F5:K61757346
May 22, 2017 - 12:00 a.m.

K61757346 : BIG-IP Azure cloud vulnerability CVE-2017-6131

2017-05-22 00:00:00
my.f5.com

AI Score: 9.6 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 64.8%)

Security Advisory Description

In some circumstances, a BIG-IP Azure cloud instance may contain a default administrative password which can be used to remotely log in to the BIG-IP system.

The affected administrative account is the Azure instance administrative user created at deployment. The root and admin accounts are not vulnerable.

This issue only affects BIG-IP Virtual Edition (VE) Azure instances and Azure Web Application Firewall solutions on the Azure Marketplace. This issue does not affect BIG-IP VE instances on any other cloud services. All BIG-IP VE Azure instances licensed for any product are affected by this vulnerability, except:

  • Instances deployed using solution templates.
  • Instances deployed using a password rather than a public key for the user-defined account during provisioning.

Note: For more information about deploying instances using solution templates, refer to the DevCentral Deploy BIG-IP VE in Microsoft Azure Using an ARM Template article.

Impact

An attacker may be able to remotely access the BIG-IP system using secure shell (SSH).

The CVSS 3.0 metrics for CVE-2017-6131

CVSS V3 score: 9.8 (base) / 8.7 (temporal) / 8.7 (environmental)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:W/RC:C
