A vulnerability exists in an undisclosed BIG-IP Configuration utility page that may allow an attacker to spoof error messages. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Weakness
The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Big-ip_access_policy_manager | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_advanced_firewall_manager | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_advanced_web_application_firewall | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_analytics | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_application_acceleration_manager | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_application_security_manager | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_application_visibility_and_reporting | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_automation_toolchain | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_carrier-grade_nat | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_container_ingress_services | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_ddos_hybrid_defender | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_domain_name_system | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_edge_gateway | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_fraud_protection_service | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_global_traffic_manager | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_link_controller | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_local_traffic_manager | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_policy_enforcement_manager | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_ssl_orchestrator | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_webaccelerator | F5 | 16.1.0 (including) | 16.1.6 (including) |
| Big-ip_websafe | F5 | 16.1.0 (including) | 16.1.6 (including) |
Extended Description
If an attacker can cause the UI to display erroneous data, or to otherwise convince the user to display information that appears to come from a trusted source, then the attacker could trick the user into performing the wrong action. This is often a component in phishing attacks, but other kinds of problems exist. For example, if the UI is used to monitor the security state of a system or network, then omitting or obscuring an important indicator could prevent the user from detecting and reacting to a security-critical event. UI misrepresentation can take many forms:
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/154.html
- https://cwe.mitre.org/data/definitions/163.html
- https://cwe.mitre.org/data/definitions/164.html
- https://cwe.mitre.org/data/definitions/173.html
- https://cwe.mitre.org/data/definitions/98.html