CVE-2019-6609
📋 TL;DR
On F5 BIG-IP iSeries appliances running the affected versions, the Secure Vault unit key is written to disk in plaintext instead of being held only in the platform's hardware-protected storage. Anyone who can read the filesystem, or a UCS backup archive taken from it, can extract the key and use it to decrypt the secrets the configuration protects. Only iSeries hardware on the affected BIG-IP versions is in scope; other appliance models and virtual editions are not.
💻 Affected Systems
- F5 BIG-IP LTM
- F5 BIG-IP AAM
- F5 BIG-IP AFM
- F5 BIG-IP Analytics
- F5 BIG-IP APM
- F5 BIG-IP ASM
- F5 BIG-IP DNS
- F5 BIG-IP Edge Gateway
- F5 BIG-IP FPS
- F5 BIG-IP GTM
- F5 BIG-IP Link Controller
- F5 BIG-IP PEM
- F5 BIG-IP WebAccelerator
📦 What is this software?
Big Ip Application Acceleration Manager by F5
Big Ip Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
An attacker who obtains the unit key together with a copy of the configuration (on disk or in a UCS archive) can decrypt the secrets it protects: stored passwords, the private keys behind the device's SSL certificates, and other sensitive configuration values. That leads to compromise of the device and of the systems whose credentials it holds, and from there to lateral movement.
Likely Case
A privileged attacker with filesystem access, or with a copy of a UCS backup taken from the device, extracts the unit key and decrypts the sensitive elements of the configuration.
If Mitigated
With filesystem and UCS access restricted and monitored, the key is reachable only by administrators who already hold that access, so the vulnerability adds little to what they could already do.
🎯 Exploit Status
No exploit code is needed: exploitation is reading a file. Any route to the device's filesystem, or to a UCS backup archive wherever it is stored, is enough to locate and extract the unit key.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.1.0.2, 13.1.1.4, 12.1.4.1
Vendor Advisory: https://support.f5.com/csp/article/K18535734
Restart Required: Yes
Instructions:
1. Download the appropriate fixed version from F5 Downloads.
2. Back up the current configuration. Treat this UCS archive as sensitive: taken on a vulnerable version, it contains the plaintext unit key.
3. Install the update following F5's upgrade procedures.
4. Restart the system.
5. Verify that the secureKeyCapable attribute is set and that newly saved UCS archives no longer contain the plaintext unit key. Archives created before the upgrade still do; protect or discard them.
🔧 Temporary Workarounds
Restrict access to UCS backup files
Limit read access to UCS backup files to administrators, keep them off shared or world-readable storage, and save archives with a passphrase so the archive contents are encrypted at rest. Apply the same controls to every copy that leaves the device (backup servers, support tickets, engineer workstations).
Implement strict filesystem access controls
Restrict shell and SCP access to the appliance to the administrators who need it, and monitor for access attempts from other accounts or from unexpected sources.
🧯 If You Can't Patch
- Migrate to non-iSeries platforms if possible
- Implement enhanced monitoring for unauthorized filesystem access and UCS file access
🔍 How to Verify
Check if Vulnerable:
Confirm two things: the hardware is an iSeries model (the platform name reported by tmsh show sys hardware), and the BIG-IP version is older than the fixed release for its branch (14.1.0.2, 13.1.1.4, 12.1.4.1). A device meeting both, or one on which the secureKeyCapable attribute is not set, should be treated as vulnerable.
Check Version:
tmsh show sys version
Verify Fix Applied:
After patching, confirm the secureKeyCapable attribute is set and that a freshly saved UCS archive does not contain the plaintext unit key. Archives saved before the upgrade remain exposed and need separate handling.
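The checks above carried out in code: an added example, not F5 tooling and not from the page, that reads the text of tmsh show sys version and tmsh show sys hardware and classifies the device against the fixed releases this page lists. It assumes the platform model appears on a Name line under Platform in the hardware output and that iSeries models are named "BIG-IP i" followed by the model number; the sample output embedded below is constructed. Branches the page gives no fix for are reported as unknown rather than guessed.

```python
"""CVE-2019-6609 scope check (added example; not F5 tooling).

Combines the two facts the verification steps call for: the hardware
platform (only iSeries models are in scope) and the BIG-IP version
compared against the fixed releases named on this page. Input is the
text of `tmsh show sys version` and `tmsh show sys hardware`.
"""
import re

# Fixed releases from the page, keyed by the version prefix they cover.
# A version on one of these branches that is older than its fix is
# reported as affected. Branches the page lists no fix for are reported
# as "unknown_branch" so the reader consults the advisory instead.
FIXED_BY_BRANCH = {
    (14, 1): (14, 1, 0, 2),
    (13,): (13, 1, 1, 4),
    (12, 1): (12, 1, 4, 1),
}


def parse_version(text):
    """Main Package version from `tmsh show sys version`, as a 4-tuple."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)*)\s*$", text, re.M)
    if not m:
        raise ValueError("no Version line found")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def parse_platform(text):
    """Platform name from `tmsh show sys hardware`, e.g. 'BIG-IP i5800'.

    Assumption: the model appears on a 'Name' line under 'Platform'.
    """
    m = re.search(r"^\s*Name\s+(BIG-IP\s+\S+)\s*$", text, re.M)
    if not m:
        raise ValueError("no Platform Name line found")
    return m.group(1)


def is_iseries(platform):
    """iSeries models are named 'BIG-IP i' + model number (assumption)."""
    return re.fullmatch(r"BIG-IP i\d{4,5}", platform) is not None


def assess(version_text, hardware_text):
    """Classify: affected, fixed, not_iseries or unknown_branch."""
    version = parse_version(version_text)
    platform = parse_platform(hardware_text)
    result = {
        "platform": platform,
        "version": ".".join(str(n) for n in version),
        "status": "unknown_branch",
    }
    if not is_iseries(platform):
        result["status"] = "not_iseries"
        return result
    # Longest prefix first so 14.1.x is matched before any shorter key.
    for branch in sorted(FIXED_BY_BRANCH, key=len, reverse=True):
        if version[: len(branch)] == branch:
            fixed = FIXED_BY_BRANCH[branch]
            result["status"] = "fixed" if version >= fixed else "affected"
            break
    return result


# Constructed sample output (not captured from a real device).
SAMPLE_VERSION = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.0.1
  Build       0.0.7
  Edition     Final
"""

SAMPLE_HARDWARE = """\
Sys::Hardware
Platform
  Name                           BIG-IP i5800
  BIOS Revision                  BIOS (build: 1.0.0)
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_HARDWARE))
```

On a device, feed the script the saved output of the two tmsh commands; the status field is the answer, and "unknown_branch" means the version is on a branch this page gives no fix for, so check the vendor advisory rather than assuming either way.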
📡 Detection & Monitoring
Log Indicators:
- Shell, SCP or SFTP sessions from accounts or source addresses that should only use tmsh or the GUI
- Reads, copies, saves or loads of UCS archives (by default under /var/local/ucs) by users outside the backup process
- Failed authentication attempts to administrative interfaces
Network Indicators:
- Unusual file transfer activity from BIG-IP systems
- Unauthorized access to backup storage locations
SIEM Query:
source="bigip" AND (event_type="filesystem_access" OR file_path="*.ucs") AND user NOT IN [authorized_admin_list]