Details of VAR-202003-1563

ID

VAR-202003-1563

CVE

CVE-2020-5860

TITLE

BIG-IP and BIG-IQ Cryptographic strength vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2020-003527

DESCRIPTION

On BIG-IP 15.0.0-15.1.0.2, 14.1.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5.1, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, in a High Availability (HA) network failover in Device Service Cluster (DSC), the failover service does not require a strong form of authentication and HA network failover traffic is not encrypted by Transport Layer Security (TLS). BIG-IP and BIG-IQ There is a cryptographic strength vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Both F5 BIG-IP and F5 BIG-IQ are products of the US company F5. F5 BIG-IP is an application delivery platform that integrates functions such as network traffic management, application security management, and load balancing. F5 BIG-IQ is a software-based cloud management solution. The solution supports the deployment of application delivery and network services across public and private clouds, traditional data centers and hybrid environments. An attacker could exploit this vulnerability by implementing a man-in-the-middle attack to gain access to unencrypted HA network failover traffic. The following products and versions are affected: F5 BIG-IP 15.0.0 to 15.1.0.2, 14.1.0 to 14.1.2.3, 13.1.0 to 13.1.3.2, 12.1.0 to 12.1.5.1 , version 11.5.2 to version 11.6.5.1; BIG-IQ version 7.0.0, version 6.0.0 to version 6.1.0, version 5.2.0 to version 5.4.0

Trust: 1.71

sources: NVD: CVE-2020-5860 // JVNDB: JVNDB-2020-003527 // VULHUB: VHN-183985

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-iq centralized management	scope:	lte	version:	5.4.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-iq centralized management	scope:	eq	version:	7.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-iq centralized management	scope:	lte	version:	6.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-iq centralized management	scope:	gte	version:	5.2.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-iq centralized management	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip analytics	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application acceleration manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip domain name system	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip fraud protection service	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip global traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip link controller	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip local traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip policy enforcement manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-iq centralized management	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-003527 // NVD: CVE-2020-5860

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-5860
value:	HIGH
Trust: 1.0
NVD:	JVNDB-2020-003527
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202003-1654
value:	HIGH
Trust: 0.6
VULHUB:	VHN-183985
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-5860
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-003527
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-183985
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-5860
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.2
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-003527
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-183985 // JVNDB: JVNDB-2020-003527 // CNNVD: CNNVD-202003-1654 // NVD: CVE-2020-5860

PROBLEMTYPE DATA

problemtype:	CWE-287	Trust: 1.1
problemtype:	CWE-319	Trust: 1.1
problemtype:	CWE-326	Trust: 0.9

sources: VULHUB: VHN-183985 // JVNDB: JVNDB-2020-003527 // NVD: CVE-2020-5860

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-1654

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-202003-1654

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003527

PATCH

title:

K67472032

url:

https://support.f5.com/csp/article/K67472032

Trust: 0.8

sources: JVNDB: JVNDB-2020-003527

EXTERNAL IDS

db:	NVD	id:	CVE-2020-5860	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-003527	Trust: 0.8
db:	CNNVD	id:	CNNVD-202003-1654	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.1077.2	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1077	Trust: 0.6
db:	CNVD	id:	CNVD-2020-37906	Trust: 0.1
db:	VULHUB	id:	VHN-183985	Trust: 0.1

sources: VULHUB: VHN-183985 // JVNDB: JVNDB-2020-003527 // CNNVD: CNNVD-202003-1654 // NVD: CVE-2020-5860

REFERENCES

url:	https://support.f5.com/csp/article/k67472032	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-5860	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5860	Trust: 0.8
url:	https://vigilance.fr/vulnerability/f5-big-ip-man-in-the-middle-via-ha-network-failover-31894	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1077.2/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1077/	Trust: 0.6

sources: VULHUB: VHN-183985 // JVNDB: JVNDB-2020-003527 // CNNVD: CNNVD-202003-1654 // NVD: CVE-2020-5860

SOURCES

db:	VULHUB	id:	VHN-183985
db:	JVNDB	id:	JVNDB-2020-003527
db:	CNNVD	id:	CNNVD-202003-1654
db:	NVD	id:	CVE-2020-5860

LAST UPDATE DATE

2024-11-23T22:25:34.182000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-183985	date:	2021-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2020-003527	date:	2020-04-17T00:00:00
db:	CNNVD	id:	CNNVD-202003-1654	date:	2020-05-19T00:00:00
db:	NVD	id:	CVE-2020-5860	date:	2024-11-21T05:34:43.177

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-183985	date:	2020-03-27T00:00:00
db:	JVNDB	id:	JVNDB-2020-003527	date:	2020-04-17T00:00:00
db:	CNNVD	id:	CNNVD-202003-1654	date:	2020-03-27T00:00:00
db:	NVD	id:	CVE-2020-5860	date:	2020-03-27T15:15:12.443