CVE-2017-6145 in BIG-IP

Summary

by MITRE

iControl REST in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe 12.0.0 through 12.1.2 and 13.0.0 includes a service to convert authorization BIGIPAuthCookie cookies to X-F5-Auth-Token tokens. This service does not properly re-validate cookies when making that conversion, allowing once-valid but now expired cookies to be converted to valid tokens.


Analysis

by VulDB Data Team • 01/04/2023

The vulnerability identified as CVE-2017-6145 affects F5 BIG-IP systems across multiple modules, including Local Traffic Manager (LTM), AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM and WebSafe, in versions 12.0.0 through 12.1.2 and 13.0.0. The issue resides in the iControl REST service that converts a BIGIPAuthCookie authorization cookie into an X-F5-Auth-Token. The flaw is an authentication bypass: the conversion service does not re-validate the cookie before converting it, so a cookie that was once valid but has since expired is still exchanged for a valid token. The weakness is classified as CWE-287 (Improper Authentication) and maps to ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing). The affected component is specifically the bridge between the legacy cookie-based web session and the token-based authentication used by the REST API on the F5 BIG-IP platform.

Technically, the conversion service performs an authenticity check on the cookie but not a validity check. When an attacker presents an expired BIGIPAuthCookie to the conversion endpoint, the service accepts it without confirming that the underlying session is still live and issues a new X-F5-Auth-Token carrying the same privileges the original session had. Because the check stops at the cookie value and never consults the session's expiry or revocation state, a cookie that should be dead can be turned into fresh credentials again, and repeatedly, for as long as the attacker holds a copy of it. The flaw sits at the authentication layer and needs no exploit chain or memory corruption: a single request with a stale cookie is enough. In effect, the conversion service refreshes credentials that every other part of the system would already have rejected.
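The following model illustrates the difference between checking that a cookie is authentic and checking that it is still valid. It is an added example written for this page, not F5's iControl REST code; the cookie layout (session id plus HMAC), the session store, the lifetimes and the method names are all assumptions made for the demonstration. The vulnerable conversion verifies only the signature and the existence of a session; the hardened one also refuses expired and revoked sessions.

```python
"""Model of a cookie-to-token conversion service with and without re-validation.
Illustrative code only: the cookie format, lifetimes and APIs are assumptions,
not F5's implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SECRET = b"constructed-server-secret"   # assumption: server-side HMAC key
COOKIE_LIFETIME = 20 * 60               # assumption: 20-minute web session
TOKEN_LIFETIME = 20 * 60                # assumption: 20-minute REST token


@dataclass
class Session:
    user: str
    issued_at: float
    revoked: bool = False


class AuthService:
    def __init__(self):
        self.sessions = {}   # session id -> Session (expired entries are kept, as a real store might)
        self.tokens = {}     # token -> (user, expiry time)

    def _sign(self, sid):
        return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()

    def login(self, user, now):
        """Create a web session and return a BIGIPAuthCookie-style value (assumed format)."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user, now)
        return f"{sid}.{self._sign(sid)}"

    def logout(self, cookie):
        self.sessions[self._parse_cookie(cookie)].revoked = True

    def _parse_cookie(self, cookie):
        """Authenticity check only: the cookie was minted by this server."""
        sid, _, sig = cookie.partition(".")
        if not hmac.compare_digest(sig, self._sign(sid)):
            raise PermissionError("bad cookie signature")
        return sid

    def _issue_token(self, user, now):
        tok = secrets.token_hex(16)
        self.tokens[tok] = (user, now + TOKEN_LIFETIME)
        return tok

    def convert_vulnerable(self, cookie, now):
        """Mirrors the flaw: a genuine cookie for a known session is enough,
        no matter whether that session is expired or revoked."""
        sess = self.sessions[self._parse_cookie(cookie)]
        return self._issue_token(sess.user, now)

    def convert_fixed(self, cookie, now):
        """Re-validates the session behind the cookie before issuing a token."""
        sess = self.sessions.get(self._parse_cookie(cookie))
        if sess is None or sess.revoked:
            raise PermissionError("session revoked or unknown")
        if now - sess.issued_at > COOKIE_LIFETIME:
            raise PermissionError("cookie expired")
        return self._issue_token(sess.user, now)


def _accepts(fn, cookie, now):
    try:
        return fn(cookie, now) is not None
    except PermissionError:
        return False


def demo():
    """Exercise both conversion paths with fresh, expired, revoked and forged cookies."""
    svc = AuthService()
    t0 = 1_000_000.0
    cookie = svc.login("admin", t0)
    stale = t0 + COOKIE_LIFETIME + 60          # one minute past expiry
    forged = "deadbeef." + "0" * 64            # right shape, wrong signature
    revoked_cookie = svc.login("admin", t0)
    svc.logout(revoked_cookie)
    return {
        "vulnerable_accepts_expired": _accepts(svc.convert_vulnerable, cookie, stale),
        "vulnerable_accepts_revoked": _accepts(svc.convert_vulnerable, revoked_cookie, t0 + 10),
        "vulnerable_accepts_forged": _accepts(svc.convert_vulnerable, forged, stale),
        "fixed_accepts_fresh": _accepts(svc.convert_fixed, cookie, t0 + 10),
        "fixed_accepts_expired": _accepts(svc.convert_fixed, cookie, stale),
        "fixed_accepts_revoked": _accepts(svc.convert_fixed, revoked_cookie, t0 + 10),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The forged-cookie case is included to make the point precise: the vulnerable path is not accepting arbitrary cookies, it is accepting genuine ones past their useful life. That is why the fix belongs at the exchange point, where expiry and revocation state must be consulted, and not in the signature check.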

The operational impact extends well beyond a single unauthorized request. An X-F5-Auth-Token obtained this way drives the iControl REST API, which exposes administrative operations such as configuration changes, traffic redirection and access to sensitive system information, so the outcome can be full compromise of the device and of the traffic it handles. The precondition is that the attacker already holds a BIGIPAuthCookie value that was valid at some point, for example one captured from a browser session or from traffic or logs that recorded it; no other credential is needed, and the attack is carried out remotely against the management interface. Detection is hard because a converted token is indistinguishable from a legitimately issued one. Every BIG-IP module that relies on the iControl REST service is affected, so the attack surface spans application delivery, firewall management and analytics. The weakness defeats a basic session-management control, since session expiry exists precisely to bound the window in which a leaked credential remains useful, and a foothold on a BIG-IP device is a strong position for lateral movement into the networks it fronts.

Mitigation starts with upgrading affected BIG-IP versions to a release in which F5 has fixed the issue (the F5 security advisory lists the exact versions). Management-plane access should be segmented and restricted to trusted administrative networks, which limits who can reach the conversion endpoint at all. Multi-factor authentication for administrative accounts and short session lifetimes reduce the value of a captured cookie, although neither closes the flaw itself. Monitoring should watch the iControl REST service for anomalous token conversions, for example a conversion long after the matching login, a conversion after a logout, or a conversion from a source address other than the one that logged in; the converted token looks legitimate, so the conversion event is the place to look. Audits of BIG-IP configurations should identify and disable unneeded services and modules that expose the management plane, and regular assessments should test for this class of authentication bypass. More generally, any service that exchanges one credential for another must re-check the validity, expiry and revocation state of the credential it is given, not merely its authenticity; the defect here is that token lifecycle management was bypassed at exactly that exchange point.
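As an added example of the monitoring suggested above (not an F5 log format or tool), the following detector correlates login, logout and cookie-to-token conversion events and flags conversions that happen after the assumed cookie lifetime, after a logout, or from a different source address than the login. The audit lines, field names, event names and the 20-minute lifetime are all constructed for this illustration.

```python
"""Detection sketch for stale-cookie-to-token conversions.
Added example: the log lines, field names, event names and lifetime below are
constructed assumptions, not an F5 log format."""
import re
from datetime import datetime, timedelta

COOKIE_LIFETIME = timedelta(minutes=20)   # assumed web-session lifetime

# Assumed audit-line layout: "<ts> AUDIT user=<u> session=<id> event=<e> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) AUDIT user=(?P<user>\S+) session=(?P<sid>\S+) "
    r"event=(?P<event>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log covering the three suspicious patterns plus a benign one.
SAMPLE_LOG = """\
2017-10-20T10:00:00Z AUDIT user=admin session=s1 event=login src=10.0.0.5
2017-10-20T10:05:00Z AUDIT user=admin session=s1 event=cookie_to_token src=10.0.0.5
2017-10-20T11:30:00Z AUDIT user=admin session=s1 event=cookie_to_token src=203.0.113.9
2017-10-20T10:10:00Z AUDIT user=ops session=s2 event=login src=10.0.0.7
2017-10-20T10:12:00Z AUDIT user=ops session=s2 event=logout src=10.0.0.7
2017-10-20T10:15:00Z AUDIT user=ops session=s2 event=cookie_to_token src=10.0.0.7
2017-10-20T10:20:00Z AUDIT user=bob session=s3 event=cookie_to_token src=10.0.0.8
"""


def parse(log_text):
    """Yield one dict per well-formed audit line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def find_suspicious_conversions(log_text, lifetime=COOKIE_LIFETIME):
    """Return (session id, timestamp, reason) for each conversion that looks stale.

    Events are processed in time order so that a logout seen before a conversion
    is taken into account even if the lines arrived out of order.
    """
    logins, logouts, findings = {}, {}, []
    for ev in sorted(parse(log_text), key=lambda e: e["ts"]):
        sid = ev["sid"]
        if ev["event"] == "login":
            logins[sid] = ev
        elif ev["event"] == "logout":
            logouts[sid] = ev
        elif ev["event"] == "cookie_to_token":
            login = logins.get(sid)
            if login is None:
                findings.append((sid, ev["ts"], "no login seen for session"))
                continue
            reasons = []
            if ev["ts"] - login["ts"] > lifetime:
                reasons.append("cookie older than lifetime")
            if sid in logouts and ev["ts"] > logouts[sid]["ts"]:
                reasons.append("conversion after logout")
            if ev["src"] != login["src"]:
                reasons.append("source differs from login")
            if reasons:
                findings.append((sid, ev["ts"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for sid, ts, reason in find_suspicious_conversions(SAMPLE_LOG):
        print(f"{ts.isoformat()} session={sid}: {reason}")
```

On a real deployment the lifetime must match the configured web-session timeout, and the "no login seen" case will fire for sessions whose login fell outside the log window, so that rule is best used for enrichment rather than paging. The age and after-logout rules are the ones that correspond directly to the cookie states this vulnerability lets through.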

Reservation

02/21/2017

Disclosure

10/20/2017

Moderation

accepted

CPE

ready

EPSS

0.00365

KEV

no

Activities

very low
