CVE-2019-6636 in BIG-IP AFM
Summary
by MITRE
On BIG-IP (AFM, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, there is a stored cross-site scripting vulnerability in the AFM feed list. In the worst case, an attacker can store a CSRF which results in code execution as the admin user. The user roles that can perform this attack are resource administrator and administrator.
Analysis
by VulDB Data Team • 10/17/2023
CVE-2019-6636 is a critical stored cross-site scripting flaw in the feed list component of F5 BIG-IP Advanced Firewall Manager (AFM). It affects BIG-IP 14.1.0 through 14.1.0.5, 14.0.0 through 14.0.0.4, 13.0.0 through 13.1.1.4, 12.1.0 through 12.1.4, and 11.5.1 through 11.6.4. The feed list is the AFM mechanism for loading address lists from external threat intelligence feeds into network access policies, which makes it a critical component of the device's security configuration. The flaw is classified under CWE-79, the weakness that arises when untrusted data is included in a web page without proper validation or output encoding.
The flaw allows an attacker to inject script into the AFM feed list through crafted input that the system stores. When that stored content is later rendered, in particular to administrators who open the feed list interface, the script executes in the context of the victim's browser session. The flaw is especially dangerous in combination with CSRF (Cross-Site Request Forgery): the stored payload runs automatically whenever an administrator interacts with the affected interface, without any further action by the attacker. Exploitation requires only the resource administrator or administrator role, so an attacker who has obtained one of those roles can use the stored XSS to escalate to the admin user and gain full administrative control over the BIG-IP system.
The operational impact of CVE-2019-6636 extends far beyond simple script execution, as it creates a potential pathway for complete system compromise. When an attacker successfully stores malicious content in the AFM feed list, they can potentially execute arbitrary code with the privileges of the administrative user, effectively providing them with complete control over the BIG-IP system's access policies, network configurations, and security settings. This vulnerability directly impacts the integrity and confidentiality of the security infrastructure, as it allows attackers to modify or disable security controls, access sensitive network data, and potentially use the compromised system as a pivot point for further attacks within the network. The vulnerability's presence in multiple versions of the BIG-IP platform means that organizations across various deployment scenarios are potentially at risk, making it a widespread concern for network security teams.
Organizations should implement immediate mitigations including applying the latest security patches released by F5 to address this vulnerability, as well as implementing network segmentation and access controls to limit the scope of potential exploitation. The ATT&CK framework categorizes this vulnerability under techniques related to privilege escalation and persistence, as attackers can use stored XSS to maintain long-term access to compromised systems. Additional defensive measures should include monitoring for suspicious activities in AFM feed management interfaces, implementing web application firewalls to detect and block malicious payloads, and conducting regular security assessments of critical network infrastructure components. The vulnerability underscores the importance of maintaining up-to-date security configurations and the need for comprehensive security monitoring to detect and respond to potential exploitation attempts against critical infrastructure components.
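The two defensive layers that address the stored-XSS pattern described above (validate on write, encode on render) are shown here as an added example; this is not F5 code, and the feed store, name/entry checks and render functions are a hypothetical stand-in for a management UI that stores feed-list entries and later lists them to an administrator.

```python
"""Stored-XSS pattern from the analysis above, modelled in Python.

Added example, not F5 code: the name/entry checks and the two render
functions are a hypothetical stand-in for a management UI that stores
feed-list entries and later lists them to an administrator.
"""
from __future__ import annotations

import html
import ipaddress
import re

# Layer 1 (write path): feed names come from a conservative allow-list.
FEED_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_valid_feed_name(name: str) -> bool:
    return bool(FEED_NAME_RE.match(name))


def normalise_entry(entry: str) -> str:
    """Accept only an IP address or CIDR block; anything else raises ValueError.
    Parsing with ipaddress also canonicalises the value, so nothing stored
    can carry markup, whatever was submitted."""
    return str(ipaddress.ip_network(entry.strip(), strict=False))


def store_feed(feeds: dict[str, list[str]], name: str, entries: list[str]) -> None:
    if not is_valid_feed_name(name):
        raise ValueError(f"rejected feed name: {name!r}")
    feeds[name] = [normalise_entry(e) for e in entries]


def render_feed_row_vulnerable(name: str, entries: list[str]) -> str:
    """Vulnerable pattern: stored values concatenated straight into HTML.
    A name stored by one privileged role runs as script in the browser of
    every administrator who later opens the feed-list page."""
    return "<tr><td>" + name + "</td><td>" + ", ".join(entries) + "</td></tr>"


def render_feed_row_fixed(name: str, entries: list[str]) -> str:
    """Layer 2 (read path): encode for the HTML context at render time.
    Kept even though store_feed validates, so a value that reached the store
    by another route (import, API, older release) still cannot execute."""
    return ("<tr><td>" + html.escape(name, quote=True) + "</td><td>"
            + html.escape(", ".join(entries), quote=True) + "</td></tr>")
```

The render-time encoding is the fix that matters for already-stored data; the write-path check is what keeps a future UI change from reintroducing the problem.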