Details of VAR-201507-0341

ID

VAR-201507-0341

CVE

CVE-2015-4637

TITLE

plural F5 BIG-IQ Series products REST API Vulnerable to obtaining an authentication token for arbitrary users

Trust: 0.8

sources: JVNDB: JVNDB-2015-003879

DESCRIPTION

The REST API in F5 BIG-IQ Cloud, Device, and Security 4.4.0 and 4.5.0 before HF2 and ADC 4.5.0 before HF2, when configured for LDAP remote authentication and the LDAP server allows anonymous BIND operations, allows remote attackers to obtain an authentication token for arbitrary users by guessing an LDAP user account name. Supplementary information : CWE Vulnerability type by CWE-17: Code ( code ) Has been identified. Multiple F5 BIG-IP products are prone to an authentication-bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may aid in further attacks. F5 BIG-IQ Cloud, etc. Cloud is a component that provides iApp lifecycle management and BIG-IP deployment in public and private clouds. Device is a component that provides device inventory, status, backup, update, upgrade and license management. Security is a centralized management component that provides F5 AFM and ASM security solutions. The following products and versions are affected: F5 BIG-IQ Cloud 4.4.0 to 4.5.0, Device 4.4.0 to 4.5.0, Security 4.4.0 to 4.5.0, ADC 4.5.0

Trust: 2.07

sources: NVD: CVE-2015-4637 // JVNDB: JVNDB-2015-003879 // BID: 75943 // VULHUB: VHN-82598 // VULMON: CVE-2015-4637

AFFECTED PRODUCTS

vendor:	f5	model:	big-iq cloud	scope:	eq	version:	4.4.0	Trust: 1.6
vendor:	f5	model:	big-iq adc	scope:	eq	version:	4.5.0	Trust: 1.6
vendor:	f5	model:	big-iq device	scope:	eq	version:	4.5.0	Trust: 1.6
vendor:	f5	model:	big-iq security	scope:	eq	version:	4.4.0	Trust: 1.6
vendor:	f5	model:	big-iq cloud	scope:	eq	version:	4.5.0	Trust: 1.6
vendor:	f5	model:	big-iq device	scope:	eq	version:	4.4.0	Trust: 1.6
vendor:	f5	model:	big-iq security	scope:	eq	version:	4.5.0	Trust: 1.6
vendor:	f5	model:	big-iq application delivery controller	scope:	lt	version:	4.5.0	Trust: 0.8
vendor:	f5	model:	big-iq application delivery controller	scope:	eq	version:	4.5.0 hf2	Trust: 0.8
vendor:	f5	model:	big-iq device	scope:	lt	version:	4.5.0	Trust: 0.8
vendor:	f5	model:	big-iq device	scope:	lt	version:	4.4.0	Trust: 0.8
vendor:	f5	model:	big-iq security	scope:	lt	version:	4.5.0	Trust: 0.8
vendor:	f5	model:	big-iq cloud	scope:	eq	version:	4.5.0 hf2	Trust: 0.8
vendor:	f5	model:	big-iq cloud	scope:	eq	version:	4.4.0 hf2	Trust: 0.8
vendor:	f5	model:	big-iq security	scope:	lt	version:	4.4.0	Trust: 0.8
vendor:	f5	model:	big-iq security	scope:	eq	version:	4.4.0 hf2	Trust: 0.8
vendor:	f5	model:	big-iq device	scope:	eq	version:	4.5.0 hf2	Trust: 0.8
vendor:	f5	model:	big-iq device	scope:	eq	version:	4.4.0 hf2	Trust: 0.8
vendor:	f5	model:	big-iq cloud	scope:	lt	version:	4.4.0	Trust: 0.8
vendor:	f5	model:	big-iq cloud	scope:	lt	version:	4.5.0	Trust: 0.8
vendor:	f5	model:	big-iq security	scope:	eq	version:	4.5.0 hf2	Trust: 0.8
vendor:	f5	model:	big-iq security	scope:	eq	version:	4.5	Trust: 0.3
vendor:	f5	model:	big-iq security	scope:	eq	version:	4.4	Trust: 0.3
vendor:	f5	model:	big-iq device	scope:	eq	version:	4.5	Trust: 0.3
vendor:	f5	model:	big-iq device	scope:	eq	version:	4.4	Trust: 0.3
vendor:	f5	model:	big-iq cloud	scope:	eq	version:	4.5	Trust: 0.3
vendor:	f5	model:	big-iq cloud	scope:	eq	version:	4.4	Trust: 0.3
vendor:	f5	model:	big-iq adc	scope:	eq	version:	4.5	Trust: 0.3
vendor:	f5	model:	big-iq security hf2	scope:	ne	version:	4.5	Trust: 0.3
vendor:	f5	model:	big-iq security hf2	scope:	ne	version:	4.4	Trust: 0.3
vendor:	f5	model:	big-iq device hf2	scope:	ne	version:	4.5	Trust: 0.3
vendor:	f5	model:	big-iq device hf2	scope:	ne	version:	4.4	Trust: 0.3
vendor:	f5	model:	big-iq cloud hf2	scope:	ne	version:	4.5	Trust: 0.3
vendor:	f5	model:	big-iq cloud hf2	scope:	ne	version:	4.4	Trust: 0.3
vendor:	f5	model:	big-iq adc hf2	scope:	ne	version:	4.5	Trust: 0.3

