Sign-up

ID

VAR-202009-1232


CVE

CVE-2020-5929


TITLE

plural  BIG-IP  Product vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2020-011966

DESCRIPTION

In versions 13.0.0-13.0.0 HF2, 12.1.0-12.1.2 HF1, and 11.6.1-11.6.2, BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a Virtual Server configured with a Client SSL profile, and using Anonymous (ADH) or Ephemeral (DHE) Diffie-Hellman key exchange and Single DH use option not enabled in the options list may be vulnerable to crafted SSL/TLS Handshakes that may result with a PMS (Pre-Master Secret) that starts in a 0 byte and may lead to a recovery of plaintext messages as BIG-IP TLS/SSL ADH/DHE sends different error messages acting as an oracle. Similar error messages when PMS starts with 0 byte coupled with very precise timing measurement observation may also expose this vulnerability. plural BIG-IP The product contains unspecified vulnerabilities.Information may be obtained. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. Configuration utility is one of the configuration utilities. A security vulnerability exists in the F5 BIG-IP. The vulnerability originates from SSL/TLS ADH/DHE. An attacker could exploit this vulnerability to bypass access restrictions on data

Trust: 1.71

sources: NVD: CVE-2020-5929 // JVNDB: JVNDB-2020-011966 // VULHUB: VHN-184054

AFFECTED PRODUCTS

vendor:f5model:big-ip local traffic managerscope:eqversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:eqversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:eqversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:eqversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:eqversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:eqversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:eqversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:eqversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip analyticsscope:eqversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:ltversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:11.6.2

Trust: 1.0

vendor:f5model:ssl orchestratorscope:eqversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:eqversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:ssl orchestratorscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:eqversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:eqversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:11.6.2

Trust: 1.0

vendor:f5model:ssl orchestratorscope:ltversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:eqversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:ltversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:eqversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:eqversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip analyticsscope:eqversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:ltversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:eqversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:eqversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip link controllerscope:eqversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:ssl orchestratorscope:ltversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:ssl orchestratorscope:eqversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:ltversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:eqversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:eqversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:eqversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip link controllerscope:eqversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:eqversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip link controllerscope:eqversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip analyticsscope:eqversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:eqversion:11.6.2

Trust: 1.0

vendor:f5model:ssl orchestratorscope:eqversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:eqversion:12.1.2

Trust: 1.0

vendor:f5model:ssl orchestratorscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:eqversion:13.0.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:eqversion:11.6.2

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:12.1.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip advanced firewall managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip advanced web application firewallscope: - version: -

Trust: 0.8

vendor:f5model:big-ip analyticsscope: - version: -

Trust: 0.8

vendor:f5model:big-ip application acceleration managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip application security managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip ddos hybrid defenderscope: - version: -

Trust: 0.8

vendor:f5model:big-ip domain name systemscope: - version: -

Trust: 0.8

vendor:f5model:big-ip fraud protection servicescope: - version: -

Trust: 0.8

vendor:f5model:big-ip global traffic managerscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-011966 // NVD: CVE-2020-5929

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-5929
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-5929
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202009-590
value: MEDIUM

Trust: 0.6

VULHUB: VHN-184054
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2020-5929
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-184054
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-5929
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-5929
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-184054 // JVNDB: JVNDB-2020-011966 // CNNVD: CNNVD-202009-590 // NVD: CVE-2020-5929

PROBLEMTYPE DATA

problemtype:CWE-203

Trust: 1.1

problemtype:Lack of information (CWE-noinfo) [NVD Evaluation ]

Trust: 0.8

sources: VULHUB: VHN-184054 // JVNDB: JVNDB-2020-011966 // NVD: CVE-2020-5929

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-590

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202009-590

PATCH

title:K91158923url:https://support.f5.com/csp/article/K91158923

Trust: 0.8

title:F5 BIG-IP Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=128045

Trust: 0.6

sources: JVNDB: JVNDB-2020-011966 // CNNVD: CNNVD-202009-590

EXTERNAL IDS

db:NVDid:CVE-2020-5929

Trust: 2.5

db:JVNDBid:JVNDB-2020-011966

Trust: 0.8

db:CNNVDid:CNNVD-202009-590

Trust: 0.7

db:AUSCERTid:ESB-2020.3101.2

Trust: 0.6

db:AUSCERTid:ESB-2020.3101

Trust: 0.6

db:VULHUBid:VHN-184054

Trust: 0.1

sources: VULHUB: VHN-184054 // JVNDB: JVNDB-2020-011966 // CNNVD: CNNVD-202009-590 // NVD: CVE-2020-5929

REFERENCES

url:https://support.f5.com/csp/article/k91158923

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-5929

Trust: 1.4

url:https://www.auscert.org.au/bulletins/esb-2020.3101.2/

Trust: 0.6

url:https://vigilance.fr/vulnerability/f5-big-ip-information-disclosure-via-ssl-tls-adh-dhe-33290

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3101/

Trust: 0.6

sources: VULHUB: VHN-184054 // JVNDB: JVNDB-2020-011966 // CNNVD: CNNVD-202009-590 // NVD: CVE-2020-5929

SOURCES

db:VULHUBid:VHN-184054
db:JVNDBid:JVNDB-2020-011966
db:CNNVDid:CNNVD-202009-590
db:NVDid:CVE-2020-5929

LAST UPDATE DATE

2024-11-23T22:25:21.797000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-184054date:2021-07-21T00:00:00
db:JVNDBid:JVNDB-2020-011966date:2021-04-20T08:27:00
db:CNNVDid:CNNVD-202009-590date:2020-10-09T00:00:00
db:NVDid:CVE-2020-5929date:2024-11-21T05:34:50.820

SOURCES RELEASE DATE

db:VULHUBid:VHN-184054date:2020-09-25T00:00:00
db:JVNDBid:JVNDB-2020-011966date:2021-04-20T00:00:00
db:CNNVDid:CNNVD-202009-590date:2020-09-09T00:00:00
db:NVDid:CVE-2020-5929date:2020-09-25T14:15:13.970