In F5 BIG-IP PEM 12.1.0 through 12.1.2 when downloading the Type Allocation Code (TAC) database file via HTTPS, the server's certificate is not verified. Attackers in a privileged network position may be able to launch a man-in-the-middle attack against these connections. TAC databases are used in BIG-IP PEM for Device Type and OS (DTOS) and Tethering detection. Customers not using BIG-IP PEM, not configuring downloads of TAC database files, or not using HTTP for that download are not affected.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2024-09-17T00:40:56.361Z

Reserved: 2017-02-21T00:00:00

Link: CVE-2017-6144

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2017-10-20T15:29:00.427

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-6144

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.