Strix
26.1K

CVE-2019-6675

CRITICALCVSS 9.8/10EPSS 0.90%

Last modified

CVE-2019-6675 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. BIG-IP configurations using Active Directory, LDAP, or Client Certificate LDAP for management authentication with multiple servers are exposed to a vulnerability which allows an authentication bypass. This can result in a complete compromise of the system. EPSS estimates a 0.90% chance of exploitation in the next 30 days.

Description

BIG-IP configurations using Active Directory, LDAP, or Client Certificate LDAP for management authentication with multiple servers are exposed to a vulnerability which allows an authentication bypass. This can result in a complete compromise of the system. This issue only impacts specific engineering hotfixes using the aforementioned authentication configuration. NOTE: This vulnerability does not affect any of the BIG-IP major, minor or maintenance releases you obtained from downloads.f5.com. The affected Engineering Hotfix builds are as follows: Hotfix-BIGIP-14.1.0.3.0.79.6-ENG.iso, Hotfix-BIGIP-14.1.0.3.0.97.6-ENG.iso, Hotfix-BIGIP-14.1.0.3.0.99.6-ENG.iso, Hotfix-BIGIP-14.1.0.5.0.15.5-ENG.iso, Hotfix-BIGIP-14.1.0.5.0.36.5-ENG.iso, Hotfix-BIGIP-14.1.0.5.0.40.5-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.11.9-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.14.9-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.68.9-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.70.9-ENG.iso, Hotfix-BIGIP-14.1.2.0.11.37-ENG.iso, Hotfix-BIGIP-14.1.2.0.18.37-ENG.iso, Hotfix-BIGIP-14.1.2.0.32.37-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.46.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.14.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.16.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.34.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.97.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.99.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.105.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.111.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.115.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.122.4-ENG.iso, Hotfix-BIGIP-15.0.1.0.33.11-ENG.iso, Hotfix-BIGIP-15.0.1.0.48.11-ENG.iso

