Sign-up

ID

VAR-201804-1266


CVE

CVE-2018-5511


TITLE

F5 BIG-IP Vulnerabilities in access control

Trust: 0.8

sources: JVNDB: JVNDB-2018-004370

DESCRIPTION

On F5 BIG-IP 13.1.0-13.1.0.3 or 13.0.0, when authenticated administrative users execute commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced. F5 BIG-IP Contains an access control vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. F5BIG-IPLTM and other products are products of American F5 Company. F5BIG-IPLTM is a local traffic manager; BIG-IPAAM is an application acceleration manager. An attacker could exploit this vulnerability to increase privileges. F5 BIG-IP LTM, etc. The following products and versions are affected: F5 BIG-IP LTM Release 13.1.0, Release 13.0.0; F5 BIG-IP AAM Release 13.1.0, Release 13.0.0; F5 BIG-IP AFM Release 13.1.0, Release 13.0.0 Versions; F5 BIG-IP Analytics Version 13.1.0, Version 13.0.0; F5 BIG-IP APM Version 13.1.0, Version 13.0.0; F5 BIG-IP ASM Version 13.1.0, Version 13.0.0; F5 BIG-IP APM Version 13.1.0, Version 13.0.0; IP DNS Version 13.1.0, Version 13.0.0; F5 BIG-IP Edge Gateway Version 13.1.0, Version 13.0.0; F5 BIG-IP GTM Version 13.1.0, Version 13.0.0; F5 BIG-IP Link Controller 13.1 .0 version, version 13.0.0; F5 BIG-IP PEM version 13.1.0, version 13.0.0; F5 BIG-IP WebAccelerator version 13.1.0, version 13.0.0; F5 BIG-IP WebSafe version 13.1.0, version 13.0 .0 version; F5 BIG-IP Enterprise Manager version 3.1.1

