ID

VAR-201405-0338


CVE

CVE-2014-3220


TITLE

F5 BIG-IQ Vulnerable to changing the password of an arbitrary user

Trust: 0.8

sources: JVNDB: JVNDB-2014-002390

DESCRIPTION

F5 BIG-IQ Cloud and Security 4.0.0 through 4.1.0 allows remote authenticated users to change the password of arbitrary users via the name parameter in a request to the user's page under mgmt/shared/authz/users/. F5 Networks BIG-IQ is prone to a remote privilege-escalation vulnerability. Multiple F5 BIG-IQ products are prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authorization. Attackers can leverage this issue to bypass security restrictions and perform unauthorized actions, which may aid in launching further attacks. The following products are vulnerable: F5 BIG-IQ Cloud 4.0.0 through 4.1.0 and F5 BIG-IQ Security 4.0.0 through 4.1.0. F5 BIG-IQ is a set of software-based cloud management solutions from F5 Corporation of the United States. The solution supports the deployment of application delivery and network services across public and private clouds, traditional data centers and hybrid environments. The vulnerability is caused by the mgmt/shared/authz/users/ script not properly filtering the input submitted by the user.

Trust: 2.25

sources: NVD: CVE-2014-3220 // JVNDB: JVNDB-2014-002390 // BID: 67191 // BID: 67227 // VULHUB: VHN-71159

AFFECTED PRODUCTS

vendor: f5 | model: big-iq | scope: eq | version: 4.1.0.2013.0

Trust: 2.4

vendor: f5 | model: big-iq security | scope: eq | version: 4.1

Trust: 0.3

vendor: f5 | model: big-iq security | scope: eq | version: 4.0

Trust: 0.3

vendor: f5 | model: big-iq cloud | scope: eq | version: 4.1

Trust: 0.3

vendor: f5 | model: big-iq cloud | scope: eq | version: 4.0

Trust: 0.3

vendor: f5 | model: big-iq security | scope: ne | version: 4.3

Trust: 0.3

vendor: f5 | model: big-iq security | scope: ne | version: 4.2

Trust: 0.3

vendor: f5 | model: big-iq cloud | scope: ne | version: 4.3

Trust: 0.3

vendor: f5 | model: big-iq cloud | scope: ne | version: 4.2

Trust: 0.3

sources: BID: 67227 // JVNDB: JVNDB-2014-002390 // CNNVD: CNNVD-201405-055 // NVD: CVE-2014-3220

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-3220
value: HIGH

Trust: 1.0

NVD: CVE-2014-3220
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201405-055
value: CRITICAL

Trust: 0.6

VULHUB: VHN-71159
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-3220
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-71159
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-71159 // JVNDB: JVNDB-2014-002390 // CNNVD: CNNVD-201405-055 // NVD: CVE-2014-3220

PROBLEMTYPE DATA

problemtype: CWE-255

Trust: 1.9

sources: VULHUB: VHN-71159 // JVNDB: JVNDB-2014-002390 // NVD: CVE-2014-3220

THREAT TYPE

network

Trust: 0.6

sources: BID: 67191 // BID: 67227

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201405-055

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002390

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-71159

PATCH

title: BIG-IQ | url: http://f5networks.co.jp/product/bigiq/index.html

Trust: 0.8

title: BIG-IQ-4.2.0.3208.0 | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49757

Trust: 0.6

sources: JVNDB: JVNDB-2014-002390 // CNNVD: CNNVD-201405-055

EXTERNAL IDS

db: NVD | id: CVE-2014-3220

Trust: 3.1

db: BID | id: 67227

Trust: 1.4

db: BID | id: 67191

Trust: 1.4

db: EXPLOIT-DB | id: 33143

Trust: 1.1

db: SECUNIA | id: 58440

Trust: 1.1

db: JVNDB | id: JVNDB-2014-002390

Trust: 0.8

db: CNNVD | id: CNNVD-201405-055

Trust: 0.7

db: FULLDISC | id: 20140502 RE: F5 BIG-IQ AUTHED ARBITRARY USER PASSWORD CHANGE

Trust: 0.6

db: FULLDISC | id: 20140501 F5 BIG-IQ AUTHED ARBITRARY USER PASSWORD CHANGE

Trust: 0.6

db: SEEBUG | id: SSVID-86389

Trust: 0.1

db: VULHUB | id: VHN-71159

Trust: 0.1

sources: VULHUB: VHN-71159 // BID: 67191 // BID: 67227 // JVNDB: JVNDB-2014-002390 // CNNVD: CNNVD-201405-055 // NVD: CVE-2014-3220

REFERENCES

url: http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15229.html

Trust: 1.7

url: http://seclists.org/fulldisclosure/2014/may/10

Trust: 1.7

url: http://seclists.org/fulldisclosure/2014/may/11

Trust: 1.7

url: http://volatile-minds.blogspot.com/2014/05/f5-big-iq-v41020130-authenticated.html

Trust: 1.7

url: https://gist.github.com/brandonprry/2e73acd63094fa2a4f63

Trust: 1.7

url: http://www.securityfocus.com/bid/67191

Trust: 1.1

url: http://www.securityfocus.com/bid/67227

Trust: 1.1

url: http://www.exploit-db.com/exploits/33143

Trust: 1.1

url: http://seclists.org/fulldisclosure/2014/may/16

Trust: 1.1

url: http://secunia.com/advisories/58440

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3220

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3220

Trust: 0.8

url: http://volatile-minds.blogspot.jp/2014/05/f5-big-iq-v41020130-authenticated.html

Trust: 0.8

url: http://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html

Trust: 0.3

url: http://volatile-minds.blogspot.in/2014/05/f5-big-iq-v41020130-authenticated.html

Trust: 0.3

url: https://f5.com/products/big-iq

Trust: 0.3

url: https://f5.com/products/big-iq/big-iq-cloud

Trust: 0.3

url: https://f5.com/products/big-iq/big-iq-security

Trust: 0.3

sources: VULHUB: VHN-71159 // BID: 67191 // BID: 67227 // JVNDB: JVNDB-2014-002390 // CNNVD: CNNVD-201405-055 // NVD: CVE-2014-3220

CREDITS

Brandon Perry

Trust: 0.3

sources: BID: 67191

SOURCES

db: VULHUB | id: VHN-71159
db: BID | id: 67191
db: BID | id: 67227
db: JVNDB | id: JVNDB-2014-002390
db: CNNVD | id: CNNVD-201405-055
db: NVD | id: CVE-2014-3220

LAST UPDATE DATE

2024-11-23T22:23:05.711000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-71159 | date: 2014-05-23T00:00:00
db: BID | id: 67191 | date: 2015-03-19T09:34:00
db: BID | id: 67227 | date: 2015-04-13T21:01:00
db: JVNDB | id: JVNDB-2014-002390 | date: 2014-05-08T00:00:00
db: CNNVD | id: CNNVD-201405-055 | date: 2014-05-08T00:00:00
db: NVD | id: CVE-2014-3220 | date: 2024-11-21T02:07:42.440

SOURCES RELEASE DATE

db: VULHUB | id: VHN-71159 | date: 2014-05-05T00:00:00
db: BID | id: 67191 | date: 2014-05-01T00:00:00
db: BID | id: 67227 | date: 2014-05-06T00:00:00
db: JVNDB | id: JVNDB-2014-002390 | date: 2014-05-08T00:00:00
db: CNNVD | id: CNNVD-201405-055 | date: 2014-05-08T00:00:00
db: NVD | id: CVE-2014-3220 | date: 2014-05-05T17:06:05.840