CVE-2019-6592 - Improper Certificate Validation

Severity

64%

Complexity

99%

Confidentiality

81%

On BIG-IP 14.1.0-14.1.0.1, TMM may restart and produce a core file when validating SSL certificates in client SSL or server SSL profiles.

On BIG-IP 14.1.0-14.1.0.1, TMM may restart and produce a core file when validating SSL certificates in client SSL or server SSL profiles.

CVSS 3.0 Base Score 9.1. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

CVSS 2.0 Base Score 6.4. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P).

Demo Examples

Improper Certificate Validation

CWE-295

This code checks the certificate of a connected peer.


               

                  
foo=SSL_get_verify_result(ssl);

                     

                           // certificate looks good, host can be trusted

In this case, because the certificate is self-signed, there was no external authority that could prove the identity of the host. The program could be communicating with a different system that is spoofing the host, e.g. by poisoning the DNS cache or using a MITM attack to modify the traffic from server to client.

Improper Certificate Validation

CWE-295

The following OpenSSL code obtains a certificate and verifies it.


               
}

                     

                           // do secret things

Even though the "verify" step returns X509_V_OK, this step does not include checking the Common Name against the name of the host. That is, there is no guarantee that the certificate is for the desired host. The SSL connection could have been established with a malicious host that provided a valid certificate.

Improper Certificate Validation

CWE-295

The following OpenSSL code ensures that there is a certificate and allows the use of expired certificates.


               

                  

                     

                        

                           

                                 //do stuff

If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, this means that the certificate has expired. As time goes on, there is an increasing chance for attackers to compromise the certificate.

Improper Certificate Validation

CWE-295

The following OpenSSL code ensures that there is a certificate before continuing execution.


               

                  

                     

                           // got a certificate, do secret things

Because this code does not use SSL_get_verify_results() to check the certificate, it could accept certificates that have been revoked (X509_V_ERR_CERT_REVOKED). The software could be communicating with a malicious host.

Improper Certificate Validation

CWE-295

The following OpenSSL code ensures that the host has a certificate.


               
}

                     

                           // got certificate, host can be trusted//foo=SSL_get_verify_result(ssl);//if (X509_V_OK==foo) ...

Note that the code does not call SSL_get_verify_result(ssl), which effectively disables the validation step that checks the certificate.

Overview

Type

F5

First reported 5 years ago

2019-02-26 15:29:00

Last updated 5 years ago

2019-02-28 15:32:00

Affected Software

F5 Big-IP Access Policy Manager (APM)

F5 Networks Big-IP Local Traffic Manager (LTM)

F5 Big-IP Advanced Firewall Manager (AFM)

F5 Big-IP Analytics

F5 Big-IP Application Security Manager (ASM)

F5 Big-IP Domain Name System (DNS)

F5 Big-IP Edge Gateway

F5 Big-IP Fraud Protection Service (FPS)

F5 Big-IP Global Traffic Manager (GTM)

F5 Big-IP Link Controller

F5 Big-IP Policy Enforcement Manager (PEM)

F5 Big-IP WebAccelerator

References

107176

Third Party Advisory, VDB Entry

https://support.f5.com/csp/article/K54167061

Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.