Denial of service in F5 Networks products - CVE-2016-9250
Published: May 12, 2017
Vulnerability identifier: #VU6531
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-9250
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
BIG-IP AAM
BIG-IP DNS
BIG-IP Link Controller
BIG-IP AFM
BIG-IP Analytics
BIG-IP APM
BIG-IP ASM
BIG-IP LTM
BIG-IP PEM
BIG-IP GTM
BIG-IP WebSafe
Software vendor:
F5 Networks
Description
The vulnerability allows a remote unauthenticated user to delete files on the target system.
The weakness exists due to insufficient security controls imposed by the management control plane component of the affected software. A remote attacker can, through an undisclosed mechanism reachable via the Web Configuration Utility, iControl REST, or iControl SOAP, delete arbitrary files and cause the application to crash.
Successful exploitation of the vulnerability may result in denial of service.
Remediation
Update to version 12.1.2 HF1 or 13.0.0.