Race condition in F5 Networks products - CVE-2016-9256
Published: May 12, 2017
Vulnerability identifier: #VU6527
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-9256
CWE-ID: CWE-362
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: F5 Networks
Affected software:
BIG-IP AAM
BIG-IP DNS
BIG-IP Link Controller
BIG-IP AFM
BIG-IP Analytics
BIG-IP APM
BIG-IP ASM
BIG-IP LTM
BIG-IP PEM
BIG-IP WebSafe
BIG-IP AAM
BIG-IP DNS
BIG-IP Link Controller
BIG-IP AFM
BIG-IP Analytics
BIG-IP APM
BIG-IP ASM
BIG-IP LTM
BIG-IP PEM
BIG-IP WebSafe
Detailed vulnerability description
The vulnerability allows a remote authenticated user to gain elevated privileges on the target system.
The weakness exists due to race condition during the enforcement of permissions by the iControl component when permissions are assigned to a user and the role_map feature is not reloaded between the time permissions are changed and the user's next change request. A remote attacker can gain elevated privileges and conduct further attacks.
Successful exploitation of the vulnerability may result in access to the system.
The weakness exists due to race condition during the enforcement of permissions by the iControl component when permissions are assigned to a user and the role_map feature is not reloaded between the time permissions are changed and the user's next change request. A remote attacker can gain elevated privileges and conduct further attacks.
Successful exploitation of the vulnerability may result in access to the system.
How to mitigate CVE-2016-9256
Install update from vendor's website.