#VU12849 Brute-force attack in F5 Networks products - CVE-2018-5506

Cybersecurity Help s.r.o.

Published: 2018-05-18

Vulnerability identifier: #VU12849

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-5506

CWE-ID: CWE-307

Exploitation vector: Network

Exploit availability: No

Vendor: F5 Networks

Description
The vulnerability allows a remote unauthenticated attacker to bypass security restrctions on the target system.

The weakness exists in the Apache modules apache_auth_token_mod and mod_auth_f5_auth_token.cpp due to handling of invalid IP addresses. A remote attacker can bruteforce on the em_server_ip authorization parameter to obtain which SSL client certificates used for mutual authentication between BIG-IQ or Enterprise Manager (EM) and managed BIG-IP devices.

Mitigation
Update to versions 11.5.6, 11.6.2, 12.1.3.2, 13.0.0 HF1, 13.0.1 or 13.1.0.

Vulnerable software versions

BIG-IP LTM: 11.2.1 - 13.0.0

BIG-IP AAM: 11.2.1 - 13.0.0

BIG-IP AFM: 11.2.1 - 13.0.0

BIG-IP Analytics: 11.2.1 - 13.0.0

BIG-IP APM: 11.2.1 - 13.0.0

BIG-IP ASM: 11.2.1 - 13.0.0

BIG-IP DNS: 11.2.1 - 13.0.0

BIG-IP Edge Gateway: 11.2.1 - 13.0.0

BIG-IP GTM: 11.2.1 - 13.0.0

BIG-IP Link Controller: 11.2.1 - 13.0.0

BIG-IP PEM: 11.2.1 - 13.0.0

BIG-IP WebAccelerator: 11.2.1 - 13.0.0

BIG-IP WebSafe: 11.2.1 - 13.0.0

External links
https://support.f5.com/csp/article/K65355492

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in F5 BIG-IP