Denial of service in F5 Networks products - CVE-2016-9250


Published: May 12, 2017


Vulnerability identifier: #VU6531
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-9250
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: F5 Networks
Affected software:
BIG-IP AAM
BIG-IP DNS
BIG-IP Link Controller
BIG-IP AFM
BIG-IP Analytics
BIG-IP APM
BIG-IP ASM
BIG-IP LTM
BIG-IP PEM
BIG-IP GTM
BIG-IP WebSafe

Detailed vulnerability description

The vulnerability allows a remote unauthenticated user to delete files on the target system.

The weakness exists due to insufficient security controls imposed by the management control plane component of the affected software. A remote attacker can use undisclosed means through the Web Configuration Utility, iControl REST, or iControl SOAP to delete arbitrary files via an undisclosed mechanism and cause the application to crash.

Successful exploitation of the vulnerability may result in denial of service.

How to mitigate CVE-2016-9250

Update to version 12.1.2 HF1 or 13.0.0.

Sources