F5 Networks BIG-IP : BIG-IP Configuration utility vulnerability (K44603900)

medium Nessus Plugin ID 122766

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

Malformed requests to the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, may lead to disruption of TMUI services. This attack requires an authenticated user with any role other than the No Access role. The No Access user role cannot log in and does not have the access level to perform the attack. (CVE-2019-6598)

Impact

This vulnerability allows an authenticated user to cause a disruption of service.

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K44603900.

See Also

https://my.f5.com/manage/s/article/K44603900

Plugin Details

Severity: Medium

ID: 122766

File Name: f5_bigip_SOL44603900.nasl

Version: 1.6

Type: local

Published: 3/12/2019

Updated: 11/2/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS Score Source: CVE-2019-6598

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_access_policy_manager, cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/a:f5:big-ip_application_acceleration_manager, cpe:/a:f5:big-ip_application_security_manager, cpe:/a:f5:big-ip_application_visibility_and_reporting, cpe:/a:f5:big-ip_domain_name_system, cpe:/a:f5:big-ip_global_traffic_manager, cpe:/a:f5:big-ip_link_controller, cpe:/a:f5:big-ip_local_traffic_manager, cpe:/a:f5:big-ip_policy_enforcement_manager, cpe:/a:f5:big-ip_webaccelerator, cpe:/h:f5:big-ip

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version

Exploit Ease: No known exploits are available

Patch Publication Date: 3/11/2019

Vulnerability Publication Date: 3/13/2019

Reference Information

CVE: CVE-2019-6598