CVE-2017-6144

Name of the Vulnerable Software and Affected Versions F5 BIG-IP PEM versions 12.1.0 through 12.1.2

Description The issue concerns a lack of server certificate verification when downloading the Type Allocation Code (TAC) database file via HTTPS. This could allow attackers in a privileged network position to launch a man-in-the-middle attack. The TAC databases are utilized for Device Type and OS (DTOS) and Tethering detection.

Recommendations For F5 BIG-IP PEM versions 12.1.0 through 12.1.2, consider disabling the TAC database file download feature via HTTPS until a patch is available, or ensure that an alternative secure method is used for downloading these files to minimize the risk of exploitation.