F5 Networks BIG-IP : iControl vulnerability (K15220)

high Nessus Plugin ID 78166

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

The iControl API in F5 BIG-IP LTM, APM, ASM, GTM, Link Controller, and PSM 11.0.0 through 11.5.1, BIG-IP AAM 11.4.0 through 11.5.1, BIG-IP AFM and PEM 11.3.0 through 11.5.1, BIG-IP Analytics 11.0.0 through 11.5.1, BIG-IP Edge Gateway, WebAccelerator, WOM 11.0.0 through 11.3.0, Enterprise Manager 3.0.0 through 3.1.1, and BIG-IQ Cloud, Device, and Security 4.0.0 through 4.3.0 allows remote administrators to execute arbitrary commands via shell metacharacters in the hostname element in a SOAP request. (CVE-2014-2928)

Impact

Users may be able to run arbitrary commands on a BIG-IP system using an authenticated iControl connection.

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K15220.

See Also

https://support.f5.com/csp/article/K15220

Plugin Details

Severity: High

ID: 78166

File Name: f5_bigip_SOL15220.nasl

Version: 1.10

Type: local

Published: 10/10/2014

Updated: 5/9/2019

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.4

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_access_policy_manager, cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/a:f5:big-ip_application_acceleration_manager, cpe:/a:f5:big-ip_application_security_manager, cpe:/a:f5:big-ip_application_visibility_and_reporting, cpe:/a:f5:big-ip_global_traffic_manager, cpe:/a:f5:big-ip_link_controller, cpe:/a:f5:big-ip_local_traffic_manager, cpe:/a:f5:big-ip_policy_enforcement_manager, cpe:/a:f5:big-ip_wan_optimization_manager, cpe:/a:f5:big-ip_webaccelerator, cpe:/h:f5:big-ip, cpe:/h:f5:big-ip_protocol_security_manager

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/15/2015

Vulnerability Publication Date: 5/12/2014

Exploitable With

Metasploit (F5 iControl Remote Root Command Execution)

Reference Information

CVE: CVE-2014-2928

BID: 67278