Details of VAR-201705-3546

ID

VAR-201705-3546

CVE

CVE-2017-6131

TITLE

F5 BIG-IP Vulnerabilities related to the use of hard-coded credentials

Trust: 0.8

sources: JVNDB: JVNDB-2017-004439

DESCRIPTION

In some circumstances, an F5 BIG-IP version 12.0.0 to 12.1.2 and 13.0.0 Azure cloud instance may contain a default administrative password which could be used to remotely log into the BIG-IP system. The impacted administrative account is the Azure instance administrative user that was created at deployment. The root and admin accounts are not vulnerable. An attacker may be able to remotely access the BIG-IP host via SSH. F5 BIG-IP Contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. F5BIG-IP is a load balancer that uses a variety of allocation algorithms to distribute network requests to available servers in a server cluster. By managing incoming web data traffic and increasing effective network bandwidth, network visitors get as much as possible. The hardware device for the best networking experience. A default password vulnerability exists in F5BIG-IP products. F5 BIG-IP Azure Products are prone to a security-bypass vulnerability. This may lead to further attacks. F5 BIG-IP LTM, etc. LTM is a local traffic manager; APM is a solution that provides secure unified access to business-critical applications and networks. The following products and versions are affected: F5 BIG-IP LTM version 12.0.0 through 12.1.2, version 13.0.0; BIG-IP AAM version 12.0.0 through 12.1.2, version 13.0.0; BIG-IP AFM Version 12.0.0 to Version 12.1.2, Version 13.0.0; BIG-IP APM Version 12.0.0 to Version 12.1.2, Version 13.0.0; BIG-IP ASM Version 12.0.0 to Version 12.1.2, Version 13.0. 0 version; BIG-IP DNS version 12.0.0 to 12.1.2, version 13.0.0; BIG-IP Link Controller version 12.0.0 to 12.1.2, version 13.0.0; BIG-IP PEM version 12.0.0 to version 12.1.2, version 13.0.0; BIG-IP WebSafe version 12.0.0 to version 12.1.2, version 13.0.0

