ID

VAR-201804-0507


CVE

CVE-2017-6143


TITLE

F5 BIG-IP vulnerabilities related to certificate validation

Trust: 0.8

sources: JVNDB: JVNDB-2017-013263

DESCRIPTION

X509 certificate verification was not correctly implemented in the IP Intelligence Subscription and IP Intelligence feed-list features, and thus the remote server's identity is not properly validated in F5 BIG-IP 12.0.0-12.1.2, 11.6.0-11.6.2, or 11.5.0-11.5.5. F5 BIG-IP contains a certificate validation vulnerability. Information may be obtained and information may be altered.

F5 BIG-IP AFM and ASM are both products of F5 Company in the United States. F5 BIG-IP AFM is an advanced firewall product for mitigating DDoS attacks. ASM is a web application firewall (WAF) that provides secure remote access, protects email, and simplifies web access control while enhancing network and application performance. There is a security vulnerability in F5 BIG-IP AFM and ASM, which is caused by the program not correctly verifying the identity of the remote server. An attacker could exploit this vulnerability to take control of intelligence data.

The following products and versions are affected: F5 BIG-IP AFM versions 12.1.0 to 12.1.2, 11.6.1 to 11.6.2, and 11.5.1 to 11.5.5; BIG-IP ASM versions 12.1.0 to 12.1.2, 11.6.1 to 11.6.2, and 11.5.1 to 11.5.5.

Trust: 1.71

sources: NVD: CVE-2017-6143 // JVNDB: JVNDB-2017-013263 // VULHUB: VHN-114346

AFFECTED PRODUCTS

vendor: f5, model: big-ip advanced firewall manager, scope: gte, version: 11.6.1

Trust: 1.0

vendor: f5, model: big-ip advanced firewall manager, scope: lte, version: 11.6.2

Trust: 1.0

vendor: f5, model: big-ip application security manager, scope: lte, version: 11.6.2

Trust: 1.0

vendor: f5, model: big-ip advanced firewall manager, scope: lte, version: 12.1.2

Trust: 1.0

vendor: f5, model: big-ip advanced firewall manager, scope: lte, version: 11.5.5

Trust: 1.0

vendor: f5, model: big-ip application security manager, scope: gte, version: 11.5.1

Trust: 1.0

vendor: f5, model: big-ip application security manager, scope: lte, version: 11.5.5

Trust: 1.0

vendor: f5, model: big-ip advanced firewall manager, scope: gte, version: 11.5.1

Trust: 1.0

vendor: f5, model: big-ip advanced firewall manager, scope: gte, version: 12.1.0

Trust: 1.0

vendor: f5, model: big-ip application security manager, scope: gt, version: 12.1.0

Trust: 1.0

vendor: f5, model: big-ip application security manager, scope: gte, version: 11.6.1

Trust: 1.0

vendor: f5, model: big-ip application security manager, scope: lte, version: 12.1.2

Trust: 1.0

vendor: f5, model: big-ip advanced firewall manager, scope: -, version: -

Trust: 0.8

vendor: f5, model: big-ip application security manager, scope: -, version: -

Trust: 0.8

vendor: f5, model: big-ip advanced firewall manager, scope: eq, version: 11.6.1

Trust: 0.6

vendor: f5, model: big-ip application security manager, scope: eq, version: 11.5.4

Trust: 0.6

vendor: f5, model: big-ip application security manager, scope: eq, version: 12.1.1

Trust: 0.6

vendor: f5, model: big-ip application security manager, scope: eq, version: 11.5.3

Trust: 0.6

vendor: f5, model: big-ip application security manager, scope: eq, version: 11.5.1

Trust: 0.6

vendor: f5, model: big-ip advanced firewall manager, scope: eq, version: 12.1.0

Trust: 0.6

vendor: f5, model: big-ip application security manager, scope: eq, version: 11.5.5

Trust: 0.6

vendor: f5, model: big-ip application security manager, scope: eq, version: 11.6.1

Trust: 0.6

vendor: f5, model: big-ip application security manager, scope: eq, version: 11.5.2

Trust: 0.6

vendor: f5, model: big-ip advanced firewall manager, scope: eq, version: 12.1.1

Trust: 0.6

sources: JVNDB: JVNDB-2017-013263 // NVD: CVE-2017-6143 // CNNVD: CNNVD-201702-777

CVSS

SEVERITY

NVD: CVE-2017-6143
value: MEDIUM

Trust: 1.8

CNNVD: CNNVD-201702-777
value: MEDIUM

Trust: 0.6

VULHUB: VHN-114346
value: MEDIUM

Trust: 0.1

CVSSV2

NVD:
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2017-6143
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-114346
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

NVD:
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 2.7
version: 3.0

Trust: 1.0

NVD: CVE-2017-6143
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-114346 // JVNDB: JVNDB-2017-013263 // NVD: CVE-2017-6143 // CNNVD: CNNVD-201702-777

PROBLEMTYPE DATA

problemtype: CWE-295

Trust: 1.9

sources: VULHUB: VHN-114346 // JVNDB: JVNDB-2017-013263 // NVD: CVE-2017-6143

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-777

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201702-777

CONFIGURATIONS

sources: NVD: CVE-2017-6143

PATCH

title: K11464209, url: https://support.f5.com/csp/article/k11464209

Trust: 0.8

sources: JVNDB: JVNDB-2017-013263

EXTERNAL IDS

db: NVD, id: CVE-2017-6143

Trust: 2.5

db: JVNDB, id: JVNDB-2017-013263

Trust: 0.8

db: CNNVD, id: CNNVD-201702-777

Trust: 0.7

db: VULHUB, id: VHN-114346

Trust: 0.1

sources: VULHUB: VHN-114346 // JVNDB: JVNDB-2017-013263 // NVD: CVE-2017-6143 // CNNVD: CNNVD-201702-777

REFERENCES

url: https://support.f5.com/csp/article/k11464209

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6143

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-6143

Trust: 0.8

sources: VULHUB: VHN-114346 // JVNDB: JVNDB-2017-013263 // NVD: CVE-2017-6143 // CNNVD: CNNVD-201702-777

SOURCES

db: VULHUB, id: VHN-114346
db: JVNDB, id: JVNDB-2017-013263
db: NVD, id: CVE-2017-6143
db: CNNVD, id: CNNVD-201702-777

LAST UPDATE DATE

2023-12-18T12:44:08.133000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-114346, date: 2018-05-21T00:00:00
db: JVNDB, id: JVNDB-2017-013263, date: 2018-06-13T00:00:00
db: NVD, id: CVE-2017-6143, date: 2018-05-21T15:16:34.203
db: CNNVD, id: CNNVD-201702-777, date: 2018-04-17T00:00:00

SOURCES RELEASE DATE

db: VULHUB, id: VHN-114346, date: 2018-04-13T00:00:00
db: JVNDB, id: JVNDB-2017-013263, date: 2018-06-13T00:00:00
db: NVD, id: CVE-2017-6143, date: 2018-04-13T13:29:00.207
db: CNNVD, id: CNNVD-201702-777, date: 2017-02-23T00:00:00