Aug 02, 2023 - 12:00 a.m.

K000135449 : BIG-IP FIPS HSM password vulnerability CVE-2023-3470

Source: my.f5.com
Tags: big-ip, fips hsm, vulnerability, platforms, confidentiality, integrity

AI Score: 7.4 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 21.7%)

Security Advisory Description

Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account. Because the password is predictable, an authenticated attacker with TMOS Shell (tmsh) access to the BIG-IP system, or anyone with physical access to the FIPS HSM, has the information required to generate the correct password. On vCMP systems, all Guests share the same deterministic password, so anyone with tmsh access on one Guest can access FIPS HSM partitions belonging to other Guests.

The following BIG-IP hardware platforms are affected: 10350v-F, i5820-DF, i7820-DF, i15820-DF, 5250v-F, 7200v-F, 10200v-F, 6900-F, 8900-F, 11000-F, and 11050-F.

The BIG-IP rSeries r5920-DF and r10920-DF are not affected, nor does the issue affect software FIPS implementations or network HSM configurations. (CVE-2023-3470)

Impact

The Crypto User password provides full access to the FIPS HSM API, including all key management and cryptographic functions. This results in potential impact on confidentiality and integrity; there is no availability impact, as an administrator can disable or reinitialize the FIPS HSM.
