PT-2015-6646 · F5 · F5 Big-Iq Cloud+3

Published 2015-07-16 · Updated 2015-07-21 · CVE-2015-4637

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

F5 BIG-IQ Cloud, Device, and Security versions 4.4.0 through 4.5.0 before HF2
F5 BIG-IQ ADC versions 4.5.0 before HF2

Description

The issue concerns the REST API when configured for LDAP remote authentication. If the LDAP server allows anonymous BIND operations, remote attackers can obtain an authentication token for arbitrary users by guessing an LDAP user account name.

Recommendations

For F5 BIG-IQ Cloud, Device, and Security versions 4.4.0 through 4.5.0 before HF2, apply HF2 to resolve the issue.
For F5 BIG-IQ ADC versions 4.5.0 before HF2, apply HF2 to resolve the issue.
As a temporary workaround, consider restricting anonymous BIND operations on the LDAP server until the issue is resolved.

Related identifiers

CVE-2015-4637

Affected products

F5 BIG-IQ ADC
F5 BIG-IQ Cloud
F5 BIG-IQ Device
F5 BIG-IQ Security