F5 Networks BIG-IP : iControl REST vulnerability (K29149494)

medium Nessus Plugin ID 126401

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

Application logic abuse of ASM REST endpoints can lead to instability of the BIG-IP system. Exploitation of this issue causes excessive memory consumption, which results in the Linux kernel triggering the OOM killer on arbitrary processes. The attack requires an authenticated user with the role of 'Guest' or greater privilege. Note: 'No Access' is technically a role, but a user with this access role cannot log in and therefore cannot perform the attack. (CVE-2019-6637)

Impact

BIG-IP ASM

When the vulnerability is exploited, the affected BIG-IP ASM system may experience excessive memory consumption to the point where the Linux kernel triggers the OOM killer, resulting in a possible denial-of-service (DoS).

BIG-IP (LTM, AAM, AFM, Analytics, APM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) / BIG-IQ / Enterprise Manager / F5 iWorkflow / Traffix SDC

There is no impact; these F5 products are not affected by this vulnerability.

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K29149494.

See Also

https://my.f5.com/manage/s/article/K29149494

Plugin Details

Severity: Medium

ID: 126401

File Name: f5_bigip_SOL29149494.nasl

Version: 1.6

Type: local

Published: 7/2/2019

Updated: 11/2/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS Score Source: CVE-2019-6637

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_application_security_manager, cpe:/h:f5:big-ip

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version

Exploit Ease: No known exploits are available

Patch Publication Date: 7/1/2019

Vulnerability Publication Date: 7/3/2019

Reference Information

CVE: CVE-2019-6637