Command injection in BIG-IP

#VU13559 Command injection in BIG-IP

Published: 2018-07-04

Vulnerability identifier: #VU13559

Vulnerability risk: Low

CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-5523

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
BIG-IP
Hardware solutions / Firmware

Vendor: F5 Networks

Description

The vulnerability allows a remote administrative attacker to execute arbitrary commands on the target system.

The weakness exists due to command injection. A remote attacker can inject and run arbitrary commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility.

Mitigation
The vulnerability is addressed in the versions 11.5.6, 11.6.3.2, 12.1.3.2, 13.0.1, 13.1.0.4.

Vulnerable software versions

BIG-IP: 11.2.1, 13.0.0, 13.1.0, 12.1.0 - 12.1.3, 11.6.1 - 11.6.3, 11.5.0 - 11.5.5

External links
http://support.f5.com/csp/article/K50254952

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in F5 BIG-IP