Multiple vulnerabilities in F5 BIG-IQ Centralized Management

Published: 2020-04-24

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2020-5869 CVE-2020-5870
CWE-ID	CWE-295 CWE-287
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	BIG-IQ Centralized Management Server applications / Remote management servers, RDP, SSH
Vendor	F5 Networks

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper Certificate Validation

EUVDB-ID: #VU27304

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5869

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a man-in-the-middle (MitM) attack.

The vulnerability exists due to the IG-IQ high availability (HA) synchronization is not secure by TLS. A remote attacker can perform a MitM attack and read or modify confidential data in transit.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

BIG-IQ Centralized Management: 5.2.0 - 7.0.0

External links

http://support.f5.com/csp/article/K28855111

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Authentication

EUVDB-ID: #VU27305

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5870

CWE-ID: CWE-287 - Improper Authentication