CVE-2023-3470

Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account. The predictable nature of the password allows an authenticated user with TMSH access to the BIG-IP system, or anyone with physical access to the FIPS HSM, the information required to generate the correct password. On vCMP systems, all Guests share the same deterministic password, allowing those with TMSH access on one Guest to access keys of a different Guest.

The following BIG-IP hardware platforms are affected: 10350v-F, i5820-DF, i7820-DF, i15820-DF, 5250v-F, 7200v-F, 10200v-F, 6900-F, 8900-F, 11000-F, and 11050-F.

The BIG-IP rSeries r5920-DF and r10920-DF are not affected, nor does the issue affect software FIPS implementations or network HSM configurations.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Weakness

The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.

Affected Software

Name	Vendor	Start Version	End Version
Big-ip_access_policy_manager	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_access_policy_manager	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_access_policy_manager	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_advanced_firewall_manager	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_advanced_firewall_manager	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_advanced_firewall_manager	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_advanced_web_application_firewall	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_advanced_web_application_firewall	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_advanced_web_application_firewall	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_analytics	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_analytics	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_analytics	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_application_acceleration_manager	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_application_acceleration_manager	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_application_acceleration_manager	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_application_security_manager	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_application_security_manager	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_application_security_manager	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_application_visibility_and_reporting	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_application_visibility_and_reporting	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_application_visibility_and_reporting	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_carrier-grade_nat	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_carrier-grade_nat	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_carrier-grade_nat	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_ddos_hybrid_defender	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_ddos_hybrid_defender	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_ddos_hybrid_defender	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_domain_name_system	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_domain_name_system	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_domain_name_system	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_edge_gateway	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_edge_gateway	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_edge_gateway	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_fraud_protection_service	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_fraud_protection_service	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_fraud_protection_service	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_global_traffic_manager	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_global_traffic_manager	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_global_traffic_manager	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_link_controller	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_link_controller	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_link_controller	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_local_traffic_manager	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_local_traffic_manager	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_local_traffic_manager	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_policy_enforcement_manager	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_policy_enforcement_manager	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_policy_enforcement_manager	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_ssl_orchestrator	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_ssl_orchestrator	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_ssl_orchestrator	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_webaccelerator	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_webaccelerator	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_webaccelerator	F5	15.1.0 (including)	15.1.0 (including)
Big-ip_websafe	F5	13.1.0 (including)	13.1.4 (excluding)
Big-ip_websafe	F5	14.1.0 (including)	14.1.4 (excluding)
Big-ip_websafe	F5	15.1.0 (including)	15.1.0 (including)

Extended Description

By design, authentication protocols try to ensure that attackers must perform brute force attacks if they do not know the credentials such as a key or password. However, when these credentials are easily predictable or even fixed (as with default or hard-coded passwords and keys), then the attacker can defeat the mechanism without relying on brute force. Credentials may be weak for different reasons, such as:

Even if a new, unique credential is intended to be generated for each product installation, if the generation is predictable, then that may also simplify guessing attacks.

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-3470
CWE	https://cwe.mitre.org/data/definitions/1391.html

Use of Weak Credentials

Weakness

Affected Software

Extended Description

References