F5 BIG-IP and Enterprise Manager may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings. (CVE-2019-6649)
Impact
The vulnerability is only present when the system is configured for high availability (HA) and either of the following settings is used:
Note: Port Lockdown defaults to Allow None.
tmsh list /sys db configsync.allowmanagement
Note: This is an uncommon configuration.
Systems that are not running with either configuration are not affected.
Note: BIG-IQ systems and iWorkflow systems are not affected.
In both of the previously described configurations, a malicious actor may be able to connect to the interface used for ConfigSync to extract and/or modify sensitive information on the system.
Additionally, when ConfigSync is configured to use the management interface, sensitive information may be transmitted unencrypted, risking information disclosure to and modification by anyone in the path of the traffic.