CVE-2019-19150 in BIG-IP APM

Summary

by MITRE

On versions 15.0.0-15.0.1.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, the BIG-IP APM system logs the client-session-id when a per-session policy is attached to the virtual server with debug logging enabled.


Analysis

by VulDB Data Team • 03/16/2024

The vulnerability identified as CVE-2019-19150 affects F5 BIG-IP Application Visibility and Management (APM) systems across multiple version ranges including 15.0.0-15.0.1.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1. This issue represents a significant security flaw in the system's logging mechanisms that could expose sensitive session information to unauthorized parties. The vulnerability specifically manifests when debug logging is enabled on virtual servers that have per-session policies attached, creating an unintended data exposure channel that violates fundamental security principles of information hiding and access control.

The technical flaw stems from the improper handling of session identifiers within the BIG-IP APM system's logging infrastructure. When debug logging is enabled and a per-session policy is active on a virtual server, the system inadvertently includes the client-session-id in its log output. This creates a direct exposure of session-specific identifiers that should remain confidential and protected from unauthorized access. The vulnerability is classified under CWE-200 as "Information Exposure" and more specifically relates to CWE-312 as "Sensitive Information Exposure" since it exposes session identifiers that could be used for session hijacking or other malicious activities. The flaw exists at the application level within the logging subsystem where session context information is not properly sanitized before being written to log files.

The operational impact of this vulnerability extends beyond simple information disclosure, as the exposed client-session-id can be leveraged by attackers to perform session hijacking attacks or gain unauthorized access to user sessions. This vulnerability directly aligns with ATT&CK technique T1563.002 "Access Token Manipulation" and T1078 "Valid Accounts" as it could enable attackers to impersonate legitimate users by leveraging the exposed session identifiers. Organizations running affected BIG-IP systems face potential compromise of user sessions, unauthorized access to protected resources, and possible data breaches. The exposure occurs in a production environment where debug logging is enabled, which is often used for troubleshooting purposes but creates a persistent security risk when session identifiers are logged without proper sanitization.

Mitigation of CVE-2019-19150 should combine immediate operational changes with longer-term architectural improvements. Organizations should disable debug logging on production systems where per-session policies are in use; this is the most direct and effective way to prevent the vulnerability from being exploited. System administrators should also implement log sanitization procedures that automatically filter session identifiers and other sensitive information out of log files. The principle of least privilege should be applied to logging itself: debug logging should be enabled only temporarily for troubleshooting and disabled immediately afterward. Organizations should also consider log monitoring and alerting that can detect unusual patterns in log files which might indicate session identifier exposure. Compliance with NIST SP 800-53 controls such as SI-7 (Security Notifications) and CM-6 (Configuration Settings) should be enforced to ensure proper logging practices are maintained. Regular vulnerability assessments and penetration testing should be conducted to identify similar logging vulnerabilities across the entire BIG-IP infrastructure and other network components.
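As an added example (not VulDB's or F5's code), the following Python scanner implements the log-monitoring and log-sanitization steps described above: it flags every line in which a client-session-id value has been written to a log and produces a redacted copy for retention or forwarding. The sample log lines and the `client-session-id=<hex>` field syntax are constructed assumptions for illustration, not the real BIG-IP APM log format.

```python
import re
from typing import Dict, List, Tuple

# Assumption: the identifier appears as "client-session-id=<hex>" or
# "client-session-id: <hex>" in a syslog-style line. The real APM debug
# format is not reproduced here; the key name and value shape are assumed.
SESSION_ID_RE = re.compile(
    r"(client[-_]session[-_]id\s*[=:]\s*)([0-9a-fA-F]{8,})"
)

# Constructed sample log; message ids, hostnames and values are made up.
SAMPLE_LOG = """\
Nov 21 10:15:02 bigip1 apmd[1234]: 7: /Common/vs_portal: per-session policy start client-session-id=8f3a9c2e1b7d4e6f
Nov 21 10:15:03 bigip1 apmd[1234]: 5: /Common/vs_portal: access policy result: allow
Nov 21 10:15:05 bigip1 apmd[1234]: 7: /Common/vs_portal: session refresh client-session-id: 8f3a9c2e1b7d4e6f
Nov 21 10:16:10 bigip1 sshd[99]: Accepted publickey for admin from 10.0.0.5
"""


def find_exposed_session_ids(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, session_id) for every leaked identifier."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in SESSION_ID_RE.finditer(line):
            hits.append((lineno, match.group(2)))
    return hits


def redact_session_ids(log_text: str) -> str:
    """Replace leaked values with a marker but keep the field name, so an
    analyst can still see that the field was logged."""
    return SESSION_ID_RE.sub(r"\g<1>[REDACTED]", log_text)


def summarize(log_text: str) -> Dict[str, object]:
    """Alerting summary: which lines leaked ids, how many distinct ids,
    plus the sanitized log text."""
    hits = find_exposed_session_ids(log_text)
    return {
        "lines_with_session_id": sorted({ln for ln, _ in hits}),
        "distinct_ids": len({sid for _, sid in hits}),
        "redacted": redact_session_ids(log_text),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("leaking lines:", report["lines_with_session_id"])
    print("distinct ids:", report["distinct_ids"])
    print(report["redacted"])
```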

Reservation

11/21/2019

Moderation

accepted

CPE

ready

EPSS

0.00828

KEV

no

Activities

very low
