Details of VAR-201909-0075

ID

VAR-201909-0075

CVE

CVE-2019-6654

TITLE

plural BIG-IP Vulnerability related to input validation in product system

Trust: 0.8

sources: JVNDB: JVNDB-2019-009700

DESCRIPTION

On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (As defined in RFC 1812 section 5.3.7) on the control plane (management interface). This may allow attackers on an adjacent system to force BIG-IP into processing packets with spoofed source addresses. plural BIG-IP There is an input validation vulnerability in the product system.Information may be tampered with. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. A security vulnerability exists in the F5 BIG-IP. A remote attacker could exploit this vulnerability to perform unauthorized modification or cause a denial of service. The following products and versions are affected: F5 BIG-IP 14.0.0 to 14.1.2, 13.0.0 to 13.1.3, 12.1.0 to 12.1.5, 11.5.1 to 11.6.5

Trust: 1.71

sources: NVD: CVE-2019-6654 // JVNDB: JVNDB-2019-009700 // VULHUB: VHN-158089

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip analytics	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application acceleration manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip edge gateway	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip fraud protection service	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip global traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip link controller	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip local traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.1.2	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.0.8	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.0.7	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.0.2	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.1.3	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.0.5	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.1.1	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.0.6	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.1	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.0.4	Trust: 0.6

sources: JVNDB: JVNDB-2019-009700 // CNNVD: CNNVD-201909-1109 // NVD: CVE-2019-6654

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6654
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-6654
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201909-1109
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-158089
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2019-6654
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:N/I:P/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-158089
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:N/I:P/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6654
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2019-6654
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector:	ADJACENT NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-158089 // JVNDB: JVNDB-2019-009700 // CNNVD: CNNVD-201909-1109 // NVD: CVE-2019-6654

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-158089 // JVNDB: JVNDB-2019-009700 // NVD: CVE-2019-6654

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201909-1109

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201909-1109

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-009700

PATCH

title:	K45644893	url:	https://support.f5.com/csp/article/K45644893	Trust: 0.8
title:	F5 BIG-IP Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98526	Trust: 0.6

sources: JVNDB: JVNDB-2019-009700 // CNNVD: CNNVD-201909-1109

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6654	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-009700	Trust: 0.8
db:	CNNVD	id:	CNNVD-201909-1109	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.3600	Trust: 0.6
db:	VULHUB	id:	VHN-158089	Trust: 0.1

sources: VULHUB: VHN-158089 // JVNDB: JVNDB-2019-009700 // CNNVD: CNNVD-201909-1109 // NVD: CVE-2019-6654

REFERENCES

url:	https://support.f5.com/csp/article/k45644893	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6654	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6654	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2019.3600/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-privilege-escalation-via-martian-address-filtering-bypass-30393	Trust: 0.6

sources: VULHUB: VHN-158089 // JVNDB: JVNDB-2019-009700 // CNNVD: CNNVD-201909-1109 // NVD: CVE-2019-6654

SOURCES

db:	VULHUB	id:	VHN-158089
db:	JVNDB	id:	JVNDB-2019-009700
db:	CNNVD	id:	CNNVD-201909-1109
db:	NVD	id:	CVE-2019-6654

LAST UPDATE DATE

2024-11-23T23:11:44.473000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-158089	date:	2019-09-26T00:00:00
db:	JVNDB	id:	JVNDB-2019-009700	date:	2019-09-27T00:00:00
db:	CNNVD	id:	CNNVD-201909-1109	date:	2019-09-30T00:00:00
db:	NVD	id:	CVE-2019-6654	date:	2024-11-21T04:46:53.507

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-158089	date:	2019-09-25T00:00:00
db:	JVNDB	id:	JVNDB-2019-009700	date:	2019-09-27T00:00:00
db:	CNNVD	id:	CNNVD-201909-1109	date:	2019-09-25T00:00:00
db:	NVD	id:	CVE-2019-6654	date:	2019-09-25T19:15:10.767