CVE-2023-3470
BIG-IP FIPS HSM password vulnerability CVE-2023-3470
Public Exploits: 0
Exploited in Wild: -
Descriptions
Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account. Because the password is predictable, an authenticated user with TMSH access to the BIG-IP system, or anyone with physical access to the FIPS HSM, has the information required to generate the correct password. On vCMP systems, all Guests share the same deterministic password, so a user with TMSH access on one Guest can access the keys of a different Guest.
The following BIG-IP hardware platforms are affected: 10350v-F, i5820-DF, i7820-DF, i15820-DF, 5250v-F, 7200v-F, 10200v-F, 6900-F, 8900-F, 11000-F, and 11050-F.
The BIG-IP rSeries r5920-DF and r10920-DF are not affected, nor does the issue affect software FIPS implementations or network HSM configurations.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
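The advisory text makes two conditions explicit: the device must be one of the listed Cavium Nitrox FIPS HSM hardware platforms, and it must run a software version in the ranges given in the table further down this page. The following script is an added example, not F5 code and not taken from K000135449: it combines both tables into one triage check over the output of `tmsh show sys version` and `tmsh show sys hardware`. It assumes tmsh's layout of a section header followed by indented "Key   Value" lines (a "Main Package" section with a "Version" field, and a "Platform" section with a "Name" field); the sample output produced by `sample_tmsh()` is constructed for the example, not captured from a device. It also shows the one comparison mistake that matters here: BIG-IP versions must be compared numerically per component, since a string comparison puts 14.1.10 before 14.1.4.

```python
"""Added example for CVE-2023-3470 (not F5 code, not from the advisory).

Combines the page's hardware-platform list and software-version ranges into
one check. The tmsh layout assumed (section header, then indented
"Key   Value" lines) is an assumption; sample_tmsh() builds constructed
output for the example.
"""

# Hardware platforms the page lists as affected (Cavium Nitrox FIPS HSM cards).
AFFECTED_PLATFORMS = {
    "10350v-f", "i5820-df", "i7820-df", "i15820-df", "5250v-f", "7200v-f",
    "10200v-f", "6900-f", "8900-f", "11000-f", "11050-f",
}
# rSeries FIPS appliances the page explicitly calls out as not affected.
EXCLUDED_PLATFORMS = {"r5920-df", "r10920-df"}

# Software ranges from the page's table: (low, high) means low <= v < high;
# low == high means exactly that one listed version.
AFFECTED_VERSIONS = [
    ("13.1.0", "13.1.4"),
    ("14.1.0", "14.1.4"),
    ("15.1.0", "15.1.0"),
]


def parse_version(text):
    """'13.1.3.4' -> (13, 1, 3, 4). Tuples compare per component, so 14.1.10
    sorts after 14.1.4; a plain string comparison would get that wrong."""
    return tuple(int(part) for part in text.strip().split("."))


def version_affected(version):
    """True if `version` falls inside one of the page's listed ranges."""
    v = parse_version(version)
    for low, high in AFFECTED_VERSIONS:
        lo, hi = parse_version(low), parse_version(high)
        if lo == hi:
            # Single listed version. Its point releases (15.1.0.x) are not in
            # the page's data, so they are deliberately not matched here.
            if v == lo:
                return True
        elif lo <= v < hi:
            return True
    return False


def section(text, header):
    """Indented lines that follow the tmsh section header `header`."""
    out, inside = [], False
    for line in text.splitlines():
        if inside:
            if line[:1] in (" ", "\t"):
                out.append(line)
                continue
            break
        inside = line.strip() == header
    return "\n".join(out)


def field(text, key):
    """Value of the first 'Key   Value' line whose key is `key`, else None."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == key:
            return parts[1].strip()
    return None


def platform_model(hardware_text):
    """Normalise 'BIG-IP i5820-DF' to 'i5820-df' for table lookup."""
    name = field(section(hardware_text, "Platform"), "Name")
    if name is None:
        return None
    name = name.lower()
    return name[len("big-ip "):] if name.startswith("big-ip ") else name


def assess(version_text, hardware_text):
    """Return (verdict, reason) for one device from its two tmsh outputs."""
    version = field(section(version_text, "Main Package"), "Version")
    model = platform_model(hardware_text)
    if version is None or model is None:
        return "unknown", "could not read software version or platform name"
    if model in EXCLUDED_PLATFORMS:
        return "not affected", f"{model} is an rSeries platform the advisory excludes"
    if model not in AFFECTED_PLATFORMS:
        return "not affected", f"{model} is not a listed Cavium Nitrox FIPS HSM platform"
    if version_affected(version):
        return "affected", f"{model} running {version} is in the listed ranges"
    return "unverified", (f"{model} is listed but {version} is outside the page's version "
                          "table; check K000135449 (EoTS versions were not evaluated)")


def sample_tmsh(version, platform_name):
    """Constructed tmsh-style output for the example (not real device output)."""
    version_text = ("Sys::Version\nMain Package\n  Product     BIG-IP\n"
                    f"  Version     {version}\n  Build       0.0.6\n")
    hardware_text = ("Sys::Hardware\nPlatform\n"
                     f"  Name        {platform_name}\n  Base MAC    00:00:00:00:00:00\n")
    return version_text, hardware_text


if __name__ == "__main__":
    for ver, plat in [("13.1.3.4", "BIG-IP i5820-DF"),  # point release inside 13.1.x range
                      ("14.1.10", "BIG-IP 7200v-F"),    # numerically above 14.1.4
                      ("15.1.0", "BIG-IP r10920-DF")]:  # excluded rSeries appliance
        print(ver, plat, "->", assess(*sample_tmsh(ver, plat)))
```

A listed platform on a version outside the table is reported as "unverified" rather than "not affected", because the page states that End of Technical Support versions were not evaluated; that case needs the F5 article, not this table.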
CVSS Scores
SSVC
- Decision: Track*
Timeline
- 2023-06-30 CVE Reserved
- 2023-08-02 CVE Published
- 2024-09-03 EPSS Updated
- 2024-10-22 CVE Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
- First Exploit: no date recorded
CWE
- CWE-287: Improper Authentication
- CWE-1391: Use of Weak Credentials
References (1)

URL | Date | Source
---|---|---
https://my.f5.com/manage/s/article/K000135449 | 2023-10-13 | -
Affected Vendors, Products, and Versions
Hardware platforms (the firmware entry is affected; the appliance it runs on is listed as the platform context):

Vendor | Product | Version | Status | Runs on | Platform status
---|---|---|---|---|---
F5 | BIG-IP 10350v-F Firmware | - | Affected | BIG-IP 10350v-F | Safe
F5 | BIG-IP i5820-DF Firmware | - | Affected | BIG-IP i5820-DF | Safe
F5 | BIG-IP i7820-DF Firmware | - | Affected | BIG-IP i7820-DF | Safe
F5 | BIG-IP i15820-DF Firmware | - | Affected | BIG-IP i15820-DF | Safe
F5 | BIG-IP 5250v-F Firmware | - | Affected | BIG-IP 5250v-F | Safe
F5 | BIG-IP 7200v-F Firmware | - | Affected | BIG-IP 7200v-F | Safe
F5 | BIG-IP 10200v-F Firmware | - | Affected | BIG-IP 10200v-F | Safe
F5 | BIG-IP 6900-F Firmware | - | Affected | BIG-IP 6900-F | Safe
F5 | BIG-IP 8900-F Firmware | - | Affected | BIG-IP 8900-F | Safe
F5 | BIG-IP 11000-F Firmware | - | Affected | BIG-IP 11000-F | Safe
F5 | BIG-IP 11050-F Firmware | - | Affected | BIG-IP 11050-F | Safe

Software modules (each product is listed with the same three version ranges):

Vendor | Product | Affected versions | Status
---|---|---|---
F5 | BIG-IP Access Policy Manager | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP Advanced Firewall Manager | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP Advanced Web Application Firewall | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP Analytics | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP Application Acceleration Manager | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP Application Security Manager | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP Application Visibility and Reporting | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP Carrier-Grade NAT | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP DDoS Hybrid Defender | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP Domain Name System | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP Edge Gateway | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP Fraud Protection Service | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP Global Traffic Manager | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP Link Controller | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP Local Traffic Manager | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP Policy Enforcement Manager | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP SSL Orchestrator | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP WebAccelerator | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected
F5 | BIG-IP WebSafe | >= 13.1.0 < 13.1.4; >= 14.1.0 < 14.1.4; 15.1.0 | Affected