CVE-2017-6144

Severity Score

7.4

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In F5 BIG-IP PEM 12.1.0 through 12.1.2 when downloading the Type Allocation Code (TAC) database file via HTTPS, the server's certificate is not verified. Attackers in a privileged network position may be able to launch a man-in-the-middle attack against these connections. TAC databases are used in BIG-IP PEM for Device Type and OS (DTOS) and Tethering detection. Customers not using BIG-IP PEM, not configuring downloads of TAC database files, or not using HTTP for that download are not affected.

En F5 BIG-IP PEM 12.1.0 hasta la versión 12.1.2, al descargar el archivo de base de datos Type Allocation Code (TAC) mediante HTTPS, el certificado del servidor no se verifica. Atacantes en una posición privilegiada de la red podrían ser capaces de lanzar un ataque Man-in-the-Middle (MitM) contra estas conexiones. Las bases de datos TAC se emplean en BIG-IP PEM para la detección de tipo de dispositivo y sistema operativo (DTOS) y Tethering. Los clientes que no emplean BIG-IP PEM, no configuran descargas de archivos de base de datos TAC o que no empleen HTTP para esa descarga no están afectados.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-02-21 CVE Reserved
2017-10-20 CVE Published
2023-05-08 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-295: Improper Certificate Validation

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://support.f5.com/csp/article/K81601350	2017-11-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
F5 Search vendor "F5"		Big-ip Policy Enforcement Manager Search vendor "F5" for product "Big-ip Policy Enforcement Manager"				12.1.0 Search vendor "F5" for product "Big-ip Policy Enforcement Manager" and version "12.1.0"		-		Affected
F5 Search vendor "F5"		Big-ip Policy Enforcement Manager Search vendor "F5" for product "Big-ip Policy Enforcement Manager"				12.1.1 Search vendor "F5" for product "Big-ip Policy Enforcement Manager" and version "12.1.1"		-		Affected
F5 Search vendor "F5"		Big-ip Policy Enforcement Manager Search vendor "F5" for product "Big-ip Policy Enforcement Manager"				12.1.2 Search vendor "F5" for product "Big-ip Policy Enforcement Manager" and version "12.1.2"		-		Affected