Brute Force Vulnerability in F5 BIG-IP Products
CVE-2018-5506

9.8CRITICAL

Summary

In certain versions of F5 BIG-IP, vulnerabilities in the Apache modules, specifically apache_auth_token_mod and mod_auth_f5_auth_token.cpp, allow external attackers to exploit possible unauthenticated brute force attempts. This could potentially expose SSL client certificates utilized for mutual authentication between the BIG-IQ management system or Enterprise Manager and their managed BIG-IP devices, leading to unauthorized access and security risks.

Affected Version(s)

BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe) 13.0.0

BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe) 12.1.0-12.1.2

BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe) 11.6.1

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.