CVE-2017-6144

{"id": "CVE-2017-6144", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}]}, "published": "2017-10-20T15:29:00.427", "references": [{"url": "https://support.f5.com/csp/article/K81601350", "tags": ["Mitigation", "Vendor Advisory"], "source": "f5sirt@f5.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "In F5 BIG-IP PEM 12.1.0 through 12.1.2 when downloading the Type Allocation Code (TAC) database file via HTTPS, the server's certificate is not verified. Attackers in a privileged network position may be able to launch a man-in-the-middle attack against these connections. TAC databases are used in BIG-IP PEM for Device Type and OS (DTOS) and Tethering detection. Customers not using BIG-IP PEM, not configuring downloads of TAC database files, or not using HTTP for that download are not affected."}, {"lang": "es", "value": "En F5 BIG-IP PEM 12.1.0 hasta la versi\u00f3n 12.1.2, al descargar el archivo de base de datos Type Allocation Code (TAC) mediante HTTPS, el certificado del servidor no se verifica. Atacantes en una posici\u00f3n privilegiada de la red podr\u00edan ser capaces de lanzar un ataque Man-in-the-Middle (MitM) contra estas conexiones. Las bases de datos TAC se emplean en BIG-IP PEM para la detecci\u00f3n de tipo de dispositivo y sistema operativo (DTOS) y Tethering. Los clientes que no emplean BIG-IP PEM, no configuran descargas de archivos de base de datos TAC o que no empleen HTTP para esa descarga no est\u00e1n afectados."}], "lastModified": "2017-11-15T16:22:34.640", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:12.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "64273A2C-E5A1-4605-92DD-EBECC7F051D5"}, {"criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:12.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E60CA151-1C3A-45B3-B939-E6F80063C595"}, {"criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:12.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58BAD5A9-9C67-4056-9344-07C8C42C8E88"}], "operator": "OR"}]}], "sourceIdentifier": "f5sirt@f5.com"}