Trust: 2.52

sources: NVD: CVE-2017-6131 // JVNDB: JVNDB-2017-004439 // CNVD: CNVD-2017-10163 // BID: 98659 // VULHUB: VHN-114334

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-10163

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip link controller	scope:	eq	version:	13.0.0	Trust: 3.0
vendor:	f5	model:	big-ip websafe	scope:	eq	version:	13.0.0	Trust: 2.4
vendor:	f5	model:	big-ip domain name system	scope:	eq	version:	13.0.0	Trust: 2.4
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.0.0	Trust: 1.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	13.0.0	Trust: 1.8
vendor:	f5	model:	big-ip application acceleration manager	scope:	eq	version:	13.0.0	Trust: 1.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	13.0.0	Trust: 1.8
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	13.0.0	Trust: 1.8
vendor:	f5	model:	big-ip policy enforcement manager	scope:	eq	version:	13.0.0	Trust: 1.8
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	12.0.0	Trust: 1.6
vendor:	f5	model:	big-ip domain name system	scope:	eq	version:	12.1.1	Trust: 1.6
vendor:	f5	model:	big-ip websafe	scope:	eq	version:	12.1.1	Trust: 1.6
vendor:	f5	model:	big-ip domain name system	scope:	eq	version:	12.0.0	Trust: 1.6
vendor:	f5	model:	big-ip websafe	scope:	eq	version:	12.1.0	Trust: 1.6
vendor:	f5	model:	big-ip domain name system	scope:	eq	version:	12.1.0	Trust: 1.6
vendor:	f5	model:	big-ip websafe	scope:	eq	version:	12.1.2	Trust: 1.6
vendor:	f5	model:	big-ip domain name system	scope:	eq	version:	12.1.2	Trust: 1.6
vendor:	f5	model:	big-ip policy enforcement manager	scope:	eq	version:	12.1.1	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	12.1.2	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	eq	version:	12.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	eq	version:	12.1.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	eq	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	eq	version:	12.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	eq	version:	12.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	eq	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	12.1.1	Trust: 1.0
vendor:	f5	model:	big-ip websafe	scope:	eq	version:	12.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	eq	version:	12.1.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.1	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	12.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.1.1	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	12.1.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	12.1.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	12.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	12.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.2	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	12.1.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.1.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.0.0 to 12.1.2	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.0.0 to 12.1.2	Trust: 0.8
vendor:	f5	model:	big-ip application acceleration manager	scope:	eq	version:	12.0.0 to 12.1.2	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	12.0.0 to 12.1.2	Trust: 0.8
vendor:	f5	model:	big-ip domain name system	scope:	eq	version:	12.0.0 to 12.1.2	Trust: 0.8
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	12.0.0 to 12.1.2	Trust: 0.8
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	12.0.0 to 12.1.2	Trust: 0.8
vendor:	f5	model:	big-ip policy enforcement manager	scope:	eq	version:	12.0.0 to 12.1.2	Trust: 0.8
vendor:	f5	model:	big-ip websafe	scope:	eq	version:	12.0.0 to 12.1.2	Trust: 0.8
vendor:	f5	model:	traffix sdc	scope:	-	version:	-	Trust: 0.6
vendor:	f5	model:	linerate	scope:	-	version:	-	Trust: 0.6
vendor:	f5	model:	big-iq cloud and orchestration	scope:	-	version:	-	Trust: 0.6
vendor:	f5	model:	big-iq centralized management	scope:	-	version:	-	Trust: 0.6
vendor:	f5	model:	big-iq adc	scope:	-	version:	-	Trust: 0.6
vendor:	f5	model:	big-iq security	scope:	-	version:	-	Trust: 0.6
vendor:	f5	model:	big-iq device	scope:	-	version:	-	Trust: 0.6
vendor:	f5	model:	big-iq cloud	scope:	-	version:	-	Trust: 0.6
vendor:	f5	model:	enterprise manager	scope:	-	version:	-	Trust: 0.6
vendor:	f5	model:	arx	scope:	-	version:	-	Trust: 0.6
vendor:	f5	model:	big-ip webaccelerator	scope:	-	version:	-	Trust: 0.6
vendor:	f5	model:	big-ip psm	scope:	-	version:	-	Trust: 0.6
vendor:	f5	model:	big-ip websafe	scope:	gte	version:	12.0.0,<=12.1.2	Trust: 0.6
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	12.0.0,<=12.1.2	Trust: 0.6
vendor:	f5	model:	big-ip gtm	scope:	-	version:	-	Trust: 0.6
vendor:	f5	model:	big-ip edge gateway	scope:	-	version:	-	Trust: 0.6
vendor:	f5	model:	big-ip analytics	scope:	-	version:	-	Trust: 0.6
vendor:	f5	model:	big-ip aam	scope:	gte	version:	12.0.0,<=12.1.2	Trust: 0.6
vendor:	f5	model:	big-ip aam	scope:	eq	version:	13.0.0	Trust: 0.6
vendor:	f5	model:	big-ip ltm	scope:	gte	version:	12.0.0<=12.1.2	Trust: 0.6
vendor:	f5	model:	big-ip ltm	scope:	eq	version:	13.0.0	Trust: 0.6
vendor:	f5	model:	big-ip afm	scope:	gte	version:	12.0.0<=12.1.2	Trust: 0.6
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.0.0	Trust: 0.6
vendor:	f5	model:	big-ip apm	scope:	gte	version:	12.0.0,<=12.1.2	Trust: 0.6
vendor:	f5	model:	big-ip apm	scope:	eq	version:	13.0.0	Trust: 0.6
vendor:	f5	model:	big-ip asm	scope:	gte	version:	12.0.0,<=12.1.2	Trust: 0.6
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.0.0	Trust: 0.6
vendor:	f5	model:	big-ip dns	scope:	gte	version:	12.0.0,<=12.1.2	Trust: 0.6
vendor:	f5	model:	big-ip dns	scope:	eq	version:	13.0.0	Trust: 0.6
vendor:	f5	model:	big-ip websafe	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip ltm	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip ltm	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip ltm	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip ltm	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip ltm	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip dns	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip dns	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip dns	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip dns	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip dns	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip aam	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip aam	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip aam	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip aam	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip aam	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip websafe hf2	scope:	ne	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip pem hf2	scope:	ne	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip ltm hf2	scope:	ne	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip ltm hf1	scope:	ne	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip link controller hf2	scope:	ne	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip dns hf1	scope:	ne	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	ne	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	ne	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip apm hf1	scope:	ne	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip afm hf2	scope:	ne	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip afm hf1	scope:	ne	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip aam hf2	scope:	ne	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip aam hf1	scope:	ne	version:	12.1.2	Trust: 0.3

sources: CNVD: CNVD-2017-10163 // BID: 98659 // JVNDB: JVNDB-2017-004439 // CNNVD: CNNVD-201702-789 // NVD: CVE-2017-6131

