Vulnerability CVE-2019-6609


Published: 2019-04-15

Description:
Platform-dependent weakness; this issue only impacts iSeries platforms. On those platforms, in BIG-IP APM versions 14.0.0-14.1.0.1, 13.0.0-13.1.1.3, and 12.1.1 HF2-12.1.4, the secureKeyCapable attribute was not set, which causes Secure Vault not to use the F5 hardware support to store the unit key. Instead, the unit key is stored in plaintext on disk, as would be the case for Z100 systems. Additionally, this causes the unit key to be included in UCS files (configuration archives) taken on these platforms. Any UCS archive taken from an affected unit should therefore be handled as key material, not as an ordinary configuration backup: restrict where it is stored and copied, and account for every copy that already exists.
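As an added triage example (written for this page, not F5's code and not taken from the advisory): a Python helper that decides from a platform name and a version string whether a unit falls inside the affected ranges quoted above, and that scans a UCS archive for key-store files, reporting a SHA-256 fingerprint of each rather than the key itself, so an operator can prove what a backup contains without copying the key around. It assumes UCS archives are gzip-compressed tar files and that the key store lives under config/bigip/kstore/ inside the archive; the platform-name pattern, the modelling of "12.1.1 HF2" as 12.1.1.2, the file name "master", and all sample data are assumptions constructed for the example. Check the path against one of your own archives before relying on the scan.

```python
"""Triage helper for CVE-2019-6609 (added example, not F5 code).

Assumptions not taken from the advisory: a UCS archive is a gzip'd tar file,
and the key store sits under config/bigip/kstore/ inside it.
"""
import hashlib
import io
import re
import tarfile

# Affected ranges copied from the advisory text, inclusive on both ends.
# "12.1.1 HF2" is modelled as the 4-tuple 12.1.1.2 (an assumption).
AFFECTED_RANGES = [
    ((14, 0, 0), (14, 1, 0, 1)),
    ((13, 0, 0), (13, 1, 1, 3)),
    ((12, 1, 1, 2), (12, 1, 4)),
]
# Only iSeries hardware is affected; iSeries platform names look like
# "BIG-IP i5800" (assumed naming pattern).
ISERIES_PLATFORM_RE = re.compile(r"^(?:BIG-IP\s+)?i\d{4,5}\b", re.IGNORECASE)
KSTORE_PREFIX = "config/bigip/kstore/"  # assumed key-store path inside a UCS
SAMPLE_KEY = b"CONSTRUCTED-UNIT-KEY-0123456789abcdef\n"  # constructed sample


def parse_version(text):
    """'13.1.1.3' -> (13, 1, 1, 3); '12.1.1 HF2' -> (12, 1, 1, 2)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:\s*HF(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    if m.group(2):  # hotfix number becomes the fourth component
        parts = parts[:3] + (int(m.group(2)),)
    return parts


def is_affected(version, platform):
    """True only for iSeries hardware running a version inside an affected range."""
    if not ISERIES_PLATFORM_RE.match(platform.strip()):
        return False
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def build_sample_ucs(include_unit_key):
    """Constructed stand-in for a UCS archive; not a real F5 backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add("config/bigip.conf", b"ltm virtual vs_example { destination 10.0.0.1:443 }\n")
        add("config/bigip_base.conf", b"sys global-settings { hostname bigip.example.test }\n")
        if include_unit_key:
            add(KSTORE_PREFIX + "master", SAMPLE_KEY)  # file name is part of the sample
    return buf.getvalue()


def scan_ucs_for_key_material(ucs_bytes):
    """Return {member_name: sha256_hex} for every regular file under the key store.

    Only the digest leaves this function; the key bytes are never returned or printed.
    """
    found = {}
    with tarfile.open(fileobj=io.BytesIO(ucs_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            name = member.name.lstrip("./")
            if member.isfile() and name.startswith(KSTORE_PREFIX):
                data = tar.extractfile(member).read()
                found[name] = hashlib.sha256(data).hexdigest()
    return found


def ucs_exposes_unit_key(ucs_bytes):
    """True when the archive carries anything under the key-store path."""
    return bool(scan_ucs_for_key_material(ucs_bytes))


if __name__ == "__main__":
    print(is_affected("13.1.1.3", "BIG-IP i5800"))   # in range, iSeries
    print(is_affected("13.1.1.3", "BIG-IP 5250v"))   # same version, not iSeries
    print(is_affected("14.1.0.2", "BIG-IP i5800"))   # past the top of the range
    leaky = build_sample_ucs(include_unit_key=True)
    for name, digest in scan_ucs_for_key_material(leaky).items():
        print(f"{name}: sha256={digest}")
    print(ucs_exposes_unit_key(build_sample_ucs(include_unit_key=False)))
```

Run it against a real archive by replacing the constructed bytes with the contents of a .ucs file; if the scan reports nothing, confirm the key-store path assumption before concluding the archive is clean.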

Type: CWE-255 (Credentials Management)

Vendor: F5

Affected products and versions (as listed by NVD; longer lists are truncated there):
Product: BIG-IP WebAccelerator; Versions: 12.1.1 HF2, 14.1.0, 14.0.0, 13.1.1.3, 13.1.1, 13.1.0 (see more versions on NVD)
Product: BIG-IP Local Traffic Manager; Versions: 14.1.0.1, 14.1.0, 14.0.0.4, 14.0.0, 13.1.1.3, 13.1.1, 13.1.0 (see more versions on NVD)
Product: BIG-IP Access Policy Manager; Versions: 14.1.0.1, 14.1.0, 14.0.0.4, 14.0.0, 13.1.1.3, 13.1.1, 13.1.0.8, 13.1.0.7, 13.1.0.6, 13.1.0.5, 13.1.0.4, 13.1.0.3, 13.1.0.2, 13.1.0.1, 13.1.0, 13.0.1 (see more versions on NVD)
Product: BIG-IP Application Security Manager; Versions: 14.1.0.1, 14.1.0, 14.0.0.4, 14.0.0, 13.1.1.3, 13.1.1, 13.1.0 (see more versions on NVD)
Product: BIG-IP Link Controller; Versions: 14.1.0.1, 14.1.0, 14.0.0.4, 14.0.0, 13.1.1.3, 13.1.1, 13.1.0, 13.0.1 (see more versions on NVD)
Product: BIG-IP Application Acceleration Manager; Versions: 14.1.0.1, 14.1.0, 14.0.0.4, 14.0.0, 13.1.1.3, 13.1.1, 13.1.0 (see more versions on NVD)
Product: BIG-IP Edge Gateway; Versions: 14.1.0.1, 14.1.0, 14.0.0.4, 14.0.0, 13.1.1.3, 13.1.1, 13.1.0 (see more versions on NVD)
Product: BIG-IP Fraud Protection Service; Versions: 14.1.0.1, 14.1.0, 14.0.0.4, 14.0.0, 13.1.1.3, 13.1.1, 13.1.0 (see more versions on NVD)
Product: BIG-IP Analytics; Versions: 14.1.0.1, 14.1.0, 14.0.0.4, 14.0.0, 13.1.1.3, 13.1.1, 13.1.0 (see more versions on NVD)
Product: BIG-IP Policy Enforcement Manager; Versions: 14.1.0.1, 14.1.0, 14.0.0.4, 14.0.0, 13.1.1.3, 13.1.1, 13.1.0 (see more versions on NVD)
Product: BIG-IP Domain Name System; Versions: 14.1.0.1, 14.1.0, 14.0.0.4, 14.0.0, 13.1.1.3, 13.1.1, 13.1.0 (see more versions on NVD)
Product: BIG-IP Advanced Firewall Manager; Versions: 14.1.0.1, 14.1.0, 14.0.0.4, 14.0.0, 13.1.1.3, 13.1.1.1, 13.1.1, 13.1.0, 13.0.1 (see more versions on NVD)
Product: BIG-IP Global Traffic Manager; Versions: 14.1.0, 14.0.0, 13.1.1, 13.1.0, 13.0.1 (see more versions on NVD)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score: 5.0/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

References:
https://support.f5.com/csp/article/K18535734

Related CVE
CVE-2019-6610
On BIG-IP versions 14.0.0-14.0.0.4, 13.0.0-13.1.1.1, 12.1.0-12.1.4, 11.6.0-11.6.3.4, and 11.5.1-11.5.8, the system is vulnerable to a denial of service attack when performing URL classification.
CVE-2019-6608
On BIG-IP 11.5.1-11.6.3, 12.1.0-12.1.3, 13.0.0-13.1.1.1, and 14.0.0-14.0.0.2, under certain conditions, the snmpd daemon may leak memory on a multi-blade BIG-IP vCMP guest when processing authorized SNMP requests.
CVE-2019-6607
On BIG-IP ASM 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3, 13.0.0-13.1.1.3, and 14.0.0-14.0.0.2, there is a stored cross-site scripting vulnerability in an ASM violation viewed in the Configuration utility. In the worst case, an attacker can store a ...
CVE-2019-6606
On BIG-IP 11.5.1-11.6.3.4, 12.1.0-12.1.3.7, 13.0.0-13.1.1.3, and 14.0.0-14.0.0.2, when processing certain SNMP requests with a request-id of 0, the snmpd process may leak a small amount of memory.
CVE-2019-6605
On BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, and 12.0.x, an undisclosed sequence of packets received by an SSL virtual server and processed by an associated Client SSL or Server SSL profile may cause a denial of service.
CVE-2019-6604
On BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3.6, 13.0.0-13.1.1.1, and 14.0.0-14.0.0.2, under certain conditions, hardware systems with a High-Speed Bridge and using non-default Layer 2 forwarding configurations may experience a lockup of the ...
CVE-2019-6603
In BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3, and 13.0.0-13.0.1, malformed TCP packets sent to a self IP address or a FastL4 virtual server may cause an interruption of service. The control plane is not exposed to this issue. This issue impa...
CVE-2019-6602
In BIG-IP 11.5.1-11.5.8 and 11.6.1-11.6.3, the Configuration Utility login page may not follow best security practices when handling a malicious request.

Copyright 2019, cxsecurity.com