BIG-IP Configuration Utility Vulnerability Allowing Unauthenticated Access to Static Information
Vulnerability
A vulnerability exists in the BIG-IP system's Configuration utility, where undisclosed endpoints containing static, non-sensitive information are accessible to unauthenticated remote attackers. This issue affects BIG-IP versions 15.1.0 through 15.1.10, 16.1.0 through 16.1.6, and 17.1.0 through 17.1.2. The vulnerability arises from improper access controls: the affected endpoints are reachable through the management port or through self IP addresses. Note that there is no data plane exposure; this is a control plane issue only.
Impact
Exploitation of this vulnerability could lead to unauthorized access to non-sensitive static information via the Configuration utility, potentially allowing attackers to gather information that could be useful for further attacks or exploitation.
Remediation
Users can block access to the Configuration utility through self IP addresses by changing the Port Lockdown setting to Allow None for each self IP address. If access through the management interface is necessary, it should be restricted to trusted users and devices over a secure network.
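As an added example (not part of this advisory or of F5's own tooling), the POSIX shell audit below parses the text that tmsh prints for "list net self" and reports every self IP whose Port Lockdown is not Allow None, then prints the matching tmsh remediation command for each. The self IP names, addresses and the sample tmsh output are constructed; the command form "tmsh modify net self <name> allow-service none" is assumed to be the CLI equivalent of the Allow None setting described above.

```shell
#!/bin/sh
# Audit BIG-IP self IPs for a Port Lockdown setting other than "Allow None".
# Constructed sample of `tmsh list net self` output (hypothetical names/addresses).
SAMPLE_SELF_IPS='net self self_internal {
    address 10.1.20.5/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan internal
}
net self self_external {
    address 203.0.113.10/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan external
}
net self self_ha {
    address 10.1.30.5/24
    allow-service {
        tcp:443
        udp:1026
    }
    traffic-group traffic-group-local-only
    vlan ha
}'

# Read tmsh "list net self" text on stdin; print the name of each self IP
# whose allow-service is anything but "none" (i.e. Port Lockdown is open).
open_self_ips() {
    awk '
        /^net self /            { name = $3; svc = "" }
        /allow-service none/    { svc = "none" }
        /^}/                    { if (name != "" && svc != "none") print name; name = "" }
    '
}

# Turn the audit result into remediation commands (printed, not executed,
# so an operator can review them before applying on a live unit).
lockdown_commands() {
    open_self_ips | sed 's/^/tmsh modify net self /; s/$/ allow-service none/'
}

# Stand-alone run against the constructed sample; on a real unit replace the
# printf with: tmsh list net self | lockdown_commands
printf '%s\n' "$SAMPLE_SELF_IPS" | lockdown_commands
```

Only self IPs that are not already locked down are listed, so an empty result means every self IP already has Allow None.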