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-6131
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2017-6131
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2017-10163
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201702-789
value:	HIGH
Trust: 0.6
VULHUB:	VHN-114334
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2017-6131
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-10163
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-114334
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-6131
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-10163 // VULHUB: VHN-114334 // JVNDB: JVNDB-2017-004439 // CNNVD: CNNVD-201702-789 // NVD: CVE-2017-6131

PROBLEMTYPE DATA

problemtype:

CWE-798

Trust: 1.9

sources: VULHUB: VHN-114334 // JVNDB: JVNDB-2017-004439 // NVD: CVE-2017-6131

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-789

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201702-789

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-004439

PATCH

title:	K61757346: BIG-IP Azure cloud vulnerability CVE-2017-6131	url:	https://support.f5.com/csp/article/K61757346	Trust: 0.8
title:	F5BIG-IP default password vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/95884	Trust: 0.6

sources: CNVD: CNVD-2017-10163 // JVNDB: JVNDB-2017-004439

EXTERNAL IDS

db:	NVD	id:	CVE-2017-6131	Trust: 3.4
db:	SECTRACK	id:	1038569	Trust: 1.7
db:	JVNDB	id:	JVNDB-2017-004439	Trust: 0.8
db:	CNNVD	id:	CNNVD-201702-789	Trust: 0.7
db:	CNVD	id:	CNVD-2017-10163	Trust: 0.6
db:	BID	id:	98659	Trust: 0.4
db:	VULHUB	id:	VHN-114334	Trust: 0.1

sources: CNVD: CNVD-2017-10163 // VULHUB: VHN-114334 // BID: 98659 // JVNDB: JVNDB-2017-004439 // CNNVD: CNNVD-201702-789 // NVD: CVE-2017-6131

REFERENCES

url:	https://support.f5.com/csp/article/k61757346	Trust: 2.0
url:	http://www.securitytracker.com/id/1038569	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6131	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6131	Trust: 0.8
url:	http://securitytracker.com/id/1038569	Trust: 0.6
url:	http://www.f5.com/products/big-ip/	Trust: 0.3

sources: CNVD: CNVD-2017-10163 // VULHUB: VHN-114334 // BID: 98659 // JVNDB: JVNDB-2017-004439 // CNNVD: CNNVD-201702-789 // NVD: CVE-2017-6131

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 98659

SOURCES

db:	CNVD	id:	CNVD-2017-10163
db:	VULHUB	id:	VHN-114334
db:	BID	id:	98659
db:	JVNDB	id:	JVNDB-2017-004439
db:	CNNVD	id:	CNNVD-201702-789
db:	NVD	id:	CVE-2017-6131

LAST UPDATE DATE

2024-11-23T22:17:56.902000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-10163	date:	2017-06-19T00:00:00
db:	VULHUB	id:	VHN-114334	date:	2017-07-08T00:00:00
db:	BID	id:	98659	date:	2017-05-11T00:00:00
db:	JVNDB	id:	JVNDB-2017-004439	date:	2017-06-26T00:00:00
db:	CNNVD	id:	CNNVD-201702-789	date:	2017-05-31T00:00:00
db:	NVD	id:	CVE-2017-6131	date:	2024-11-21T03:29:06.483

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-10163	date:	2017-06-19T00:00:00
db:	VULHUB	id:	VHN-114334	date:	2017-05-23T00:00:00
db:	BID	id:	98659	date:	2017-05-11T00:00:00
db:	JVNDB	id:	JVNDB-2017-004439	date:	2017-06-26T00:00:00
db:	CNNVD	id:	CNNVD-201702-789	date:	2017-02-23T00:00:00
db:	NVD	id:	CVE-2017-6131	date:	2017-05-23T15:29:00.190