Vulnerability

CERT-In Vulnerability Note CIVN-2025-0035
Multiple Vulnerabilities F5 Products

Original Issue Date:February 27, 2025

Severity Rating: HIGH

Software Affected

BIG-IP Next (all modules)
BIG-IP Next Central Manager
BIG-IP Next SPK
BIG-IP Next CNF
BIG-IP 15.x, 16.x, 17.x
BIG-IQ Centralized Management 8.x
F5 Distributed Cloud (all services)
F5 Silverline (all services)
NGINX One Console
F5OS-A
F5OS-C
NGINX (all products)
Traffix SDC

Overview

Multiple Vulnerabilities have been reported in F5 Products. An attacker could exploit these vulnerabilities to execute arbitrary commands or denial of service, buffer overflows, session hijacking, and improper memory management on targeted device.

Target Audience:
Enterprise IT Departments, Network Administrators and Security Professionals, Cloud and DevOps Teams, Web Application Developers, Service Providers and Managed Service Providers, Security Operations Teams, CIOs and IT Leaders.

Risk Assessment:
Critical risks on confidentiality, integrity, and availability of the systems.

Impact Assessment:
Unauthorized access to sensitive information, compromise of integrity and confidentiality.

Description

F5 primarily focuses on ensuring that applications are secure, high-performing, and available. They provide a range of products and services designed to optimize the delivery of applications across the internet and private networks, addressing performance, security, and scalability concerns.

1. Denial of services Vulnerability in zlib ( CVE-2016-9840   CVE-2016-9841   )

These vulnerabilities exist in inffast.c file of zlib 1.2.8 due to improper pointer arithmetic. A context-dependent attacker could exploit these vulnerabilities arithmetic to trigger undefined behaviour.
Successfully exploitation of these vulnerabilities could allow an attacker to execute arbitrary Code or leading to a denial of service on the targeted system.

2. Session Fixation Vulnerability in Apache Tomcat ( CVE-2019-17563   )

This vulnerability allows an attacker by using the FORM authentication function to hijack the session once the user logs in, gaining access to their authenticated session without needing the correct credentials. This could potentially lead to unauthorized access to sensitive information or actions performed by the user.

3. Denial of service Vulnerability in MiniZip ( CVE-2023-45853   )

This vulnerability exists in the MiniZip component of zlib version 1.3 involves an integer overflow and a heap-based buffer overflow. It occurs specifically in the function zipOpenNewFileInZip4_64 when processing long filenames, comments, or extra fields.
Successfully exploitation of this vulnerability could allow an attacker to execute arbitrary Code or leading to a denial of service on the targeted system.

4. Denial of service Vulnerability in Tcpdump ( CVE-2020-8037   )

This vulnerability exists in Tcpdump due to memory management error in ppp decapsulator. An attacker could exploit this vulnerability to convince tcpdump to allocate a large amount of memory, which can lead to various issues, such as resource exhaustion, potentially denial of service (DoS), and in some cases, memory corruption.

Solution

Apply appropriate security updates as mentioned in:
https://my.f5.com/manage/s/article/K000149905

https://my.f5.com/manage/s/article/K24551552

https://my.f5.com/manage/s/article/K000149884

https://my.f5.com/manage/s/article/K000149929

https://my.f5.com/manage/s/article/K000149915

Vendor Information

F5
https://my.f5.com/manage/s/article/K000149905
https://my.f5.com/manage/s/article/K24551552
https://my.f5.com/manage/s/article/K000149884
https://my.f5.com/manage/s/article/K000149929
https://my.f5.com/manage/s/article/K000149915

References

CVE Name
CVE-2016-9840
CVE-2016-9841
CVE-2019-17563
CVE-2023-45853
CVE-2020-8037

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-22902657

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India