Vulnerability CVE-2019-6640


Published: 2019-07-03

Description:
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, SNMP exposes sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is inserted into various profile types and accessed using SNMPv2.

Type:

CWE-200

(Information Exposure)

Vendor: F5
Product: Big-ip webaccelerator 
Version:
14.1.0.1
14.1.0
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip link controller 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip policy enforcement manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip edge gateway 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip application security manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip advanced firewall manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip global traffic manager 
Version:
14.1.0.1
14.1.0
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip local traffic manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip application acceleration manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
See more versions on NVD
Product: Big-ip fraud protection service 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip domain name system 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip access policy manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip analytics 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
See more versions on NVD

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
http://www.securityfocus.com/bid/109089
https://support.f5.com/csp/article/K40443301

Related CVE
CVE-2019-6646
On BIG-IP 11.5.2-11.6.4 and Enterprise Manager 3.1.1, REST users with guest privileges may be able to escalate their privileges and run commands with admin privileges.
CVE-2019-6643
On versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, 12.1.0-12.1.4.1, and 11.5.2-11.6.4, an attacker sending specifically crafted DHCPv6 requests through a BIG-IP virtual server configured with a DHCPv6 profile may be able to cause the TMM pr...
CVE-2019-6648
On version 1.9.0, If DEBUG logging is enable, F5 Container Ingress Service (CIS) for Kubernetes and Red Hat OpenShift (k8s-bigip-ctlr) log files may contain BIG-IP secrets such as SSL Private Keys and Private key Passphrases as provided as inputs by ...
CVE-2019-6647
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, 12.1.0-12.1.4.1, 11.5.2-11.6.4, when processing authentication attempts for control-plane users MCPD leaks a small amount of memory. Under rare conditions attackers with access to the managem...
CVE-2019-6645
On BIG-IP 14.0.0-14.1.0.5, 13.0.0-13.1.2, 12.1.0-12.1.4.1, 11.5.2-11.6.4, FTP traffic passing through a Virtual Server with both an active FTP profile associated and connection mirroring configured may lead to a TMM crash causing the configured HA ac...
CVE-2019-6644
Similar to the issue identified in CVE-2018-12120, on versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, and 12.1.0-12.1.4 BIG-IP will bind a debug nodejs process to all interfaces when invoked. This may expose the process to unauthorized user...
CVE-2019-6641
On BIG-IP 12.1.0-12.1.4.1, undisclosed requests can cause iControl REST processes to crash. The attack can only come from an authenticated user; all roles are capable of performing the attack. Unauthenticated users cannot perform this attack.
CVE-2019-6639
On BIG-IP (AFM, PEM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, an undisclosed TMUI pages for AFM and PEM Subscriber management are vulnerable to a stored cross-site scripting (XSS) issue. Th...

Copyright 2019, cxsecurity.com

 

Back to Top