Improper access control in F5 BIG-IP ASM and BIG-IQ/Enterprise Manager/F5 iWorkflow

1) Improper access control

EUVDB-ID: #VU23091

Risk: Medium

CVSSv4.0: 7.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-6665

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker with access to the device communication between the BIG-IP ASM Central Policy Builder and the BIG-IQ/Enterprise Manager/F5 iWorkflow can set up the proxy the same way and intercept the traffic.

This may lead to incorrect policy building suggestions or a partial denial-of-service (DoS).

Mitigation

Install updates from vendor's website.

Vulnerable software versions

BIG-IQ Centralized Management: 5.2.0 - 6.0.0

F5 iWorkflow: 2.3.0

Enterprise Manager: 3.1.1

BIG-IP ASM: 13.1.0 - 15.0.1

CPE2.3

• cpe:2.3:a:f5_networks:big-iq:5.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:f5_networks:big-iq:5.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:f5_networks:big-iq:5.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:f5_networks:iworkflow:2.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:f5_networks:enterprise_manager:3.1.1:*:*:*:*:*:*:*
• cpe:2.3:h:f5_networks:big-ip_asm:13.1.0:*:*:*:*:*:*:*
• cpe:2.3:h:f5_networks:big-ip_asm:13.1.0.1:*:*:*:*:*:*:*
• cpe:2.3:h:f5_networks:big-ip_asm:13.1.0.2:*:*:*:*:*:*:*

External links

https://support.f5.com/csp/article/K26462555

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.