CVE-2017-0305

9.8 CRITICAL

📋 TL;DR

CVE-2017-0305 is a critical vulnerability in the F5 SSL Intercept iApp that allows unauthenticated remote attackers to modify BIG-IP system configurations, extract sensitive files, and potentially execute commands. It affects organizations using F5 SSL Intercept iApp versions 1.5.0 through 1.5.7 with the Explicit Proxy feature and SNAT Auto Map enabled for egress traffic.

💻 Affected Systems

Products:
  • F5 SSL Intercept iApp
Versions: 1.5.0 - 1.5.7
Operating Systems: F5 BIG-IP
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when deployed with the Explicit Proxy feature plus the SNAT Auto Map option for egress traffic.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote command execution, configuration modification, and sensitive data exfiltration leading to full network control.

🟠 Likely Case

Unauthorized configuration changes and extraction of sensitive system files, potentially leading to credential theft and lateral movement.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a specific configuration but is straightforward once that configuration is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.8 or later

Vendor Advisory: https://support.f5.com/csp/article/K53244431

Restart Required: Yes

Instructions:

1. Upgrade to SSL Intercept iApp version 1.5.8 or later.
2. Apply the update through the F5 Configuration Utility.
3. Restart affected services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable SNAT Auto Map

all

Remove SNAT Auto Map configuration from Explicit Proxy deployments

tmsh modify ltm virtual <virtual_server_name> source-address-translation { type none }

Network Segmentation

all

Restrict access to SSL Intercept iApp management interfaces

🧯 If You Can't Patch

  • Disable Explicit Proxy feature or remove SNAT Auto Map configuration
  • Implement strict network access controls to limit exposure to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check iApp version and configuration:

1. Navigate to iApps > Application Services > SSL Intercept.
2. Verify whether the version is between 1.5.0 and 1.5.7.
3. Check if Explicit Proxy with SNAT Auto Map is configured.

Check Version:

tmsh list sys application service <app_name> | grep version

Verify Fix Applied:

Verify iApp version is 1.5.8 or later and SNAT Auto Map is disabled or removed from Explicit Proxy configuration.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized configuration changes in /var/log/ltm
  • Unexpected file access patterns
  • Unusual SNAT or proxy traffic patterns

Network Indicators:

  • Unexpected connections to SSL Intercept management interfaces
  • Anomalous traffic to/from proxy services

SIEM Query:

source="F5_BIGIP" AND (event_type="configuration_change" OR event_type="file_access") AND user="unknown"
