PT-2015-6646 · F5 · F5 BIG-IQ Cloud, Device, Security, ADC

Published

2015-07-16

·

Updated

2015-07-21

·

CVE-2015-4637

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

F5 BIG-IQ Cloud, Device, and Security versions 4.4.0 through 4.5.0 before HF2
F5 BIG-IQ ADC versions 4.5.0 before HF2

Description

The issue affects the BIG-IQ REST API when it is configured for LDAP remote authentication. If the backing LDAP server allows anonymous BIND operations, a remote attacker who guesses a valid LDAP user account name can obtain a REST API authentication token for that user without knowing its password.

Recommendations

For F5 BIG-IQ Cloud, Device, and Security versions 4.4.0 through 4.5.0 before HF2, apply HF2 to resolve the issue. For F5 BIG-IQ ADC versions 4.5.0 before HF2, apply HF2 to resolve the issue. As a temporary workaround until the hotfix is applied, restrict anonymous BIND operations on the LDAP server that BIG-IQ authenticates against.
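The workaround above only helps if the LDAP server really refuses password-less binds, so a practitioner will want to check that directly rather than trust a configuration file. The following probe is an added example written for this page, not F5 code and not part of the advisory. It speaks RFC 4511 wire format with only the Python standard library, sends a simple BIND and reports the server's resultCode. It tests two cases, because they are not always configured together: a true anonymous bind (empty DN, empty password) and the "unauthenticated" bind of RFC 4513 section 5.1.2 (a guessed DN with an empty password), which a server that permits anonymous access may accept as anonymous; the latter is the shape of request a guessed account name would produce. The host name, port and DNs passed on the command line are assumptions; the sample responses at the bottom are constructed, not captured from any real server.

```python
"""Probe whether an LDAP server accepts a simple BIND that carries no password.
Added example (not F5 code). Wire format per RFC 4511, encoded by hand in BER."""
import socket


def _ber_len(n):
    """BER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    """One BER element: tag, length, value."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def build_simple_bind(dn, password, message_id=1):
    """LDAPMessage{ messageID, BindRequest{ version 3, name dn, simple password } }.
    dn="" with password="" is an anonymous bind; a non-empty dn with an empty
    password is an 'unauthenticated' bind (RFC 4513 5.1.2)."""
    bind_request = _tlv(0x60,                                  # [APPLICATION 0] BindRequest
                        _tlv(0x02, b"\x03")                    # version INTEGER 3
                        + _tlv(0x04, dn.encode())              # name LDAPDN
                        + _tlv(0x80, password.encode()))       # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind_request)


def _read_tlv(buf, pos):
    """Decode the BER element at buf[pos:] -> (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                           # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse LDAPMessage."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg, 0)                         # messageID
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:                                          # [APPLICATION 1] BindResponse
        raise ValueError("unexpected protocolOp tag 0x%02x" % op_tag)
    _, code, pos = _read_tlv(op, 0)                             # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(op, pos)                    # matchedDN
    _, diag, _ = _read_tlv(op, pos)                             # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def bind_accepted(response):
    """True when the server answered resultCode success (0): the bind went through."""
    return parse_bind_response(response)[0] == 0


def probe(host, port=389, dn="", password="", timeout=5.0):
    """Send one simple bind to a live server and return (resultCode, diagnosticMessage)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_simple_bind(dn, password))
        return parse_bind_response(s.recv(4096))


# Constructed sample responses for offline use (not captured from a real server).
# Result codes here are < 128, so a single ENUMERATED content octet suffices.
def _bind_response(code, diag, message_id=1):
    op = _tlv(0x61, _tlv(0x0A, bytes([code])) + _tlv(0x04, b"") + _tlv(0x04, diag.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + op)


SAMPLE_SUCCESS = _bind_response(0, "")                                         # success
SAMPLE_ANON_REFUSED = _bind_response(48, "anonymous bind disallowed")          # inappropriateAuthentication
SAMPLE_UNAUTH_REFUSED = _bind_response(53, "unauthenticated bind disallowed")  # unwillingToPerform


if __name__ == "__main__":
    import sys
    host = sys.argv[1]                      # assumed: ldap host BIG-IQ authenticates against
    for dn in [""] + sys.argv[2:]:          # "" = anonymous; further args = guessed user DNs
        code, diag = probe(host, dn=dn)
        kind = "anonymous" if dn == "" else "unauthenticated as %r" % dn
        print("%s bind: resultCode=%d %s" % (kind, code, diag))
```

A server where both probes return a non-zero resultCode (OpenLDAP reports inappropriateAuthentication (48) for a refused anonymous bind and unwillingToPerform (53) for a refused unauthenticated bind) has the workaround in place; a success (0) on either means a password-less bind is still accepted and the hotfix should not be deferred. Run it against port 636 only through a TLS wrapper, since the probe speaks plain LDAP.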

Fix


Weakness Enumeration

Related Identifiers

CVE-2015-4637

Affected Products

F5 Big-Iq Adc
F5 Big-Iq Cloud
F5 Big-Iq Device
F5 Big-Iq Security