CVE-2023-3470Use of Weak Credentials in F5 Big-ip Access Policy Manager

CWE-1391Use of Weak CredentialsCWE-287Improper AuthenticationCWE-521Weak Password Requirements4 documents4 sources
Severity
6.1MEDIUMNVD
CNA6.0
EPSS
0.1%
top 78.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
20
F5 Big-ipF5 Big-ip Access Policy ManagerF5 Big-ip Advanced Firewall Manager+17 more
Timeline
PublishedAug 2

Description

Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account. The predictable nature of the password allows an authenticated user with TMSH access to the BIG-IP system, or anyone with physical access to the FIPS HSM, the information required to generate the correct password. On vCMP systems, all Guests share the same deterministic password, allowing those with TMSH access on one Guest to access keys of a different Guest. The follow

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 0.9 | Impact: 5.2

Affected Packages20 packages

NVDf5/big-ip_access_policy_manager13.1.013.1.4+2
NVDf5/big-ip_domain_name_system13.1.013.1.4+2
CVEListV5f5/big-ip15.1.015.1.1+2
NVDf5/big-ip_websafe13.1.013.1.4+2
NVDf5/big-ip_analytics13.1.013.1.4+2

🔴Vulnerability Details

2
CVEList
BIG-IP FIPS HSM password vulnerability CVE-2023-34702023-08-02
GHSA
GHSA-jfqg-q3jr-w9mv: Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account2023-08-02

📋Vendor Advisories

1
F5
CVE-2023-3470: Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User ...2023-08-02
CVE-2023-3470 — Use of Weak Credentials in F5 | cvebase