CVE-2019-6649

9.1 CRITICAL

📋 TL;DR

This vulnerability in F5 BIG-IP and Enterprise Manager exposes sensitive information and allows system configuration modification when using non-default ConfigSync settings. Attackers can potentially access credentials and modify device configurations. Affected users are those running vulnerable versions with non-default ConfigSync configurations.

💻 Affected Systems

Products:
  • F5 BIG-IP
  • F5 Enterprise Manager
Versions: BIG-IP: 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, 11.5.1-11.5.9; Enterprise Manager: 3.1.1
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using non-default ConfigSync settings. Default configurations are not affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to steal credentials, modify configurations, intercept traffic, and potentially pivot to other network segments.

🟠

Likely Case

Unauthorized access to sensitive configuration data and credentials, leading to potential privilege escalation and network reconnaissance.

🟢

If Mitigated

Limited exposure if using default ConfigSync settings or proper network segmentation, though risk remains for misconfigured systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires knowledge of non-default ConfigSync configurations and network access to affected systems.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BIG-IP: 15.0.1, 14.1.0.7, 14.0.0.6, 13.1.2, 12.1.5, 11.6.5, 11.5.10; Enterprise Manager: 3.1.2

Vendor Advisory: https://support.f5.com/csp/article/K05123525

Restart Required: Yes

Instructions:

1. Download the appropriate patch from F5 Downloads.
2. Back up the current configuration.
3. Apply the patch following the F5 upgrade procedures.
4. Restart the affected services.
5. Verify the patch installation and functionality.

🔧 Temporary Workarounds

Revert to Default ConfigSync

Applies to: all

Change the ConfigSync settings back to the default configuration to eliminate the vulnerability:

tmsh modify /cm device-group <device-group-name> configsync-ip none

Restrict Network Access

Applies to: all

Limit network access to the ConfigSync port (4353/tcp) to trusted management networks only:

tmsh create /net route <route-name> network <trusted-network> gateway <gateway-ip>

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate BIG-IP management interfaces
  • Monitor ConfigSync traffic and configuration changes for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the BIG-IP version with 'tmsh show sys version' and verify whether non-default ConfigSync settings are in use with 'tmsh list /cm device-group'.

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify that the running version is a patched one with 'tmsh show sys version', and check that the ConfigSync settings are either default or properly secured.
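Comparing a version string by eye against seven affected ranges is error-prone, so the following added example (not part of this advisory or of any F5 tooling) classifies a BIG-IP version against the affected ranges listed above. The ranges and the fixed versions come from this page; the layout of the 'tmsh show sys version' output (a line starting with "Version") is an assumption, and the sample output embedded in the script is constructed. Enterprise Manager 3.1.1 is not covered by the script.

```shell
#!/bin/sh
# Added example: decide whether a BIG-IP version falls inside the affected
# ranges for CVE-2019-6649. Ranges are taken from the advisory text on this
# page; everything else (output format, sample data) is an assumption.

# Inclusive affected ranges, as "low:high" pairs (from the page). The fixed
# versions listed under "Official Fix" are the first versions past each range.
AFFECTED_RANGES="15.0.0:15.0.0 14.1.0:14.1.0.6 14.0.0:14.0.0.5 13.0.0:13.1.1.5 12.1.0:12.1.4.1 11.6.0:11.6.4 11.5.1:11.5.9"

# Compare two dotted version strings component by component, treating
# missing trailing components as 0. Prints -1, 0 or 1.
version_cmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print "-1"; exit }
      if (xi > yi) { print "1"; exit }
    }
    print "0"
  }'
}

# Return 0 (true) if the version in $1 lies inside any affected range.
is_affected_version() {
  for range in $AFFECTED_RANGES; do
    lo=${range%%:*}
    hi=${range##*:}
    if [ "$(version_cmp "$1" "$lo")" -ge 0 ] && [ "$(version_cmp "$1" "$hi")" -le 0 ]; then
      return 0
    fi
  done
  return 1
}

# Pull the version out of `tmsh show sys version` output on stdin.
# ASSUMPTION: the output contains a line whose first field is "Version".
version_from_tmsh_output() {
  awk '$1 == "Version" { print $2; exit }'
}

# Print a one-line verdict for a version string.
classify_version() {
  if is_affected_version "$1"; then
    echo "VULNERABLE $1"
  else
    echo "NOT-IN-AFFECTED-RANGE $1"
  fi
}

# Constructed sample output standing in for `tmsh show sys version`.
SAMPLE_TMSH_OUTPUT='Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.0.5
  Build       0.0.5
  Edition     Final'

# On a real device replace the sample with: tmsh show sys version | version_from_tmsh_output
ver=$(printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | version_from_tmsh_output)
classify_version "$ver"
```

A version outside every range is reported as NOT-IN-AFFECTED-RANGE rather than "patched", because the script only knows the ranges on this page; the ConfigSync check ('tmsh list /cm device-group') still has to be done separately, since a patched version is the fix and a default ConfigSync configuration is only a mitigation.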

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to ConfigSync services
  • Unexpected configuration changes in BIG-IP logs
  • Authentication failures on management interfaces

Network Indicators:

  • Unusual traffic on port 4353/tcp from untrusted sources
  • ConfigSync traffic to/from unexpected IP addresses

SIEM Query:

source="bigip_logs" AND (port=4353 OR "ConfigSync") AND (src_ip NOT IN trusted_networks)
