CVE-2017-6165 in BIG-IP
Summary
by MITRE
In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM, and WebSafe 11.5.1 HF6 through 11.5.4 HF4, 11.6.0 through 11.6.1 HF1, and 12.0.0 through 12.1.2 on VIPRION platforms only, the script which synchronizes SafeNet External Network HSM configuration elements between blades in a clustered deployment will log the HSM partition password in cleartext to the "/var/log/ltm" log file.
Analysis
by VulDB Data Team • 01/19/2021
The vulnerability described in CVE-2017-6165 represents a critical security flaw within F5 BIG-IP systems that affects multiple modules, including Local Traffic Manager, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM, and WebSafe. This issue specifically impacts versions ranging from 11.5.1 HF6 through 11.5.4 HF4, 11.6.0 through 11.6.1 HF1, and 12.0.0 through 12.1.2 when deployed on VIPRION platforms. The vulnerability stems from improper handling of sensitive information during the synchronization process between clustered blades in high availability configurations.
The technical flaw manifests in the form of cleartext logging of the SafeNet External Network HSM partition password within the system's log files. This occurs during the automated script execution that manages synchronization of HSM configuration elements across multiple blades in a clustered environment. The script fails to properly sanitize or encrypt sensitive authentication credentials before writing them to the designated log file path at /var/log/ltm. This represents a direct violation of security best practices and creates an information disclosure vulnerability that exposes cryptographic keys and authentication mechanisms to unauthorized parties.
The operational impact of this vulnerability is severe as it compromises the fundamental security posture of F5 BIG-IP deployments that utilize HSMs for cryptographic operations. When the HSM partition password is logged in cleartext, any individual with access to the system's log files or the ability to read the /var/log/ltm log file can extract this sensitive information. This exposure enables attackers to gain unauthorized access to the HSM partitions and potentially compromise all cryptographic operations protected by these security modules. The vulnerability affects clustered deployments where multiple blades work together to provide high availability and redundancy, making it particularly dangerous in production environments where security is paramount. This flaw directly aligns with CWE-312 Cleartext Storage of Sensitive Information and represents a significant weakness in the principle of least privilege and secure credential handling.
Organizations affected by this vulnerability should immediately implement mitigations, including restricting access to the /var/log/ltm log file through file system permissions and access controls. System administrators should also consider implementing log rotation and monitoring policies to detect unauthorized access attempts to sensitive log files. The most effective long-term solution involves applying the vendor-provided security patches and updates that address the root cause by ensuring that sensitive information is properly encrypted or redacted before logging. Additionally, implementing network segmentation and privilege separation can help limit the impact of potential exploitation. This vulnerability demonstrates the importance of secure logging practices and proper credential management in enterprise security infrastructure, as outlined in various security frameworks and ATT&CK techniques related to credential access and privilege escalation.
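
The file-permission mitigation described above, as an added example that is not part of the original advisory or of F5's tooling: it lists the live log and its rotated copies that group or other can read, then removes that access. The rotated-copy naming (ltm.1, ltm.2.gz) and the function names are assumptions, and the demo runs only on a constructed temporary directory.

```shell
#!/bin/sh
# Added example, not F5 code. Assumption: rotated copies sit next to the
# live file and are named <base>.<suffix>, e.g. ltm.1 or ltm.2.gz.

# _log_copies DIR BASE [find-expr...]: select the live log and its rotated
# copies in DIR, then apply any extra find(1) expression passed after BASE.
_log_copies() {
    _dir=$1; _base=$2; shift 2
    find "$_dir" -maxdepth 1 -type f \
        \( -name "$_base" -o -name "$_base.*" \) "$@"
}

# audit_log_perms DIR BASE: print "PERMS PATH" for each copy that group or
# other can read; print nothing when every copy is owner-only.
audit_log_perms() {
    _log_copies "$1" "$2" \( -perm -040 -o -perm -004 \) -exec ls -ld {} + |
        awk '{print $1, $NF}' | sort -k2
}

# tighten_log_perms DIR BASE: remove all group/other access on every copy,
# including rotated ones that may still hold older cleartext entries.
tighten_log_perms() {
    _log_copies "$1" "$2" -exec chmod go-rwx {} +
}

# Demonstration on a constructed directory (never touches /var/log).
demo() {
    demo_dir=$(mktemp -d)
    : > "$demo_dir/ltm";      chmod 644 "$demo_dir/ltm"       # world-readable
    : > "$demo_dir/ltm.1";    chmod 640 "$demo_dir/ltm.1"     # group-readable
    : > "$demo_dir/ltm.2.gz"; chmod 600 "$demo_dir/ltm.2.gz"  # owner-only
    : > "$demo_dir/messages"; chmod 644 "$demo_dir/messages"  # unrelated file
    echo "exposed before:"
    audit_log_perms "$demo_dir" ltm
    tighten_log_perms "$demo_dir" ltm
    echo "exposed after: $(audit_log_perms "$demo_dir" ltm | wc -l)"
    rm -rf "$demo_dir"
}
demo
```

On a system with the log at the path named in the summary, the equivalent call is audit_log_perms /var/log ltm, run with enough privilege to read and change the file modes.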