7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
0.233 Low
EPSS
Percentile
96.1%
Added: 07/03/2012
CVE: CVE-2012-1493
BID: 53897
OSVDB: 82780
SSH Private keys are used for authentication for many F5 BIG-IP devices. Devices shipped with a default, static key are vulnerable to compromise if the public discovers the key. The private key can be re-used by an attacker to gain remote, privileged access to the device.
Vulnerable BIG-IP installations allow unauthenticated users to bypass authentication and login as the ‘root’ user on the following devices:
The vendor has indicated these versions are patched:
Note: Systems that are licensed to run in Appliance mode on BIG-IP version 10.2.1-HF3 or later are not susceptible to this vulnerability. For more information about Appliance mode, refer to SOL12815: Overview of Appliance mode.
<http://support.f5.com/kb/en-us/solutions/public/12000/800/sol12815.html>
The target must be running the ssh service in order for the exploit to succeed.
The OpenSSH client must be installed on the SAINTexploit host.
Linux
Unix