sources: BID: 75943 // JVNDB: JVNDB-2015-003879 // CNNVD: CNNVD-201507-624 // NVD: CVE-2015-4637

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-4637
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-4637
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201507-624
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-82598
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2015-4637
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-4637
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-82598
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-82598 // VULMON: CVE-2015-4637 // JVNDB: JVNDB-2015-003879 // CNNVD: CNNVD-201507-624 // NVD: CVE-2015-4637

PROBLEMTYPE DATA

problemtype:	CWE-310	Trust: 1.9
problemtype:	CWE-17	Trust: 1.1
problemtype:	CWE-Other	Trust: 0.8

sources: VULHUB: VHN-82598 // JVNDB: JVNDB-2015-003879 // NVD: CVE-2015-4637

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201507-624

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201507-624

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-003879

PATCH

title:

SOL16861: BIG-IQ remote authentication vulnerability CVE-2015-4637

url:

https://support.f5.com/kb/en-us/solutions/public/16000/800/sol16861.html

Trust: 0.8

sources: JVNDB: JVNDB-2015-003879

EXTERNAL IDS

db:	NVD	id:	CVE-2015-4637	Trust: 2.9
db:	JVNDB	id:	JVNDB-2015-003879	Trust: 0.8
db:	CNNVD	id:	CNNVD-201507-624	Trust: 0.7
db:	BID	id:	75943	Trust: 0.5
db:	VULHUB	id:	VHN-82598	Trust: 0.1
db:	VULMON	id:	CVE-2015-4637	Trust: 0.1

sources: VULHUB: VHN-82598 // VULMON: CVE-2015-4637 // BID: 75943 // JVNDB: JVNDB-2015-003879 // CNNVD: CNNVD-201507-624 // NVD: CVE-2015-4637

REFERENCES

url:	https://support.f5.com/kb/en-us/solutions/public/16000/800/sol16861.html	Trust: 2.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-4637	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-4637	Trust: 0.8
url:	http://www.f5.com/products/big-ip/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/310.html	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/17.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.securityfocus.com/bid/75943	Trust: 0.1

sources: VULHUB: VHN-82598 // VULMON: CVE-2015-4637 // BID: 75943 // JVNDB: JVNDB-2015-003879 // CNNVD: CNNVD-201507-624 // NVD: CVE-2015-4637

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 75943

SOURCES

db:	VULHUB	id:	VHN-82598
db:	VULMON	id:	CVE-2015-4637
db:	BID	id:	75943
db:	JVNDB	id:	JVNDB-2015-003879
db:	CNNVD	id:	CNNVD-201507-624
db:	NVD	id:	CVE-2015-4637

LAST UPDATE DATE

2024-11-23T22:59:32.421000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-82598	date:	2015-07-21T00:00:00
db:	VULMON	id:	CVE-2015-4637	date:	2015-07-21T00:00:00
db:	BID	id:	75943	date:	2015-07-06T00:00:00
db:	JVNDB	id:	JVNDB-2015-003879	date:	2015-07-23T00:00:00
db:	CNNVD	id:	CNNVD-201507-624	date:	2015-07-23T00:00:00
db:	NVD	id:	CVE-2015-4637	date:	2024-11-21T02:31:27.063

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-82598	date:	2015-07-16T00:00:00
db:	VULMON	id:	CVE-2015-4637	date:	2015-07-16T00:00:00
db:	BID	id:	75943	date:	2015-07-06T00:00:00
db:	JVNDB	id:	JVNDB-2015-003879	date:	2015-07-23T00:00:00
db:	CNNVD	id:	CNNVD-201507-624	date:	2015-07-17T00:00:00
db:	NVD	id:	CVE-2015-4637	date:	2015-07-16T14:59:04.823