASM: 15.0.1
External linkshttp://support.f5.com/csp/article/K59957337
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.