CVE-2017-6144 in BIG-IP PEM
Summary
by MITRE
In F5 BIG-IP PEM 12.1.0 through 12.1.2 when downloading the Type Allocation Code (TAC) database file via HTTPS, the server's certificate is not verified. Attackers in a privileged network position may be able to launch a man-in-the-middle attack against these connections. TAC databases are used in BIG-IP PEM for Device Type and OS (DTOS) and Tethering detection. Customers not using BIG-IP PEM, not configuring downloads of TAC database files, or not using HTTP for that download are not affected.
Analysis
by VulDB Data Team • 01/04/2023
CVE-2017-6144 is a critical certificate-validation flaw in F5 BIG-IP PEM (Policy Enforcement Manager) versions 12.1.0 through 12.1.2 that affects the download of Type Allocation Code (TAC) database files over HTTPS. It is classified as CWE-295 (Improper Certificate Validation) in the Common Weakness Enumeration. The affected component sits in enterprise environments that rely on the BIG-IP platform for policy enforcement and device identification.
The flaw occurs when BIG-IP PEM fetches TAC database files over HTTPS without verifying the server's certificate. An attacker in a privileged network position can therefore present any certificate, complete the TLS handshake, and have the system treat the connection as genuine, which enables a man-in-the-middle attack on the download. The affected functions are Device Type and Operating System (DTOS) detection and tethering detection, both of which depend on the integrity of the TAC database for device classification and network monitoring.
The operational impact extends beyond the download itself. An attacker who intercepts and alters a TAC database download can corrupt or replace legitimate device identification data, producing false positives or false negatives in device detection and classification. Security policies that key on device type and operating system are then applied to wrong data: malicious devices may evade detection while legitimate devices are flagged as threats. Network monitoring that relies on these databases for device identification and threat analysis is undermined in the same way.
Affected organizations should upgrade to a BIG-IP PEM version that addresses the certificate verification issue, typically 12.1.3 or later. Supporting measures include network segmentation to isolate critical security infrastructure, monitoring for unusual download patterns, and ensuring that all network traffic carrying sensitive security data is both encrypted and authenticated. In ATT&CK terms, this vulnerability maps to credential access and defense evasion techniques, since a manipulated TAC database can be used to alter device identification and hide malicious activity within the network. For organizations following the MITRE ATT&CK methodology it also represents a persistence risk, because tampering with a core security infrastructure component gives an attacker a lasting foothold.
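As an added illustration of the flaw described above and of the verification the fix restores (example code written for this page, not F5's implementation and not part of the VulDB analysis), the following Go program contrasts three HTTPS clients fetching the same file: one that skips server certificate verification, one that verifies against the system root store, and one that trusts only an explicitly pinned anchor. The TAC file contents, the `serveTAC` handler and the use of Go's httptest self-signed certificate as the stand-in for a certificate no trusted CA issued are constructed assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"io"
	"net/http"
	"net/http/httptest"
)

// Constructed stand-in for a TAC database file; the real file format is not part of this example.
const tacDatabase = "TAC,Manufacturer,Model\n35332906,ExampleCorp,Model-X\n"

// serveTAC hands out the constructed file; the test server wraps it in TLS below.
func serveTAC(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, tacDatabase) }

// downloadTAC fetches the file with the given TLS client configuration.
func downloadTAC(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// vulnerableConfig mirrors CWE-295: whatever certificate the peer presents is accepted.
func vulnerableConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }
// hardenedConfig keeps chain and hostname verification on and trusts only an explicit anchor.
func hardenedConfig(anchor *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// CompareDownloads serves the file behind httptest's self-signed certificate, which stands in for
// a certificate no trusted CA issued, and reports which client configurations complete the download.
func CompareDownloads() (vulnerableAccepted, systemRootsAccepted, pinnedAccepted bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(serveTAC))
	defer srv.Close()
	_, err := downloadTAC(srv.URL, vulnerableConfig())
	vulnerableAccepted = err == nil
	_, err = downloadTAC(srv.URL, &tls.Config{MinVersion: tls.VersionTLS12}) // default verification
	systemRootsAccepted = err == nil
	body, err := downloadTAC(srv.URL, hardenedConfig(srv.Certificate()))
	pinnedAccepted = err == nil && body == tacDatabase
	return
}
```

Only the unverified client and the deliberately pinned client obtain the file; the default-verifying client refuses the connection, which is the behaviour the vulnerable BIG-IP PEM versions lacked.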