History: Sep 19, 2019 - 12:00 a.m.

K05123525 : ConfigSync vulnerability CVE-2019-6649

2019-09-19 00:00:00
my.f5.com

AI Score: 8.9 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 53.9%)

Security Advisory Description

F5 BIG-IP and Enterprise Manager may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings. (CVE-2019-6649)

Impact

The vulnerability is only present when the system is configured for high availability (HA) and either of the following settings is used:

  • ConfigSync is using a self IP with Port Lockdown configured as Allow All.

Note: Port Lockdown defaults to Allow None.

  • ConfigSync is configured to use the management interface. The database variable configsync.allowmanagement must be set to enable to allow this configuration (default is disable). Check the configuration by typing the following command at the shell prompt:

tmsh list /sys db configsync.allowmanagement

Note: This is an uncommon configuration.

Systems that are not running with either configuration are not affected.

Note: BIG-IQ systems and iWorkflow systems are not affected.

In both of the previously described configurations, a malicious actor may be able to connect to the interface used for ConfigSync to extract and/or modify sensitive information on the system.

Additionally, when ConfigSync is configured to use the management interface, sensitive information may be transmitted unencrypted, risking information disclosure to and modification by anyone in the path of the traffic.
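The following triage script is an added example (not F5's code and not part of the advisory) that applies the two affected conditions above to tmsh output. It assumes the usual tmsh listing formats for sys db, for cm device (the configsync-ip field) and for net self (whose allow-service field is the Port Lockdown setting), and runs here on constructed sample listings.

```shell
#!/bin/sh
# Added assessment helper (not F5's code): flag whether a BIG-IP's ConfigSync
# setup matches either affected condition in K05123525. It parses the text of
# three tmsh listings (constructed samples below; on a device, use live output).

# Constructed samples shaped like tmsh output (format is an assumption).
SAMPLE_DB='sys db configsync.allowmanagement {
    value "disable"
}'
SAMPLE_DEV='cm device bigip1.example.com {
    configsync-ip 10.0.1.11
}'
SAMPLE_SELF='net self ha-self {
    address 10.0.1.11/24
    allow-service all
}
net self ext-self {
    address 192.0.2.10/24
    allow-service none
}'

# allow_service_for ADDR SELF_LISTING: print the allow-service (Port Lockdown)
# value of the self IP whose address, minus prefix length, equals ADDR.
allow_service_for() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^net self / { addr = ""; svc = "" }
        $1 == "address" { split($2, a, "/"); addr = a[1] }
        $1 == "allow-service" { svc = $2 }
        /^}/ { if (addr == want) { print svc; exit } }'
}

# configsync_exposed DB_LISTING DEV_LISTING SELF_LISTING
# Returns 0 (affected) when ConfigSync runs over the management interface or
# over a self IP with Port Lockdown Allow All; returns 1 otherwise.
configsync_exposed() {
    mgmt=$(printf '%s\n' "$1" | awk '$1 == "value" { gsub(/"/, "", $2); print $2 }')
    if [ "$mgmt" = "enable" ]; then
        echo "affected: ConfigSync uses the management interface"; return 0
    fi
    ip=$(printf '%s\n' "$2" | awk '$1 == "configsync-ip" { print $2 }')
    svc=$(allow_service_for "$ip" "$3")
    if [ "$svc" = "all" ]; then
        echo "affected: ConfigSync self IP $ip has Port Lockdown Allow All"; return 0
    fi
    echo "not affected: allowmanagement=$mgmt, self IP $ip allow-service=${svc:-unknown}"
    return 1
}
configsync_exposed "$SAMPLE_DB" "$SAMPLE_DEV" "$SAMPLE_SELF"
```

With the sample listings the ConfigSync self IP carries allow-service all, so the script reports the first condition; switching that self IP to allow-service none makes it report not affected unless configsync.allowmanagement is enable.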

