CVE Vulnerabilities

CVE-2019-6609

Insufficiently Protected Credentials

Published: Apr 15, 2019 | Modified: Aug 24, 2020
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3
Ubuntu

Platform dependent weakness. This issue only impacts iSeries platforms. On these platforms, in BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 14.0.0-14.1.0.1, 13.0.0-13.1.1.3, and 12.1.1 HF2-12.1.4, the secureKeyCapable attribute was not set which causes secure vault to not use the F5 hardware support to store the unit key. Instead the unit key is stored in plaintext on disk as would be the case for Z100 systems. Additionally this causes the unit key to be stored in UCS files taken on these platforms.

Weakness

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Affected Software

Name Vendor Start Version End Version
Big-ip_local_traffic_manager F5 12.1.2 (including) 12.1.4.1 (excluding)
Big-ip_local_traffic_manager F5 13.0.0 (including) 13.1.1.4 (excluding)
Big-ip_local_traffic_manager F5 14.0.0 (including) 14.1.0.2 (excluding)
Big-ip_local_traffic_manager F5 12.1.1-hf2 (including) 12.1.1-hf2 (including)

Potential Mitigations

References