CVE-2019-6607 in BIG-IP ASM
Summary
by MITRE
On BIG-IP ASM 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3, 13.0.0-13.1.1.3, and 14.0.0-14.0.0.2, there is a stored cross-site scripting vulnerability in an ASM violation viewed in the Configuration utility. In the worst case, an attacker can store a CSRF which results in code execution as the admin user.
Analysis
by VulDB Data Team • 08/17/2023
The vulnerability described in CVE-2019-6607 represents a critical stored cross-site scripting flaw within F5 BIG-IP Application Security Manager (ASM) across multiple version ranges including 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3, 13.0.0-13.1.1.3, and 14.0.0-14.0.0.2. This vulnerability exists within the ASM violation viewing functionality of the Configuration utility, making it particularly dangerous as it affects the administrative interface where security policies and configurations are managed. The flaw allows attackers to inject malicious scripts into the system that persist in the violation records, creating a stored XSS condition that can be triggered whenever administrators view these records.
The root cause is inadequate input validation and, above all, missing output encoding in the ASM violation display mechanism. ASM records the request data that triggered a violation, so an unauthenticated client can place attacker-controlled strings into a violation record simply by sending a request that the policy blocks. When an administrator later opens the Configuration utility to review that violation, the stored data is written into the page without being sanitized or HTML-escaped, so any markup it contains executes in the context of the administrator's browser session, bypassing the normal separation between untrusted request data and the management interface. The affected surface is the web interface used to manage application security policies, where violation details are shown to authenticated users.
The operational impact of this vulnerability is severe and can result in complete system compromise when exploited successfully. An attacker who can inject malicious content into violation records can potentially execute arbitrary code with the privileges of the administrative user, leading to full system takeover. The stored nature of the vulnerability means that the malicious payload remains persistent even after the initial injection, allowing attackers to maintain access over extended periods. This particular flaw is especially concerning because it targets the configuration utility where administrators spend significant time managing security policies, making it a prime target for privilege escalation attacks.
The vulnerability is classified under CWE-79 (cross-site scripting). Its exploitation maps to ATT&CK technique T1059.007 (command and scripting interpreter), since a successful attack results in script execution in the administrator's session and, in the worst case, code execution on the appliance. It also reflects ATT&CK technique T1078.004 (valid accounts), because the attacker ends up operating with administrative rights. The threat model is that an attacker with minimal or no privileges on the device can obtain administrative access, which is particularly dangerous where many users have access to the configuration interface. Organizations should apply the vendor patches and, in the meantime, use network segmentation and access controls to limit who can reach the Configuration utility.
Mitigation should combine immediate patching of affected BIG-IP versions, network access controls that restrict access to the Configuration utility, and monitoring of stored violation records for entries that contain script or HTML markup. Organizations may also use web application firewalls in front of the management interface to detect and block script injection attempts, and should conduct regular security assessments to identify exposure. The vulnerability is a reminder that management interfaces need the same output encoding discipline as any other user-facing application, and that stored data of attacker origin must be treated as untrusted every time it is rendered.
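The following is an added example, not code from the VulDB page or from F5, illustrating the two points made above: a violation viewer that concatenates stored request data into HTML is exploitable, the same viewer with HTML escaping at output time is not, and a simple scan of stored records can surface entries that carry active markup. The `ViolationRecord` layout, the field names, and all sample records are constructed for the example and are not BIG-IP ASM's real schema or log format.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class ViolationRecord:
    """Constructed stand-in for a stored ASM violation (assumed fields, not F5's schema)."""
    record_id: int
    client_ip: str
    violation: str
    parameter_name: str
    parameter_value: str  # request data copied from the blocked request, attacker-controlled


# Constructed sample records: one benign, two carrying markup that a viewer must not render raw.
SAMPLE_RECORDS = [
    ViolationRecord(1, "203.0.113.10", "Illegal parameter", "user", "alice"),
    ViolationRecord(2, "203.0.113.25", "Attack signature detected", "q",
                    '<script>document.title="stored-xss"</script>'),
    ViolationRecord(3, "203.0.113.31", "Illegal parameter", "cb",
                    '"><img src=x onerror="alert(1)">'),
]

# Tags that, if they appear unescaped in rendered output, mean untrusted data became markup.
_TAG_INJECTION = re.compile(r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b", re.I)

# Broader heuristic for scanning stored records: tag names, inline event handlers, javascript: URLs.
_SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:", re.I)


def render_row_unsafe(rec: ViolationRecord) -> str:
    """Vulnerable pattern: stored request data is concatenated into HTML verbatim."""
    return "<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>".format(
        rec.client_ip, rec.violation, rec.parameter_name, rec.parameter_value)


def render_row_safe(rec: ViolationRecord) -> str:
    """Hardened pattern: every field is HTML-escaped when it is written into the page."""
    cells = (rec.client_ip, rec.violation, rec.parameter_name, rec.parameter_value)
    return "<tr>" + "".join(
        "<td>{}</td>".format(html.escape(c, quote=True)) for c in cells) + "</tr>"


def contains_tag_injection(rendered_html: str) -> bool:
    """True if rendered output contains a raw tag that only untrusted data could have supplied."""
    return _TAG_INJECTION.search(rendered_html) is not None


def flag_suspicious(records) -> list:
    """Monitoring check: ids of stored records whose request data carries active-content markup."""
    return [r.record_id for r in records
            if _SUSPICIOUS.search(r.parameter_value) or _SUSPICIOUS.search(r.parameter_name)]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print("unsafe:", render_row_unsafe(rec))
        print("safe:  ", render_row_safe(rec))
    print("flagged record ids:", flag_suspicious(SAMPLE_RECORDS))
```

Escaping at output time is the fix, not filtering at storage time: a violation log exists precisely to keep the offending request data intact, so the viewer must treat it as text, never as markup. The record scan is a monitoring aid for the interim period before patching; it reports records worth inspecting and does not alter them.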