CVE-2019-6665
📋 TL;DR
This vulnerability allows an attacker who can access communication between BIG-IP ASM Central Policy Builder and management systems (BIG-IQ/Enterprise Manager/iWorkflow) to intercept and proxy traffic. This affects multiple F5 BIG-IP, BIG-IQ, iWorkflow, and Enterprise Manager versions. Attackers could potentially view or manipulate sensitive configuration data.
💻 Affected Systems
- BIG-IP ASM
- BIG-IQ
- iWorkflow
- Enterprise Manager
📦 What is this software?
Big Ip Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete interception of all management traffic between systems, allowing attackers to steal credentials, modify configurations, inject malicious policies, or disrupt security operations.
Likely Case
Interception of specific management sessions leading to configuration data theft, policy manipulation, or unauthorized access to security management systems.
If Mitigated
Limited impact if the communication channels are already protected by additional encryption, or if network segmentation prevents an attacker from reaching the traffic.
🎯 Exploit Status
Exploitation requires network access to intercept traffic between specific F5 components. No public exploit code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Upgrade to BIG-IP ASM 15.1.0, 14.1.2.3, 14.0.1.2, 13.1.3.2 or later; BIG-IQ 6.1.0, 5.5.0 or later; iWorkflow 2.3.1 or later; Enterprise Manager 3.1.2 or later
Vendor Advisory: https://support.f5.com/csp/article/K26462555
Restart Required: Yes
Instructions:
1. Download the appropriate fixed version from F5 Downloads.
2. Back up the current configuration.
3. Apply the upgrade following F5 upgrade procedures.
4. Restart affected services.
5. Verify that communication between components is secure.
🔧 Temporary Workarounds
Network Segmentation
Isolate communication between BIG-IP ASM Central Policy Builder and management systems to prevent unauthorized access
Encryption Enhancement
Implement additional encryption layers (IPsec/VPN) for management traffic between affected components
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access communication channels between affected components
- Monitor network traffic between BIG-IP ASM Central Policy Builder and management systems for unusual patterns
🔍 How to Verify
Check if Vulnerable:
Check version numbers on each component:
- BIG-IP ASM: tmsh show sys version
- BIG-IQ: cat /etc/issue
- iWorkflow: f5-rest-node /shared/iworkflow/version
- Enterprise Manager: cat /etc/issue
Check Version:
- BIG-IP: tmsh show sys version | grep Version
- BIG-IQ: cat /etc/issue | grep BIG-IQ
- iWorkflow: f5-rest-node /shared/iworkflow/version
- Enterprise Manager: cat /etc/issue | grep Enterprise
Verify Fix Applied:
Verify version is patched: BIG-IP ASM 15.1.0+, 14.1.2.3+, 14.0.1.2+, 13.1.3.2+; BIG-IQ 6.1.0+, 5.5.0+; iWorkflow 2.3.1+; Enterprise Manager 3.1.2+
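The fixed versions above are per release branch, so a plain "newer than" comparison gives wrong answers (14.1.2.2 is vulnerable while 13.1.3.2 is fixed). The following added example, which is not part of the advisory or any F5 tooling, parses the Version field from `tmsh show sys version` output and checks it branch by branch against the fixed versions listed on this page; the sample tmsh output is constructed, and treating branches newer than the newest listed fix as patched is an assumption.

```python
import re

# Fixed versions taken from the advisory above, keyed by product.
# A version is compared only against the fixed version of its own
# major.minor branch; branches the advisory does not list return None.
FIXED = {
    "BIG-IP": ["15.1.0", "14.1.2.3", "14.0.1.2", "13.1.3.2"],
    "BIG-IQ": ["6.1.0", "5.5.0"],
    "iWorkflow": ["2.3.1"],
    "Enterprise Manager": ["3.1.2"],
}

# Constructed sample of `tmsh show sys version` output (not captured
# from a real device); only the Version line matters to the parser.
SAMPLE_TMSH = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.2.2
  Build       0.0.4
  Edition     Point Release 2
"""

def parse_version(text):
    """'14.1.2.3' -> (14, 1, 2, 3); tuples compare component-wise."""
    return tuple(int(p) for p in text.strip().split("."))

def version_from_tmsh(output):
    """Pull the Version field out of `tmsh show sys version` output."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no Version field found in tmsh output")
    return m.group(1)

def is_patched(product, version):
    """True/False when the branch is listed in the advisory, else None.
    Assumption: a branch newer than the newest fixed branch is patched."""
    v = parse_version(version)
    branch = v[:2]
    for fixed in FIXED[product]:
        f = parse_version(fixed)
        if f[:2] == branch:
            return v >= f          # same branch: at or above the fix
    newest = max(parse_version(f) for f in FIXED[product])
    if branch > newest[:2]:
        return True
    return None                    # branch not covered by the advisory

def check_bigip(tmsh_output):
    """Convenience wrapper: tmsh output -> patched / vulnerable / unknown."""
    return is_patched("BIG-IP", version_from_tmsh(tmsh_output))
```

A result of None means the branch is not in the advisory's fix list, so the device should be treated as unverified rather than safe.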
📡 Detection & Monitoring
Log Indicators:
- Unusual connection attempts between management components
- Failed authentication attempts on management interfaces
- Configuration changes from unexpected sources
Network Indicators:
- Unusual traffic patterns between BIG-IP ASM Central Policy Builder and management systems
- Unexpected proxy configurations
- Man-in-the-middle attack signatures
SIEM Query:
source="f5-*" AND (event_type="authentication_failure" OR event_type="configuration_change") AND dest_ip IN (management_system_ips)