Trust: 2.25

sources: NVD: CVE-2018-5511 // JVNDB: JVNDB-2018-004370 // CNVD: CNVD-2018-09406 // VULHUB: VHN-135542

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-09406

AFFECTED PRODUCTS

vendor:f5model:big-ip domain name systemscope:eqversion:13.0.0

Trust: 2.4

vendor:f5model:big-ip domain name systemscope:eqversion:13.1.0

Trust: 2.4

vendor:f5model:big-ip enterprise managerscope:eqversion:3.1.1

Trust: 2.4

vendor:f5model:big-ip link controllerscope:eqversion:13.1.0

Trust: 2.4

vendor:f5model:big-ip policy enforcement managerscope:eqversion:13.0.0

Trust: 2.4

vendor:f5model:big-ip policy enforcement managerscope:eqversion:13.1.0

Trust: 2.4

vendor:f5model:big-ip webacceleratorscope:eqversion:13.0.0

Trust: 2.4

vendor:f5model:big-ip webacceleratorscope:eqversion:13.1.0

Trust: 2.4

vendor:f5model:big-ip websafescope:eqversion:13.0.0

Trust: 2.4

vendor:f5model:big-ip websafescope:eqversion:13.1.0

Trust: 2.4

vendor:f5model:big-ip access policy managerscope:eqversion:13.0.0

Trust: 1.8

vendor:f5model:big-ip access policy managerscope:eqversion:13.1.0

Trust: 1.8

vendor:f5model:big-ip advanced firewall managerscope:eqversion:13.0.0

Trust: 1.8

vendor:f5model:big-ip advanced firewall managerscope:eqversion:13.1.0

Trust: 1.8

vendor:f5model:big-ip analyticsscope:eqversion:13.0.0

Trust: 1.8

vendor:f5model:big-ip analyticsscope:eqversion:13.1.0

Trust: 1.8

vendor:f5model:big-ip application acceleration managerscope:eqversion:13.0.0

Trust: 1.8

vendor:f5model:big-ip application acceleration managerscope:eqversion:13.1.0

Trust: 1.8

vendor:f5model:big-ip application security managerscope:eqversion:13.0.0

Trust: 1.8

vendor:f5model:big-ip application security managerscope:eqversion:13.1.0

Trust: 1.8

vendor:f5model:big-ip edge gatewayscope:eqversion:13.0.0

Trust: 1.8

vendor:f5model:big-ip edge gatewayscope:eqversion:13.1.0

Trust: 1.8

vendor:f5model:big-ip global traffic managerscope:eqversion:13.0.0

Trust: 1.8

vendor:f5model:big-ip global traffic managerscope:eqversion:13.1.0

Trust: 1.8

vendor:f5model:big-ip link controllerscope:eqversion:13.0.0

Trust: 1.8

vendor:f5model:big-ip local traffic managerscope:eqversion:13.0.0

Trust: 1.8

vendor:f5model:big-ip local traffic managerscope:eqversion:13.1.0

Trust: 1.8

vendor:vmwaremodel:workstation playerscope:eqversion:15.0.2

Trust: 1.0

vendor:vmwaremodel:workstationscope:eqversion:14.1.5

Trust: 1.0

vendor:f5model:big-ipscope:gteversion:13.1.0,<=13.1.0.3

Trust: 0.6

sources: CNVD: CNVD-2018-09406 // JVNDB: JVNDB-2018-004370 // CNNVD: CNNVD-201804-702 // NVD: CVE-2018-5511

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-5511
value: HIGH

Trust: 1.0

NVD: CVE-2018-5511
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-09406
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201804-702
value: HIGH

Trust: 0.6

VULHUB: VHN-135542
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-5511
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-09406
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-135542
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-5511
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-09406 // VULHUB: VHN-135542 // JVNDB: JVNDB-2018-004370 // CNNVD: CNNVD-201804-702 // NVD: CVE-2018-5511

PROBLEMTYPE DATA

problemtype:CWE-470

Trust: 1.1

problemtype:CWE-284

Trust: 0.9

sources: VULHUB: VHN-135542 // JVNDB: JVNDB-2018-004370 // NVD: CVE-2018-5511

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201804-702

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201804-702

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-004370

PATCH
title:K30500703url:https://support.f5.com/csp/article/K30500703
Trust: 0.8
title:Patches for multiple F5 product privilege escalation vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/128797
Trust: 0.6
title:Multiple F5 Product security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=80111
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2018-09406 // 
            
            
            
            JVNDB: JVNDB-2018-004370 // 
            
            
            
            CNNVD: CNNVD-201804-702

EXTERNAL IDS
db:NVDid:CVE-2018-5511
Trust: 3.1
db:EXPLOIT-DBid:46600
Trust: 1.7
db:PACKETSTORMid:152213
Trust: 1.7
db:JVNDBid:JVNDB-2018-004370
Trust: 0.8
db:CNVDid:CNVD-2018-09406
Trust: 0.6
db:CNNVDid:CNNVD-201804-702
Trust: 0.6
db:VULHUBid:VHN-135542
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-09406 // 
            
            
            
            VULHUB: VHN-135542 // 
            
            
            
            JVNDB: JVNDB-2018-004370 // 
            
            
            
            CNNVD: CNNVD-201804-702 // 
            
            
            
            NVD: CVE-2018-5511

REFERENCES
url:https://support.f5.com/csp/article/k30500703
Trust: 2.3
url:http://packetstormsecurity.com/files/152213/vmware-host-vmx-process-impersonation-hijack-privilege-escalation.html
Trust: 2.3
url:https://www.exploit-db.com/exploits/46600/
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5511
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-5511
Trust: 0.8
url:https://www.exploit-db.com/exploits/46600
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2018-09406 // 
            
            
            
            VULHUB: VHN-135542 // 
            
            
            
            JVNDB: JVNDB-2018-004370 // 
            
            
            
            CNNVD: CNNVD-201804-702 // 
            
            
            
            NVD: CVE-2018-5511

CREDITS
Google Security Research,James Forshaw
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201804-702

SOURCES
db:CNVDid:CNVD-2018-09406
db:VULHUBid:VHN-135542
db:JVNDBid:JVNDB-2018-004370
db:CNNVDid:CNNVD-201804-702
db:NVDid:CVE-2018-5511

LAST UPDATE DATE
2024-11-23T22:12:33.276000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-09406date:2018-05-14T00:00:00
db:VULHUBid:VHN-135542date:2019-10-03T00:00:00
db:JVNDBid:JVNDB-2018-004370date:2018-06-19T00:00:00
db:CNNVDid:CNNVD-201804-702date:2019-10-08T00:00:00
db:NVDid:CVE-2018-5511date:2024-11-21T04:08:57.587

SOURCES RELEASE DATE
db:CNVDid:CNVD-2018-09406date:2018-05-14T00:00:00
db:VULHUBid:VHN-135542date:2018-04-13T00:00:00
db:JVNDBid:JVNDB-2018-004370date:2018-06-19T00:00:00
db:CNNVDid:CNNVD-201804-702date:2018-04-16T00:00:00
db:NVDid:CVE-2018-5511date:2018-04-13T13:29:00.847