Details of VAR-201807-2198

ID

VAR-201807-2198

CVE

CVE-2018-5529

TITLE

F5 BIG-IP APM client Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2018-007937

DESCRIPTION

The svpn component of the F5 BIG-IP APM client prior to version 7.1.7 for Linux and Mac OS X runs as a privileged process and can allow an unprivileged user to assume super-user privileges on the local client host. A malicious local unprivileged user may gain knowledge of sensitive information, manipulate certain data, or disrupt service. F5 BIG-IP APM client Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. F5 BIG-IP APM Client is prone to a local privilege escalation vulnerability. Local attackers may exploit this issue to gain elevated privileges. The software primarily provides unified access to business-critical applications and networks. svpn is one of the VPN components. policyserver is one of the policy servers. There are security vulnerabilities in the svpn and policyserver components of F5 BIG-IP APM client versions earlier than 7.1.7.1 based on Linux and macOS platforms

Trust: 2.16

sources: NVD: CVE-2018-5529 // JVNDB: JVNDB-2018-007937 // BID: 104730 // VULHUB: VHN-135577 // VULHUB: VHN-135560 // VULMON: CVE-2018-5529

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	7.1.6.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip edge	scope:	gte	version:	7101	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	11.5.6	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	7.1.5	Trust: 1.0
vendor:	f5	model:	big-ip edge	scope:	lte	version:	7150	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.5.1 to 11.5.6	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.0 to 12.1.3	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.0.0 to 13.1.0	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	clients 7.1.5 to 7.1.6.1	Trust: 0.8
vendor:	f5	model:	big-ip edge client	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.0	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.5.2	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.1	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.5.4	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.5.3	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.5.1	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.5.5	Trust: 0.6
vendor:	f5	model:	big-ip edge client	scope:	eq	version:	7150	Trust: 0.3
vendor:	f5	model:	big-ip edge client	scope:	eq	version:	7101	Trust: 0.3
vendor:	f5	model:	big-ip apm clients	scope:	eq	version:	7.1.5	Trust: 0.3
vendor:	f5	model:	big-ip apm clients	scope:	eq	version:	7.1.6.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	13.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	12.1.3	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.6	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.5	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.2	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip apm clients	scope:	ne	version:	7.1.7	Trust: 0.3

sources: BID: 104730 // JVNDB: JVNDB-2018-007937 // CNNVD: CNNVD-201807-1120 // NVD: CVE-2018-5529

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-5529
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-5529
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201807-1120
value:	HIGH
Trust: 0.6
VULHUB:	VHN-135577
value:	HIGH
Trust: 0.1
VULHUB:	VHN-135560
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2018-5529
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-5529
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-135577
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1
VULHUB:	VHN-135560
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-5529
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-135577 // VULHUB: VHN-135560 // VULMON: CVE-2018-5529 // JVNDB: JVNDB-2018-007937 // CNNVD: CNNVD-201807-1120 // NVD: CVE-2018-5529

PROBLEMTYPE DATA

problemtype:	CWE-264	Trust: 1.0
problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-732	Trust: 0.1

sources: VULHUB: VHN-135577 // VULHUB: VHN-135560 // JVNDB: JVNDB-2018-007937 // NVD: CVE-2018-5529

THREAT TYPE

local

Trust: 0.9

sources: BID: 104730 // CNNVD: CNNVD-201807-1120

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201807-1120

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-007937

PATCH

title:	K52171282	url:	https://support.f5.com/csp/article/K52171282	Trust: 0.8
title:	F5 BIG-IP APM client svpn Fixes for component security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=82125	Trust: 0.6
title:	security-research	url:	https://github.com/mirchr/security-research	Trust: 0.1

sources: VULMON: CVE-2018-5529 // JVNDB: JVNDB-2018-007937 // CNNVD: CNNVD-201807-1120

EXTERNAL IDS

db:	NVD	id:	CVE-2018-5529	Trust: 3.0
db:	BID	id:	104730	Trust: 2.1
db:	JVNDB	id:	JVNDB-2018-007937	Trust: 0.8
db:	CNNVD	id:	CNNVD-201807-1120	Trust: 0.7
db:	CNNVD	id:	CNNVD-201808-560	Trust: 0.1
db:	SECTRACK	id:	1041510	Trust: 0.1
db:	VULHUB	id:	VHN-135577	Trust: 0.1
db:	VULHUB	id:	VHN-135560	Trust: 0.1
db:	VULMON	id:	CVE-2018-5529	Trust: 0.1

sources: VULHUB: VHN-135577 // VULHUB: VHN-135560 // VULMON: CVE-2018-5529 // BID: 104730 // JVNDB: JVNDB-2018-007937 // CNNVD: CNNVD-201807-1120 // NVD: CVE-2018-5529

REFERENCES

url:	http://www.securityfocus.com/bid/104730	Trust: 2.4
url:	https://support.f5.com/csp/article/k52171282	Trust: 2.1
url:	https://github.com/mirchr/security-research/blob/master/vulnerabilities/f5/cve-2018-5529.txt	Trust: 1.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5529	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-5529	Trust: 0.8
url:	http://www.f5.com/	Trust: 0.3
url:	https://support.f5.com/csp/article/k54431371	Trust: 0.1
url:	http://www.securitytracker.com/id/1041510	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/mirchr/security-research	Trust: 0.1

sources: VULHUB: VHN-135577 // VULHUB: VHN-135560 // VULMON: CVE-2018-5529 // BID: 104730 // JVNDB: JVNDB-2018-007937 // CNNVD: CNNVD-201807-1120 // NVD: CVE-2018-5529

CREDITS

Rich Mirch

Trust: 0.3

sources: BID: 104730

SOURCES

db:	VULHUB	id:	VHN-135577
db:	VULHUB	id:	VHN-135560
db:	VULMON	id:	CVE-2018-5529
db:	BID	id:	104730
db:	JVNDB	id:	JVNDB-2018-007937
db:	CNNVD	id:	CNNVD-201807-1120
db:	NVD	id:	CVE-2018-5529

LAST UPDATE DATE

2024-11-23T22:41:46.274000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-135577	date:	2019-10-03T00:00:00
db:	VULHUB	id:	VHN-135560	date:	2019-10-03T00:00:00
db:	VULMON	id:	CVE-2018-5529	date:	2019-10-03T00:00:00
db:	BID	id:	104730	date:	2018-07-12T00:00:00
db:	JVNDB	id:	JVNDB-2018-007937	date:	2018-10-02T00:00:00
db:	CNNVD	id:	CNNVD-201807-1120	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2018-5529	date:	2024-11-21T04:09:00.290

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-135577	date:	2018-08-17T00:00:00
db:	VULHUB	id:	VHN-135560	date:	2018-07-12T00:00:00
db:	VULMON	id:	CVE-2018-5529	date:	2018-07-12T00:00:00
db:	BID	id:	104730	date:	2018-07-12T00:00:00
db:	JVNDB	id:	JVNDB-2018-007937	date:	2018-10-02T00:00:00
db:	CNNVD	id:	CNNVD-201807-1120	date:	2018-07-13T00:00:00
db:	NVD	id:	CVE-2018-5529	date:	2018-07-12T18:29:00.577