ID

VAR-201710-1064


CVE

CVE-2017-6144


TITLE

Certificate validation vulnerability in F5 BIG-IP PEM

Trust: 0.8

sources: JVNDB: JVNDB-2017-009663

DESCRIPTION

In F5 BIG-IP PEM 12.1.0 through 12.1.2, when downloading the Type Allocation Code (TAC) database file via HTTPS, the server's certificate is not verified. Attackers in a privileged network position may be able to launch a man-in-the-middle attack against these connections. TAC databases are used in BIG-IP PEM for Device Type and OS (DTOS) and Tethering detection. Customers not using BIG-IP PEM, not configuring downloads of TAC database files, or not using HTTP for that download are not affected. F5 BIG-IP PEM contains a certificate validation vulnerability. Information may be obtained and falsified. Multiple F5 BIG-IP products are prone to a security-bypass vulnerability. Successfully exploiting this issue may allow attackers to perform unauthorized actions. This may lead to other attacks. F5 BIG-IP is an all-in-one network device from F5 Corporation of the United States that integrates network traffic management, application security management, load balancing and other functions. PEM is one of the Policy Enforcement Managers. Attackers can exploit this vulnerability to carry out man-in-the-middle attacks that tamper with data or obtain information.

Trust: 1.98

sources: NVD: CVE-2017-6144 // JVNDB: JVNDB-2017-009663 // BID: 101548 // VULHUB: VHN-114347

AFFECTED PRODUCTS

vendor: f5, model: big-ip policy enforcement manager, scope: eq, version: 12.1.0

Trust: 1.6

vendor: f5, model: big-ip policy enforcement manager, scope: eq, version: 12.1.2

Trust: 1.6

vendor: f5, model: big-ip policy enforcement manager, scope: eq, version: 12.1.1

Trust: 1.6

vendor: f5, model: big-ip policy enforcement manager, scope: eq, version: 12.1.0 to 12.1.2

Trust: 0.8

vendor: f5, model: big-ip pem, scope: eq, version: 12.1.2

Trust: 0.3

vendor: f5, model: big-ip pem, scope: eq, version: 12.1.0

Trust: 0.3

vendor: f5, model: big-ip pem hf, scope: ne, version: 12.1.21

Trust: 0.3

vendor: f5, model: big-ip pem, scope: ne, version: 12.0

Trust: 0.3

sources: BID: 101548 // JVNDB: JVNDB-2017-009663 // NVD: CVE-2017-6144 // CNNVD: CNNVD-201702-776

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2017-6144
value: HIGH

Trust: 1.8

CNNVD: CNNVD-201702-776
value: MEDIUM

Trust: 0.6

VULHUB: VHN-114347
value: MEDIUM

Trust: 0.1

NVD:
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2017-6144
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-114347
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

NVD:
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 5.2
version: 3.0

Trust: 1.0

NVD: CVE-2017-6144
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-114347 // JVNDB: JVNDB-2017-009663 // NVD: CVE-2017-6144 // CNNVD: CNNVD-201702-776

PROBLEMTYPE DATA

problemtype: CWE-295

Trust: 1.9

sources: VULHUB: VHN-114347 // JVNDB: JVNDB-2017-009663 // NVD: CVE-2017-6144

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-776

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201702-776

CONFIGURATIONS

sources: NVD: CVE-2017-6144

PATCH

title: K81601350, url: https://support.f5.com/csp/article/k81601350

Trust: 0.8

sources: JVNDB: JVNDB-2017-009663

EXTERNAL IDS

db: NVD, id: CVE-2017-6144

Trust: 2.8

db: JVNDB, id: JVNDB-2017-009663

Trust: 0.8

db: CNNVD, id: CNNVD-201702-776

Trust: 0.7

db: BID, id: 101548

Trust: 0.4

db: VULHUB, id: VHN-114347

Trust: 0.1

sources: VULHUB: VHN-114347 // BID: 101548 // JVNDB: JVNDB-2017-009663 // NVD: CVE-2017-6144 // CNNVD: CNNVD-201702-776

REFERENCES

url: https://support.f5.com/csp/article/k81601350

Trust: 2.0

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6144

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-6144

Trust: 0.8

url: http://www.f5.com/products/big-ip/

Trust: 0.3

sources: VULHUB: VHN-114347 // BID: 101548 // JVNDB: JVNDB-2017-009663 // NVD: CVE-2017-6144 // CNNVD: CNNVD-201702-776

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 101548

SOURCES

db: VULHUB, id: VHN-114347
db: BID, id: 101548
db: JVNDB, id: JVNDB-2017-009663
db: NVD, id: CVE-2017-6144
db: CNNVD, id: CNNVD-201702-776

LAST UPDATE DATE

2023-12-18T13:29:08.623000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-114347, date: 2017-11-15T00:00:00
db: BID, id: 101548, date: 2017-07-13T00:00:00
db: JVNDB, id: JVNDB-2017-009663, date: 2017-11-17T00:00:00
db: NVD, id: CVE-2017-6144, date: 2017-11-15T16:22:34.640
db: CNNVD, id: CNNVD-201702-776, date: 2017-10-31T00:00:00

SOURCES RELEASE DATE

db: VULHUB, id: VHN-114347, date: 2017-10-20T00:00:00
db: BID, id: 101548, date: 2017-07-13T00:00:00
db: JVNDB, id: JVNDB-2017-009663, date: 2017-11-17T00:00:00
db: NVD, id: CVE-2017-6144, date: 2017-10-20T15:29:00.427
db: CNNVD, id: CNNVD-201702-776, date: 2017-02-23T00:00:00