CVE-2019-6609

CRITICAL

F5 Big-ip Local Traffic Manager - Insufficiently Protected Credentials

Title source: rule

Description

Platform dependent weakness. This issue only impacts iSeries platforms. On these platforms, in BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 14.0.0-14.1.0.1, 13.0.0-13.1.1.3, and 12.1.1 HF2-12.1.4, the secureKeyCapable attribute was not set which causes secure vault to not use the F5 hardware support to store the unit key. Instead the unit key is stored in plaintext on disk as would be the case for Z100 systems. Additionally this causes the unit key to be stored in UCS files taken on these platforms.

References (1)

[Vendor Advisory] https://support.f5.com/csp/article/K18535734

Scores

CVSS v3 9.8

EPSS 0.0047

EPSS Percentile 64.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-522

Status published

Affected Products (26)

f5/big-ip_local_traffic_manager < 12.1.4.1

f5/big-ip_local_traffic_manager

f5/big-ip_application_acceleration_manager < 12.1.4.1

f5/big-ip_application_acceleration_manager

f5/big-ip_advanced_firewall_manager < 12.1.4.1

f5/big-ip_advanced_firewall_manager

f5/big-ip_analytics < 12.1.4.1

f5/big-ip_analytics

f5/big-ip_access_policy_manager < 12.1.4.1

f5/big-ip_access_policy_manager

f5/big-ip_application_security_manager < 12.1.4.1

f5/big-ip_application_security_manager

f5/big-ip_domain_name_system < 12.1.4.1

f5/big-ip_domain_name_system

f5/big-ip_edge_gateway < 12.1.4.1

... and 11 more

Timeline

Published Apr 15, 2019

Tracked Since Feb 18, 2026