F5 Networks BIG-IP : BIG-IP SCP vulnerability (K82518062)

high Nessus Plugin ID 137919

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

The BIG-IP system does not properly enforce the access controls for the scp.blacklist files. This allows Admin and Resource Admin users with Secure Copy (SCP) protocol access to read and overwrite blacklisted files via SCP. (CVE-2020-5906)

Note: F5 is working to eliminate exclusionary language in our products and documentation. For more information, refer to K34150231: Exclusionary language in F5 products and documentation.

Impact

Authenticated users with access to the SCP utility, which is an OpenSSH tool, but without full file system or Advanced Shell (bash) access, can read and overwrite certain configuration files that are otherwise restricted through SCP.

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K82518062.

See Also

https://my.f5.com/manage/s/article/K82518062

Plugin Details

Severity: High

ID: 137919

File Name: f5_bigip_SOL82518062.nasl

Version: 1.8

Type: local

Published: 7/1/2020

Updated: 11/3/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2020-5906

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_access_policy_manager, cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/a:f5:big-ip_application_acceleration_manager, cpe:/a:f5:big-ip_application_security_manager, cpe:/a:f5:big-ip_application_visibility_and_reporting, cpe:/a:f5:big-ip_domain_name_system, cpe:/a:f5:big-ip_global_traffic_manager, cpe:/a:f5:big-ip_link_controller, cpe:/a:f5:big-ip_local_traffic_manager, cpe:/a:f5:big-ip_policy_enforcement_manager, cpe:/h:f5:big-ip

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version

Exploit Ease: No known exploits are available

Patch Publication Date: 6/30/2020

Vulnerability Publication Date: 7/1/2020

Reference Information

CVE: CVE-2020-5906

IAVA: 2020-A-0283-S