Show vulnerabilities with patch / with exploit

Improper access control in F5 BIG-IP ASM and BIG-IQ/Enterprise Manager/F5 iWorkflow



Published: 2019-11-29
Severity Medium
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2019-6665
CWE ID CWE-284
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
BIG-IQ Centralized Management
Server applications / Remote management servers, RDP, SSH

F5 iWorkflow
Server applications / Remote management servers, RDP, SSH

Enterprise Manager
Client/Desktop applications / Other client software

BIG-IP ASM
Hardware solutions / Security hardware applicances

Vendor F5 Networks, Inc.

Security Advisory

This security advisory describes one medium risk vulnerability.

1) Improper access control

Severity: Medium

CVSSv3: 6.7 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-6665

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker with access to the device communication between the BIG-IP ASM Central Policy Builder and the BIG-IQ/Enterprise Manager/F5 iWorkflow can set up the proxy the same way and intercept the traffic.

This may lead to incorrect policy building suggestions or a partial denial-of-service (DoS).

Mitigation

Install updates from vendor's website.

Vulnerable software versions

BIG-IQ Centralized Management: 5.2.0, 5.3.0, 5.4.0, 6.0.0

F5 iWorkflow: 2.3.0

Enterprise Manager: 3.1.1

BIG-IP ASM: 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.6, 13.1.0.8, 13.1.1, 13.1.1.5, 13.1.3, 13.1.3.1, 14.0.0, 14.0.1, 14.1.0, 14.1.1, 14.1.2, 15.0.0, 15.0.1

CPE External links

https://support.f5.com/csp/article/K26462555

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.