Details of VAR-201909-0134

ID

VAR-201909-0134

CVE

CVE-2019-6644

TITLE

plural BIG-IP Authorization vulnerabilities in products

Trust: 0.8

sources: JVNDB: JVNDB-2019-009068

DESCRIPTION

Similar to the issue identified in CVE-2018-12120, on versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, and 12.1.0-12.1.4 BIG-IP will bind a debug nodejs process to all interfaces when invoked. This may expose the process to unauthorized users if the plugin is left in debug mode and the port is accessible. plural BIG-IP The product contains an authorization vulnerability. This vulnerability CVE-2018-12120 Is the same vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. F5 BIG-IP AFM, etc. are all products of F5 Company in the United States. F5 BIG-IP AFM is an advanced firewall product used to protect against DDos attacks. F5 BIG-IP Analytics is a suite of web application performance analysis software. F5 BIG-IP ASM, a web application firewall (WAF), has security vulnerabilities in several F5 products. An attacker could exploit this vulnerability to execute code. The following products and versions are affected: F5 BIG-IP LTM Version 14.1.0, Version 14.0.0, Version 13.0.0 to Version 13.1.2, Version 12.1.3 to Version 12.1.4; BIG-IP AAM Version 14.1.0 , Version 14.0.0, Version 13.0.0 to Version 13.1.2, Version 12.1.3 to Version 12.1.4; BIG-IP AFM Version 14.1.0, Version 14.0.0, Version 13.0.0 to Version 13.1.2, 12.1.3 to 12.1.4; BIG-IP Analytics 14.1.0, 14.0.0, 13.0.0 to 13.1.2, 12.1.3 to 12.1.4; BIG-IP APM 14.1. 0, 14.0.0, 13.0.0 to 13.1.2, 12.1.3 to 12.1.4; BIG-IP ASM 14.1.0, 14.0.0, 13.0.0 to 13.1.2 Versions, 12.1.3 to 12.1.4; BIG-IP DNS 14.1.0, 14.0.0, 13.0.0 to 13.1.2, 12.1.3 to 12.1.4; BIG-IP Edge Gateway 14.1.0, 14.0.0, 13.0.0 to 13.1.2, 12.1.3 to 12.1.4; BIG-IP FPS 14.1.0, 14.0.0, 13.0.0 to Version 13.1.2, Version 12.1.3 to Version 12.1.4; BIG-IP GTM Version 14.1.0, Version 14.0.0, Version 13.0.0 to Version 13.1.2, Version 12.1.3 to Version 12.1

Trust: 1.8

sources: NVD: CVE-2019-6644 // JVNDB: JVNDB-2019-009068 // VULHUB: VHN-158079 // VULMON: CVE-2019-6644

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	13.1.2	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	13.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	13.1.2	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	13.1.2	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	13.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	13.1.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	13.1.2	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	13.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	13.1.2	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	13.1.2	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	13.1.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	13.1.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	13.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip analytics	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application acceleration manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip edge gateway	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip fraud protection service	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip global traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip link controller	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip local traffic manager	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2019-009068 // NVD: CVE-2019-6644

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6644
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2019-6644
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201908-647
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-158079
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2019-6644
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-6644
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-158079
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6644
baseSeverity:	CRITICAL
baseScore:	9.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	LOW
exploitabilityScore:	3.9
impactScore:	5.5
version:	3.1
Trust: 1.0
NVD:	CVE-2019-6644
baseSeverity:	CRITICAL
baseScore:	9.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	LOW
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-158079 // VULMON: CVE-2019-6644 // JVNDB: JVNDB-2019-009068 // CNNVD: CNNVD-201908-647 // NVD: CVE-2019-6644

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-285	Trust: 0.9

sources: VULHUB: VHN-158079 // JVNDB: JVNDB-2019-009068 // NVD: CVE-2019-6644

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-647

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201908-647

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-009068

PATCH

title:	K75532331	url:	https://support.f5.com/csp/article/K75532331	Trust: 0.8
title:	Multiple F5 Product security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=96350	Trust: 0.6

sources: JVNDB: JVNDB-2019-009068 // CNNVD: CNNVD-201908-647

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6644	Trust: 2.6
db:	JVNDB	id:	JVNDB-2019-009068	Trust: 0.8
db:	CNNVD	id:	CNNVD-201908-647	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.3052	Trust: 0.6
db:	VULHUB	id:	VHN-158079	Trust: 0.1
db:	VULMON	id:	CVE-2019-6644	Trust: 0.1

sources: VULHUB: VHN-158079 // VULMON: CVE-2019-6644 // JVNDB: JVNDB-2019-009068 // CNNVD: CNNVD-201908-647 // NVD: CVE-2019-6644

REFERENCES

url:	https://support.f5.com/csp/article/k75532331	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6644	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6644	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2019.3052/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-code-execution-via-iruleslx-debug-nodejs-29993	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-158079 // VULMON: CVE-2019-6644 // JVNDB: JVNDB-2019-009068 // CNNVD: CNNVD-201908-647 // NVD: CVE-2019-6644

SOURCES

db:	VULHUB	id:	VHN-158079
db:	VULMON	id:	CVE-2019-6644
db:	JVNDB	id:	JVNDB-2019-009068
db:	CNNVD	id:	CNNVD-201908-647
db:	NVD	id:	CVE-2019-6644

LAST UPDATE DATE

2024-11-23T20:17:19.410000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-158079	date:	2020-08-24T00:00:00
db:	VULMON	id:	CVE-2019-6644	date:	2020-08-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-009068	date:	2019-09-11T00:00:00
db:	CNNVD	id:	CNNVD-201908-647	date:	2020-08-25T00:00:00
db:	NVD	id:	CVE-2019-6644	date:	2024-11-21T04:46:52.253

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-158079	date:	2019-09-04T00:00:00
db:	VULMON	id:	CVE-2019-6644	date:	2019-09-04T00:00:00
db:	JVNDB	id:	JVNDB-2019-009068	date:	2019-09-11T00:00:00
db:	CNNVD	id:	CNNVD-201908-647	date:	2019-08-09T00:00:00
db:	NVD	id:	CVE-2019-6644	date:	2019-09-04T17:15:11.520