Vulnerabilities > CVE-2020-5879 - Missing Encryption of Sensitive Data vulnerability in F5 Big-Ip Application Security Manager

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

CWE-311

nessus

NVD

Published: 2020-04-30

Updated: 2021-07-21

Summary

On BIG-IP ASM 11.6.1-11.6.5.1, under certain configurations, the BIG-IP system sends data plane traffic to back-end servers unencrypted, even when a Server SSL profile is applied.

Vulnerable Configurations

Part	Description	Count
Application	F5 F5 BIG IP Application Security Manager 11.6.1 F5 BIG IP Application Security Manager 11.6.2 F5 BIG IP Application Security Manager 11.6.3 F5 BIG IP Application Security Manager 11.6.3.1 F5 BIG IP Application Security Manager 11.6.3.2 F5 BIG IP Application Security Manager 11.6.3.3 F5 BIG IP Application Security Manager 11.6.3.4 F5 BIG IP Application Security Manager 11.6.4 F5 BIG IP Application Security Manager 11.6.5 F5 BIG IP Application Security Manager 11.6.5.1	11

Common Weakness Enumeration (CWE)

CWE-311 - Missing Encryption of Sensitive Data

Common Attack Pattern Enumeration and Classification (CAPEC)

Interception
An attacker monitors data streams to or from a target in order to gather information. This attack may be undertaken to gather information to support a later attack or the data collected may be the end goal of the attack. This attack usually involves sniffing network traffic, but may include observing other types of data streams, such as radio. In most varieties of this attack, the attacker is passive and simply observes regular communication, however in some variants the attacker may attempt to initiate the establishment of a data stream or influence the nature of the data transmitted. However, in all variants of this attack, and distinguishing this attack from other data collection methods, the attacker is not the intended recipient of the data stream. Unlike some other data leakage attacks, the attacker is observing explicit data channels (e.g. network traffic) and reading the content. This differs from attacks that collect more qualitative information, such as communication volume, or other information not explicitly communicated via a data stream.
Screen Temporary Files for Sensitive Information
An attacker exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an attacker might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the attacker could recover this from the web cache.
Sniffing Attacks
An attacker monitors information transmitted between logical or physical nodes of a network. The attacker need not be able to prevent reception or change content but must simply be able to observe and read the traffic. The attacker might precipitate or indirectly influence the content of the observed transaction, but the attacker is never the intended recipient of the information. Any transmission medium can theoretically be sniffed if the attacker can listen to the contents between the sender and recipient.
Sniffing Network Traffic
An attacker monitoring network traffic between nodes of a public or multicast network. The attacker need not be able to prevent reception or change content but must simply be able to observe and read the traffic. The attacker might precipitate or indirectly influence the content of the observed transaction, but the attacker is never the intended recipient of the information. This differs from other sniffing attacks in that it is over a public network rather via some other communications channel, such as radio.
Lifting Sensitive Data from the Client
An attacker examines an available client application for the presence of sensitive information. This information may be stored in configuration files, embedded within the application itself, or stored in other ways. Sensitive information may include long-term keys, passwords, credit card or financial information, and other private material that the client uses in its interactions with the server. While servers are (hopefully) protected with professional security administrators, most users may be less skilled at protecting their clients. As a result, the user client may represent a weak link that an attacker can exploit. If an attacker can gain access to a client installation, they may be able to detect and lift sensitive information that could be used directly (such as financial information), or allow the attacker to subvert future communication between the client and the server. In some cases, it may not even be necessary to gain access to another user's installation - if all instances of the client software are embedded with the same sensitive information (for example, long term keys for communication with the server) then the attacker must simply find a way to gain their own copy of the client in order to perform this attack.

Nessus

NASL family	F5 Networks Local Security Checks
NASL id	F5_BIGIP_SOL88474783.NASL
description	Under certain configurations, the BIG-IP system sends data plane traffic to back-end servers unencrypted, even when a Server SSL profile is applied. (CVE-2020-5879) Impact The affected system sends some requests to the back-end server without encryption, possibly leaking sensitive data. Therequests affected by this vulnerability are processed by a virtual server associated with a DoS profile that has a CAPTCHA challenge configured.
last seen	2020-05-09
modified	2020-04-30
plugin id	136146
published	2020-04-30
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/136146
title	F5 Networks BIG-IP : BIG-IP DoS profile vulnerability (K88474783)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from F5 Networks BIG-IP Solution K88474783. # # The text description of this plugin is (C) F5 Networks. # include("compat.inc"); if (description) { script_id(136146); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/22"); script_cve_id("CVE-2020-5879"); script_name(english:"F5 Networks BIG-IP : BIG-IP DoS profile vulnerability (K88474783)"); script_summary(english:"Checks the BIG-IP version."); script_set_attribute( attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch." ); script_set_attribute( attribute:"description", value: "Under certain configurations, the BIG-IP system sends data plane traffic to back-end servers unencrypted, even when a Server SSL profile is applied. (CVE-2020-5879) Impact The affected system sends some requests to the back-end server without encryption, possibly leaking sensitive data. Therequests affected by this vulnerability are processed by a virtual server associated with a DoS profile that has a CAPTCHA challenge configured." ); script_set_attribute( attribute:"see_also", value:"https://support.f5.com/csp/article/K88474783" ); script_set_attribute( attribute:"solution", value: "Upgrade to one of the non-vulnerable versions listed in the F5 Solution K88474783." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-5879"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/30"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"F5 Networks Local Security Checks"); script_dependencies("f5_bigip_detect.nbin"); script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version"); exit(0); } include("f5_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); version = get_kb_item("Host/BIG-IP/version"); if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP"); if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix"); if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules"); sol = "K88474783"; vmatrix = make_array(); # ASM vmatrix["ASM"] = make_array(); vmatrix["ASM"]["affected" ] = make_list("11.6.1-11.6.5"); vmatrix["ASM"]["unaffected"] = make_list("12.0.0","11.6.5.2"); if (bigip_is_affected(vmatrix:vmatrix, sol:sol)) { if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get()); else security_warning(0); exit(0); } else { tested = bigip_get_tested_modules(); audit_extra = "For BIG-IP module(s) " + tested + ","; if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version); else audit(AUDIT_HOST_NOT, "running the affected module ASM"); }

References

https://support.f5.com/csp/article/K88474783