CVE-2018-5540
https://notcve.org/view.php?id=CVE-2018-5540
On F5 BIG-IP 13.0.0-13.0.1, 12.1.0-12.1.3.3, 11.6.0-11.6.3.1, or 11.5.1-11.5.6, Enterprise Manager 3.1.1, BIG-IQ Centralized Management 5.0.0-5.1.0, BIG-IQ Cloud and Orchestration 1.0.0, or F5 iWorkflow 2.1.0-2.3.0 the big3d process does not irrevocably minimize group privileges at start up. En F5 BIG-IP 13.0.0-13.0.1, 12.1.0-12.1.3.3, 11.6.0-11.6.3.1 o 11.5.1-11.5.6, Enterprise Manager 3.1.1, BIG-IQ Centralized Management 5.0.0-5.1.0, BIG-IQ Cloud and Orchestration 1.0.0 o F5 iWorkflow 2.1.0-2.3.0, el proceso big3d no no minimiza irrevocablemente los privilegios de grupo al arranque. • http://www.securityfocus.com/bid/104920 http://www.securitytracker.com/id/1041340 http://www.securitytracker.com/id/1041341 https://support.f5.com/csp/article/K82038789 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2018-5516
https://notcve.org/view.php?id=CVE-2018-5516
On F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.2, or 11.2.1-11.6.3.1, Enterprise Manager 3.1.1, BIG-IQ Centralized Management 5.0.0-5.4.0 or 4.6.0, BIG-IQ Cloud and Orchestration 1.0.0, or F5 iWorkflow 2.0.2-2.3.0, authenticated users granted TMOS Shell (tmsh) access can access objects on the file system which would normally be disallowed by tmsh restrictions. This allows for authenticated, low privileged attackers to exfiltrate objects on the file system which should not be allowed. En F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.2 o 11.2.1-11.6.3.1, Enterprise Manager 3.1.1, BIG-IQ Centralized Management 5.0.0-5.4.0 o 4.6.0, BIG-IQ Cloud and Orchestration 1.0.0 o F5 iWorkflow 2.0.2-2.3.0, los usuarios autenticados que tengan acceso TMOS Shell (tmsh) pueden acceder a objetos en el sistema de archivos a los que normalmente no tendrían acceso por las restricciones de tmsh. Esto permite que atacantes autenticados con bajos privilegios exfiltren objetos en el sistema de archivos, algo que no deberían poder hacer. • http://www.securitytracker.com/id/1040799 http://www.securitytracker.com/id/1040800 https://support.f5.com/csp/article/K37442533 • CWE-732: Incorrect Permission Assignment for Critical Resource •