SB2020042408 - Multiple vulnerabilities in F5 BIG-IQ Centralized Management

Description

This security bulletin contains information about 2 vulnerabilities.

1) Improper Certificate Validation (CVE-ID: CVE-2020-5869)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a man-in-the-middle (MitM) attack.

The vulnerability exists due to the IG-IQ high availability (HA) synchronization is not secure by TLS. A remote attacker can perform a MitM attack and read or modify confidential data in transit.

2) Improper Authentication (CVE-ID: CVE-2020-5870)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the BIG-IQ high availability (HA) synchronization mechanisms do not use any form of authentication for connecting to the peer. A remote attacker on the local network can establish a connection to the BIG-IQ HA synchronization and compromise data.

Remediation

Install update from vendor's website.

References

• https://support.f5.com/csp/article/K28855111
• https://support.f5.com/csp/article/K69422435