CVE-2016-5736

Name of the Vulnerable Software and Affected Versions F5 BIG-IP LTM, Analytics, APM, ASM, and Link Controller versions 11.2.1 through 11.2.1 before HF16, 11.4.x, 11.5.x through 11.5.3, 11.6.x through 11.6.0, and 12.x through 12.0.0 before HF2 F5 BIG-IP AAM, AFM, and PEM versions 11.4.x, 11.5.x through 11.5.3, 11.6.x through 11.6.0, and 12.x through 12.0.0 before HF2 F5 BIG-IP DNS versions 12.x through 12.0.0 before HF2 F5 BIG-IP Edge Gateway, WebAccelerator, and WOM version 11.2.1 before HF16 F5 BIG-IP GTM versions 11.2.1 through 11.2.1 before HF16, 11.4.x, 11.5.x through 11.5.3, and 11.6.x through 11.6.0 F5 BIG-IP PSM versions 11.4.0 through 11.4.1

Description The default configuration of the IPsec IKE peer listener in the affected F5 BIG-IP products improperly enables the anonymous IPsec IKE peer configuration object. This allows remote attackers to establish an IKE Phase 1 negotiation and possibly conduct brute-force attacks against Phase 2 negotiations.

Recommendations For F5 BIG-IP LTM, Analytics, APM, ASM, and Link Controller versions 11.2.1 through 11.2.1 before HF16, 11.4.x, 11.5.x through 11.5.3, 11.6.x through 11.6.0, and 12.x through 12.0.0 before HF2, update to a version that includes the HF16 or HF2 hotfix. For F5 BIG-IP AAM, AFM, and PEM versions 11.4.x, 11.5.x through 11.5.3, 11.6.x through 11.6.0, and 12.x through 12.0.0 before HF2, update to a version that includes the HF2 hotfix. For F5 BIG-IP DNS versions 12.x through 12.0.0 before HF2, update to a version that includes the HF2 hotfix. For F5 BIG-IP Edge Gateway, WebAccelerator, and WOM version 11.2.1 before HF16, update to a version that includes the HF16 hotfix. For F5 BIG-IP GTM versions 11.2.1 through 11.2.1 before HF16, 11.4.x, 11.5.x through 11.5.3, and 11.6.x through 11.6.0, update to a version that includes the HF16 or HF2 hotfix. For F5 BIG-IP PSM versions 11.4.0 through 11.4.1, update to a version that is not vulnerable.