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.90%

54.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
F5Big-Ip Link Controller>= 15.0.1.0.33.11-eng_hotfix, <= 15.0.1.0.48.11-eng_hotfix
F5Big-Ip Link Controller14.1.0.3.0.79.6-eng_hotfix
F5Big-Ip Link Controller14.1.0.3.0.97.6-eng_hotfix
F5Big-Ip Link Controller14.1.0.3.0.99.6-eng_hotfix
F5Big-Ip Link Controller14.1.0.5.0.15.5-eng_hotfix
F5Big-Ip Link Controller14.1.0.5.0.36.5-eng_hotfix
F5Big-Ip Link Controller14.1.0.5.0.40.5-eng_hotfix
F5Big-Ip Link Controller14.1.0.6.0.11.9-eng_hotfix
F5Big-Ip Link Controller14.1.0.6.0.14.9-eng_hotfix
F5Big-Ip Link Controller14.1.0.6.0.68.9-eng_hotfix
F5Big-Ip Link Controller14.1.0.6.0.70.9-eng_hotfix
F5Big-Ip Link Controller14.1.2.0.11.37-eng_hotfix
F5Big-Ip Link Controller14.1.2.0.18.37-eng_hotfix
F5Big-Ip Link Controller14.1.2.0.32.37-eng_hotfix
F5Big-Ip Link Controller14.1.2.1.0.14.4-eng_hotfix
F5Big-Ip Link Controller14.1.2.1.0.16.4-eng_hotfix
F5Big-Ip Link Controller14.1.2.1.0.34.4-eng_hotfix
F5Big-Ip Link Controller14.1.2.1.0.46.4-eng_hotfix
F5Big-Ip Link Controller14.1.2.1.0.97.4-eng_hotfix
F5Big-Ip Link Controller14.1.2.1.0.99.4-eng_hotfix
F5Big-Ip Link Controller14.1.2.1.0.105.4-eng_hotfix
F5Big-Ip Link Controller14.1.2.1.0.111.4-eng_hotfix
F5Big-Ip Link Controller14.1.2.1.0.115.4-eng_hotfix
F5Big-Ip Link Controller14.1.2.1.0.122.4-eng_hotfix
F5Big-Ip Access Policy Manager>= 15.0.1.0.33.11-eng_hotfix, <= 15.0.1.0.48.11-eng_hotfix
F5Big-Ip Access Policy Manager14.1.0.3.0.79.6-eng_hotfix
F5Big-Ip Access Policy Manager14.1.0.3.0.97.6-eng_hotfix
F5Big-Ip Access Policy Manager14.1.0.3.0.99.6-eng_hotfix
F5Big-Ip Access Policy Manager14.1.0.5.0.15.5-eng_hotfix
F5Big-Ip Access Policy Manager14.1.0.5.0.36.5-eng_hotfix
F5Big-Ip Access Policy Manager14.1.0.5.0.40.5-eng_hotfix
F5Big-Ip Access Policy Manager14.1.0.6.0.11.9-eng_hotfix
F5Big-Ip Access Policy Manager14.1.0.6.0.14.9-eng_hotfix
F5Big-Ip Access Policy Manager14.1.0.6.0.68.9-eng_hotfix
F5Big-Ip Access Policy Manager14.1.0.6.0.70.9-eng_hotfix
F5Big-Ip Access Policy Manager14.1.2.0.11.37-eng_hotfix
F5Big-Ip Access Policy Manager14.1.2.0.18.37-eng_hotfix
F5Big-Ip Access Policy Manager14.1.2.0.32.37-eng_hotfix
F5Big-Ip Access Policy Manager14.1.2.1.0.14.4-eng_hotfix
F5Big-Ip Access Policy Manager14.1.2.1.0.16.4-eng_hotfix
F5Big-Ip Access Policy Manager14.1.2.1.0.34.4-eng_hotfix
F5Big-Ip Access Policy Manager14.1.2.1.0.46.4-eng_hotfix
F5Big-Ip Access Policy Manager14.1.2.1.0.97.4-eng_hotfix
F5Big-Ip Access Policy Manager14.1.2.1.0.99.4-eng_hotfix
F5Big-Ip Access Policy Manager14.1.2.1.0.105.4-eng_hotfix
F5Big-Ip Access Policy Manager14.1.2.1.0.111.4-eng_hotfix
F5Big-Ip Access Policy Manager14.1.2.1.0.115.4-eng_hotfix
F5Big-Ip Access Policy Manager14.1.2.1.0.122.4-eng_hotfix
F5Big-Ip Advanced Firewall Manager>= 15.0.1.0.33.11-eng_hotfix, <= 15.0.1.0.48.11-eng_hotfix
F5Big-Ip Advanced Firewall Manager14.1.0.3.0.79.6-eng_hotfix

Showing 50 of 264 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2019-6675?
BIG-IP configurations using Active Directory, LDAP, or Client Certificate LDAP for management authentication with multiple servers are exposed to a vulnerability which allows an authentication bypass. This can result in a complete compromise of the system. This issue only impacts specific engineering hotfixes using the aforementioned authentication configuration. NOTE: This vulnerability does not affect any of the BIG-IP major, minor or maintenance releases you obtained from downloads.f5.com. The affected Engineering Hotfix builds are as follows: Hotfix-BIGIP-14.1.0.3.0.79.6-ENG.iso, Hotfix-BIGIP-14.1.0.3.0.97.6-ENG.iso, Hotfix-BIGIP-14.1.0.3.0.99.6-ENG.iso, Hotfix-BIGIP-14.1.0.5.0.15.5-ENG.iso, Hotfix-BIGIP-14.1.0.5.0.36.5-ENG.iso, Hotfix-BIGIP-14.1.0.5.0.40.5-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.11.9-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.14.9-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.68.9-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.70.9-ENG.iso, Hotfix-BIGIP-14.1.2.0.11.37-ENG.iso, Hotfix-BIGIP-14.1.2.0.18.37-ENG.iso, Hotfix-BIGIP-14.1.2.0.32.37-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.46.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.14.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.16.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.34.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.97.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.99.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.105.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.111.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.115.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.122.4-ENG.iso, Hotfix-BIGIP-15.0.1.0.33.11-ENG.iso, Hotfix-BIGIP-15.0.1.0.48.11-ENG.iso
How severe is CVE-2019-6675?
CVE-2019-6675 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 0.90% probability of exploitation in the next 30 days.
How do I fix CVE-2019-6675?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-6675?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST