#VU6527 Race condition in F5 Networks products - CVE-2016-9256
Published: May 12, 2017
Vulnerability identifier: #VU6527
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-9256
CWE-ID: CWE-362
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
BIG-IP AAM
BIG-IP DNS
BIG-IP Link Controller
BIG-IP AFM
BIG-IP Analytics
BIG-IP APM
BIG-IP ASM
BIG-IP LTM
BIG-IP PEM
BIG-IP WebSafe
Software vendor:
F5 Networks
Description
The vulnerability allows a remote authenticated user to gain elevated privileges on the target system.
The weakness exists due to a race condition in how the iControl component enforces permissions: when permissions are assigned to a user, the role_map feature is not reloaded between the time the permissions are changed and the user's next change request. A remote attacker can gain elevated privileges and conduct further attacks.
Successful exploitation of the vulnerability may result in access to the system.
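The stale role map condition described above, reduced to a minimal model. This is an added example, not F5 code and not part of the advisory. The class names, role names, version counter and the direction of the change (admin to guest) are assumptions chosen for illustration.

```python
import threading

# Constructed model: an authorization layer caches a role map and must
# notice when the source of truth changes before the next request.

class RoleStore:
    """Source of truth for roles; bumps a version on every change."""
    def __init__(self, roles):
        self._roles = dict(roles)
        self._lock = threading.Lock()
        self.version = 0

    def set_role(self, user, role):
        with self._lock:
            self._roles[user] = role
            self.version += 1

    def snapshot(self):
        # Return the map and its version together so they stay consistent.
        with self._lock:
            return dict(self._roles), self.version

class StaleAuthorizer:
    """Loads the role map once and never reloads it (the flawed pattern)."""
    def __init__(self, store):
        self._map, _ = store.snapshot()

    def can_modify(self, user):
        return self._map.get(user) == "admin"

class VersionedAuthorizer:
    """Reloads the role map whenever the store version has moved on."""
    def __init__(self, store):
        self._store = store
        self._map, self._seen = store.snapshot()

    def can_modify(self, user):
        if self._seen != self._store.version:
            self._map, self._seen = self._store.snapshot()
        return self._map.get(user) == "admin"

def demo():
    store = RoleStore({"alice": "admin"})      # constructed sample data
    stale, fixed = StaleAuthorizer(store), VersionedAuthorizer(store)
    before = (stale.can_modify("alice"), fixed.can_modify("alice"))
    store.set_role("alice", "guest")           # permission change
    after = (stale.can_modify("alice"), fixed.can_modify("alice"))
    return before, after                       # (stale, fixed) per phase
```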
Remediation
Install the update from the vendor's website.