F5OS-A FIPS HSM Vulnerability on rSeries Systems

Vulnerability

A vulnerability in F5OS-A software allows a highly privileged authenticated attacker to access sensitive information from the FIPS hardware security module (HSM) on F5 rSeries systems. This issue is present in F5OS-A versions 1.5.1 through 1.5.2 and 1.8.0, and it affects F5 rSeries r5920-DF (C136) and r10920-DF (C137) systems. The vulnerability arises because the attacker can read process information during a brief time window, exposing sensitive HSM data. This is a control plane issue, with no data plane exposure.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive FIPS HSM information, potentially allowing a highly privileged authenticated attacker to misuse this data.

Remediation

Users can upgrade to F5OS-A version 1.8.3 or 1.5.3 to address this vulnerability. For more information about F5 product releases, refer to the F5 product and services lifecycle policy index.

Added: Oct 15, 2025, 4:32 PM
Updated: Oct 15, 2025, 4:32 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.5
exploitability: 2.6
remediation: 7.7
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.