Vulnerability CVE-2019-6640


Published: 2019-07-03

Description:
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, SNMP exposes sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is inserted into various profile types and accessed using SNMPv2.

Type:

CWE-200

(Information Exposure)

Vendor: F5
Product: Big-ip webaccelerator 
Version:
14.1.0.1
14.1.0
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip link controller 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip policy enforcement manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip application security manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip edge gateway 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip advanced firewall manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip global traffic manager 
Version:
14.1.0.1
14.1.0
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip local traffic manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip application acceleration manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
See more versions on NVD
Product: Big-ip fraud protection service 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip domain name system 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip analytics 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
13.1.1.1
See more versions on NVD
Product: Big-ip access policy manager 
Version:
14.1.0.1
14.1.0
14.0.0.4
14.0.0.2
14.0.0
13.1.1.4
13.1.1.3
See more versions on NVD

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
http://www.securityfocus.com/bid/109089
https://support.f5.com/csp/article/K40443301

Related CVE
CVE-2019-6659
On version 14.0.0-14.1.0.1, BIG-IP virtual servers with TLSv1.3 enabled may experience a denial of service due to undisclosed incoming messages.
CVE-2019-6660
On BIG-IP 14.1.0-14.1.2, 14.0.0-14.0.1, and 13.1.0-13.1.1, undisclosed HTTP requests may consume excessive amounts of systems resources which may lead to a denial of service.
CVE-2019-6661
When the BIG-IP APM 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.4.1, or 11.5.1-11.6.5 system processes certain requests, the APD/APMD daemon may consume excessive resources.
CVE-2019-6662
On BIG-IP 13.1.0-13.1.1.4, sensitive information is logged into the local log files and/or remote logging targets when restjavad processes an invalid request. Users with access to the log files would be able to view that data.
CVE-2019-6664
On BIG-IP 15.0.0 and 14.1.0-14.1.0.6, under certain conditions, network protections on the management port do not follow current best practices.
CVE-2019-6656
BIG-IP APM Edge Client before version 7.1.8 (7180.2019.508.705) logs the full apm session ID in the log files. Vulnerable versions of the client are bundled with BIG-IP APM versions 15.0.0-15.0.1, 14,1.0-14.1.0.6, 14.0.0-14.0.0.4, 13.0.0-13.1.1.5, 12...
CVE-2019-6655
On versions 13.0.0-13.1.0.1, 12.1.0-12.1.4.1, 11.6.1-11.6.4, and 11.5.1-11.5.9, BIG-IP platforms where AVR, ASM, APM, PEM, AFM, and/or AAM is provisioned may leak sensitive data.
CVE-2019-6654
On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (As defined in RFC 1812 section 5.3.7) on the control plane (management interface). This may allow attackers on a...

Copyright 2019, cxsecurity.com

 

Back to Top