Vulnerabilities > CVE-2017-6156 - Unspecified vulnerability in F5 products

047910
CVSS 6.4 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
LOW
Integrity impact
LOW
Availability impact
HIGH
network
high complexity
f5
nessus

Summary

When the F5 BIG-IP 12.1.0-12.1.1, 11.6.0-11.6.1, 11.5.1-11.5.5, or 11.2.1 system is configured with a wildcard IPSec tunnel endpoint, it may allow a remote attacker to disrupt or impersonate the tunnels that have completed phase 1 IPSec negotiations. The attacker must possess the necessary credentials to negotiate phase 1 of the IPSec exchange to exploit this vulnerability; in many environments, this limits the attack surface to other endpoints under the same administration.

Vulnerable Configurations

Part | Description | Count
Application | F5 | 219

Nessus

NASL family: F5 Networks Local Security Checks
NASL id: F5_BIGIP_SOL05263202.NASL
description: When the BIG-IP system is configured with a wildcard IPsec tunnel endpoint, it may allow a remote attacker to disrupt or impersonate the tunnels that have completed phase 1 IPsec negotiations. The attacker must possess the necessary credentials to negotiate the phase 1 of the IPsec exchange to exploit this vulnerability; in many environments, this limits the attack surface to other endpoints under the same administration. (CVE-2017-6156) Impact: A remote attacker may be able to disrupt or impersonate the tunnels that have completed phase 1 IPsec negotiations.
last seen: 2020-03-17
modified: 2018-11-02
plugin id: 118623
published: 2018-11-02
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/118623
title: F5 Networks BIG-IP : BIG-IP IPsec tunnel endpoint vulnerability (K05263202)
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution K05263202.
#
# The text description of this plugin is (C) F5 Networks.
#

include("compat.inc");

# Registration pass: when `description` is set, this block records the plugin's
# metadata (id, CVE, texts, CVSS vectors, CPEs, dates, dependencies) and then
# exits, so the check logic further down is not reached in that pass.
if (description)
{
  script_id(118623);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/09");

  script_cve_id("CVE-2017-6156");

  script_name(english:"F5 Networks BIG-IP : BIG-IP IPsec tunnel endpoint vulnerability (K05263202)");
  # The summary states that the check is based on the BIG-IP version.
  script_summary(english:"Checks the BIG-IP version.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote device is missing a vendor-supplied security patch."
  );
  # NOTE(review): the advisory text below makes the issue conditional on a
  # wildcard IPsec tunnel endpoint being configured. Nothing registered in this
  # block indicates that the tunnel configuration is inspected, so a finding
  # should be read as "affected version installed" and the IPsec configuration
  # confirmed on the device during triage.
  script_set_attribute(
    attribute:"description", 
    value:
"When the BIG-IP system is configured with a wildcard IPsec tunnel
endpoint, it may allow a remote attacker to disrupt or impersonate the
tunnels that have completed phase 1 IPsec negotiations. The attacker
must possess the necessary credentials to negotiate the phase 1 of the
IPsec exchange to exploit this vulnerability; in many environments,
this limits the attack surface to other endpoints under the same
administration. (CVE-2017-6156)

Impact

A remote attacker may be able to disrupt or impersonate the tunnels
that have completed phase 1 IPsec negotiations."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://support.f5.com/csp/article/K05263202"
  );
  # The remediation is an upgrade; the fixed versions are listed in the F5
  # solution article rather than in this text.
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade to one of the non-vulnerable versions listed in the F5
Solution K05263202."
  );
  # Both vectors are network-reachable and require authentication (Au:S in v2,
  # PR:L in v3), which appears consistent with the description's requirement
  # that the attacker hold credentials able to complete phase 1. The v3 vector
  # rates attack complexity high and availability impact high.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H");

  # "local" plugin type: the result is derived from data collected on the host
  # (see the required KB keys below), not from probing the IPsec service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  # One CPE entry per BIG-IP product the plugin is associated with, plus the
  # hardware platform entry.
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_webaccelerator");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/04/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/02");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  # Registered in the information-gathering category.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"F5 Networks Local Security Checks");

  # The plugin declares f5_bigip_detect.nbin as a dependency and requires the
  # four KB keys below; presumably the detection plugin populates them - confirm.
  # Without local (credentialed) checks the required keys are absent and the
  # host is not assessed by this plugin.
  script_dependencies("f5_bigip_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version");

  # End of the registration pass.
  exit(0);
}


include("f5_func.inc");

# Preconditions, checked in a fixed order so the audit message names the first
# missing input: local checks enabled, a BIG-IP version, the hotfix entry, and
# the module list.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

version = get_kb_item("Host/BIG-IP/version");
if (!version)
{
  audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
}

# The hotfix entry only has to exist (isnull test); an empty value is accepted.
if (isnull(get_kb_item("Host/BIG-IP/hotfix")))
{
  audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
}

if (!get_kb_item("Host/BIG-IP/modules"))
{
  audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");
}

# Solution article id handed to the F5 helper together with the version matrix.
sol = "K05263202";

# All ten module entries (AFM, AM, APM, ASM, AVR, GTM, LC, LTM, PEM, WAM) carry
# the same affected / unaffected version lists, so the matrix is filled from a
# single pair of lists.
# NOTE(review): the CVE-2017-6156 summary gives 11.6.0-11.6.1 as affected,
# while the list used here contains only 11.6.1 for that branch - confirm
# against K05263202 whether 11.6.0 should be covered as well.
k05263202_affected   = make_list("12.1.0-12.1.1","11.6.1","11.5.1-11.5.5","11.2.1");
k05263202_unaffected = make_list("13.0.0","12.1.2","11.6.1HF2","11.5.6");

vmatrix = make_array();
foreach k05263202_module (make_list("AFM","AM","APM","ASM","AVR","GTM","LC","LTM","PEM","WAM"))
{
  vmatrix[k05263202_module] = make_array();
  vmatrix[k05263202_module]["affected"  ] = k05263202_affected;
  vmatrix[k05263202_module]["unaffected"] = k05263202_unaffected;
}


# bigip_is_affected() receives the version matrix and the solution id. A true
# result is reported as a warning on port 0; otherwise the plugin audits out,
# naming the modules that were tested when there are any.
# NOTE(review): nothing in this script inspects the IPsec tunnel configuration,
# so a report here should be treated as "affected version present" and the
# wildcard tunnel endpoint condition verified on the device.
if (!bigip_is_affected(vmatrix:vmatrix, sol:sol))
{
  tested = bigip_get_tested_modules();
  audit_extra = "For BIG-IP module(s) " + tested + ",";
  if (!tested)
  {
    audit(AUDIT_HOST_NOT, "running any of the affected modules");
  }
  else
  {
    audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
  }
}
else
{
  # The helper's report text is attached only when verbosity is above zero.
  if (report_verbosity > 0)
  {
    security_warning(port:0, extra:bigip_report_get());
  }
  else
  {
    security_warning(0);
  }
  exit(0);
}