Man-in-the-Middle Vulnerability in F5 BIG-IP Products
CVE-2014-9326

Currently unrated

Key Information:

Vendor: F5

CVE Published: 12 May 2015

What is CVE-2014-9326?

The automatic signature update functionality in the Phone Home feature of F5 BIG-IP products does not sufficiently validate server SSL certificates, which makes man-in-the-middle attacks possible. This affects versions 11.5.0 to 11.6.0 of multiple components, including LTM, AAM, AFM, Analytics, APM, GTM, and Link Controller. The Call Home feature in ASM (versions 10.0.0 to 11.6.0) and PEM (versions 11.3.0 to 11.6.0) is susceptible to the same flaw. A remote attacker who presents a crafted certificate can intercept sensitive information.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
