Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-15321

When BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or 11.2.1-11.5.6, BIG-IQ Centralized Management 5.0.0-5.4.0 or 4.6.0, BIG-IQ Cloud and Orchestration 1.0.0, iWorkflow 2.1.0-2.3.0, or Enterprise Manager 3.1.1 is licensed for Appliance Mode, Admin and Resource administrator roles can by-pass BIG-IP Appliance Mode restrictions to overwrite critical system files. Attackers of high privilege level are able to overwrite critical system files which bypasses security controls in place to limit TMSH commands. This is possible with an administrator or resource administrator roles when granted TMSH. Resource administrator roles must have TMSH access in order to perform this attack.

Published

2018-10-31T14:29:00.470

Last Modified

2024-11-21T03:50:33.440

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 4.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

4.9

Weaknesses

Type: Primary
CWE-269

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	f5	big-ip_local_traffic_manager	≤ 11.5.6	Yes
Application	f5	big-ip_local_traffic_manager	≤ 11.6.3.2	Yes
Application	f5	big-ip_local_traffic_manager	≤ 12.1.3.5	Yes
Application	f5	big-ip_local_traffic_manager	≤ 13.1.0.7	Yes
Application	f5	big-ip_local_traffic_manager	≤ 14.0.0.2	Yes
Application	f5	big-ip_advanced_firewall_manager	≤ 11.5.6	Yes
Application	f5	big-ip_advanced_firewall_manager	≤ 11.6.3.2	Yes
Application	f5	big-ip_advanced_firewall_manager	≤ 12.1.3.5	Yes
Application	f5	big-ip_advanced_firewall_manager	≤ 13.1.0.7	Yes
Application	f5	big-ip_advanced_firewall_manager	≤ 14.0.0.2	Yes
Application	f5	big-ip_application_acceleration_manager	≤ 11.5.6	Yes
Application	f5	big-ip_application_acceleration_manager	≤ 11.6.3.2	Yes
Application	f5	big-ip_application_acceleration_manager	≤ 12.1.3.5	Yes
Application	f5	big-ip_application_acceleration_manager	≤ 13.1.0.7	Yes
Application	f5	big-ip_application_acceleration_manager	≤ 14.0.0.2	Yes
Application	f5	big-ip_analytics	≤ 11.5.6	Yes
Application	f5	big-ip_analytics	≤ 11.6.3.2	Yes
Application	f5	big-ip_analytics	≤ 12.1.3.5	Yes
Application	f5	big-ip_analytics	≤ 13.1.0.7	Yes
Application	f5	big-ip_analytics	≤ 14.0.0.2	Yes
Application	f5	big-ip_access_policy_manager	≤ 11.5.6	Yes
Application	f5	big-ip_access_policy_manager	≤ 11.6.3.2	Yes
Application	f5	big-ip_access_policy_manager	≤ 12.1.3.5	Yes
Application	f5	big-ip_access_policy_manager	≤ 13.1.0.7	Yes
Application	f5	big-ip_access_policy_manager	≤ 14.0.0.2	Yes
Application	f5	big-ip_protocol_security_module	≤ 11.5.6	Yes
Application	f5	big-ip_protocol_security_module	≤ 11.6.3.2	Yes
Application	f5	big-ip_protocol_security_module	≤ 12.1.3.5	Yes
Application	f5	big-ip_protocol_security_module	≤ 13.1.0.7	Yes
Application	f5	big-ip_protocol_security_module	≤ 14.0.0.2	Yes
Application	f5	big-ip_domain_name_system	≤ 11.5.6	Yes
Application	f5	big-ip_domain_name_system	≤ 11.6.3.2	Yes
Application	f5	big-ip_domain_name_system	≤ 12.1.3.5	Yes
Application	f5	big-ip_domain_name_system	≤ 13.1.0.7	Yes
Application	f5	big-ip_domain_name_system	≤ 14.0.0.2	Yes
Application	f5	big-ip_edge_gateway	≤ 11.5.6	Yes
Application	f5	big-ip_edge_gateway	≤ 11.6.3.2	Yes
Application	f5	big-ip_edge_gateway	≤ 12.1.3.5	Yes
Application	f5	big-ip_edge_gateway	≤ 13.1.0.7	Yes
Application	f5	big-ip_edge_gateway	≤ 14.0.0.2	Yes
Application	f5	big-ip_fraud_protection_service	≤ 11.5.6	Yes
Application	f5	big-ip_fraud_protection_service	≤ 11.6.3.2	Yes
Application	f5	big-ip_fraud_protection_service	≤ 12.1.3.5	Yes
Application	f5	big-ip_fraud_protection_service	≤ 13.1.0.7	Yes
Application	f5	big-ip_fraud_protection_service	≤ 14.0.0.2	Yes
Application	f5	big-ip_global_traffic_manager	≤ 11.5.6	Yes
Application	f5	big-ip_global_traffic_manager	≤ 11.6.3.2	Yes
Application	f5	big-ip_global_traffic_manager	≤ 12.1.3.5	Yes
Application	f5	big-ip_global_traffic_manager	≤ 13.1.0.7	Yes
Application	f5	big-ip_global_traffic_manager	≤ 14.0.0.2	Yes
Application	f5	big-ip_link_controller	≤ 11.5.6	Yes
Application	f5	big-ip_link_controller	≤ 11.6.3.2	Yes
Application	f5	big-ip_link_controller	≤ 12.1.3.5	Yes
Application	f5	big-ip_link_controller	≤ 13.1.0.7	Yes
Application	f5	big-ip_link_controller	≤ 14.0.0.2	Yes
Application	f5	big-ip_policy_enforcement_manager	≤ 11.5.6	Yes
Application	f5	big-ip_policy_enforcement_manager	≤ 11.6.3.2	Yes
Application	f5	big-ip_policy_enforcement_manager	≤ 12.1.3.5	Yes
Application	f5	big-ip_policy_enforcement_manager	≤ 13.1.0.7	Yes
Application	f5	big-ip_policy_enforcement_manager	≤ 14.0.0.2	Yes
Application	f5	big-ip_webaccelerator	≤ 11.5.6	Yes
Application	f5	big-ip_webaccelerator	≤ 11.6.3.2	Yes
Application	f5	big-ip_webaccelerator	≤ 12.1.3.5	Yes
Application	f5	big-ip_webaccelerator	≤ 13.1.0.7	Yes
Application	f5	big-ip_webaccelerator	≤ 14.0.0.2	Yes
Application	f5	enterprise_manager	3.1.1	Yes
Application	f5	big-iq_centralized_management	≤ 5.4.0	Yes
Application	f5	big-iq_centralized_management	4.6.0	Yes
Application	f5	big-iq_cloud_and_orchestration	1.0.0	Yes
Application	f5	iworkflow	≤ 2.3.0	Yes

References

https://support.f5.com/csp/article/K01067037 Mitigation, Vendor Advisory ([email protected])
https://support.f5.com/csp/article/K01067037 Mitigation, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)