medium
5.9
CWE
203
Advisory Published
Updated

CVE-2020-5929

First published: Fri Sep 25 2020(Updated: )

In versions 13.0.0-13.0.0 HF2, 12.1.0-12.1.2 HF1, and 11.6.1-11.6.2, BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a Virtual Server configured with a Client SSL profile, and using Anonymous (ADH) or Ephemeral (DHE) Diffie-Hellman key exchange and Single DH use option not enabled in the options list may be vulnerable to crafted SSL/TLS Handshakes that may result with a PMS (Pre-Master Secret) that starts in a 0 byte and may lead to a recovery of plaintext messages as BIG-IP TLS/SSL ADH/DHE sends different error messages acting as an oracle. Similar error messages when PMS starts with 0 byte coupled with very precise timing measurement observation may also expose this vulnerability.

Credit: f5sirt@f5.com

Affected SoftwareAffected VersionHow to fix
F5 Access Policy Manager>=11.6.1<11.6.2
F5 Access Policy Manager>=12.1.0<12.1.2
F5 Access Policy Manager=11.6.2
F5 Access Policy Manager=12.1.2
F5 Access Policy Manager=12.1.2-hotfix1
F5 Access Policy Manager=13.0.0
F5 Access Policy Manager=13.0.0-hotfix1
F5 Access Policy Manager=13.0.0-hotfix2
F5 BIG-IP Advanced Firewall Manager>=11.6.1<11.6.2
F5 BIG-IP Advanced Firewall Manager>=12.1.0<12.1.2
F5 BIG-IP Advanced Firewall Manager=11.6.2
F5 BIG-IP Advanced Firewall Manager=12.1.2
F5 BIG-IP Advanced Firewall Manager=12.1.2-hotfix1
F5 BIG-IP Advanced Firewall Manager=13.0.0
F5 BIG-IP Advanced Firewall Manager=13.0.0-hotfix1
F5 BIG-IP Advanced Firewall Manager=13.0.0-hotfix2
F5 BIG-IP Advanced WAF/ASM>=11.6.1<11.6.2
F5 BIG-IP Advanced WAF/ASM>=12.1.0<12.1.2
F5 BIG-IP Advanced WAF/ASM=11.6.2
F5 BIG-IP Advanced WAF/ASM=12.1.2
F5 BIG-IP Advanced WAF/ASM=12.1.2-hotfix1
F5 BIG-IP Advanced WAF/ASM=13.0.0
F5 BIG-IP Advanced WAF/ASM=13.0.0-hotfix1
F5 BIG-IP Advanced WAF/ASM=13.0.0-hotfix2
F5 BIG-IP Analytics>=11.6.1<11.6.2
F5 BIG-IP Analytics>=12.1.0<12.1.2
F5 BIG-IP Analytics=11.6.2
F5 BIG-IP Analytics=12.1.2
F5 BIG-IP Analytics=12.1.2-hotfix1
F5 BIG-IP Analytics=13.0.0
F5 BIG-IP Analytics=13.0.0-hotfix1
F5 BIG-IP Analytics=13.0.0-hotfix2
F5 BIG-IP Application Acceleration Manager>=11.6.1<11.6.2
F5 BIG-IP Application Acceleration Manager>=12.1.0<12.1.2
F5 BIG-IP Application Acceleration Manager=11.6.2
F5 BIG-IP Application Acceleration Manager=12.1.2
F5 BIG-IP Application Acceleration Manager=12.1.2-hotfix1
F5 BIG-IP Application Acceleration Manager=13.0.0
F5 BIG-IP Application Acceleration Manager=13.0.0-hotfix1
F5 BIG-IP Application Acceleration Manager=13.0.0-hotfix2
F5 Application Security Manager>=11.6.1<11.6.2
F5 Application Security Manager>=12.1.0<12.1.2
F5 Application Security Manager=11.6.2
F5 Application Security Manager=12.1.2
F5 Application Security Manager=12.1.2-hotfix1
F5 Application Security Manager=13.0.0
F5 Application Security Manager=13.0.0-hotfix1
F5 Application Security Manager=13.0.0-hotfix2
F5 BIG-IP DDoS Hybrid Defender>=11.6.1<11.6.2
F5 BIG-IP DDoS Hybrid Defender>=12.1.0<12.1.2
F5 BIG-IP DDoS Hybrid Defender=11.6.2
F5 BIG-IP DDoS Hybrid Defender=12.1.2
F5 BIG-IP DDoS Hybrid Defender=12.1.2-hotfix1
F5 BIG-IP DDoS Hybrid Defender=13.0.0
F5 BIG-IP DDoS Hybrid Defender=13.0.0-hotfix1
F5 BIG-IP DDoS Hybrid Defender=13.0.0-hotfix2
F5 BIG-IP>=11.6.1<11.6.2
F5 BIG-IP>=12.1.0<12.1.2
F5 BIG-IP=11.6.2
F5 BIG-IP=12.1.2
F5 BIG-IP=12.1.2-hotfix1
F5 BIG-IP=13.0.0
F5 BIG-IP=13.0.0-hotfix1
F5 BIG-IP=13.0.0-hotfix2
F5 BIG-IP Fraud Protection Service>=11.6.1<11.6.2
F5 BIG-IP Fraud Protection Service>=12.1.0<12.1.2
F5 BIG-IP Fraud Protection Service=11.6.2
F5 BIG-IP Fraud Protection Service=12.1.2
F5 BIG-IP Fraud Protection Service=12.1.2-hotfix1
F5 BIG-IP Fraud Protection Service=13.0.0
F5 BIG-IP Fraud Protection Service=13.0.0-hotfix1
F5 BIG-IP Fraud Protection Service=13.0.0-hotfix2
Riverbed SteelApp Traffic Manager>=11.6.1<11.6.2
Riverbed SteelApp Traffic Manager>=12.1.0<12.1.2
Riverbed SteelApp Traffic Manager=11.6.2
Riverbed SteelApp Traffic Manager=12.1.2
Riverbed SteelApp Traffic Manager=12.1.2-hotfix1
Riverbed SteelApp Traffic Manager=13.0.0
Riverbed SteelApp Traffic Manager=13.0.0-hotfix1
Riverbed SteelApp Traffic Manager=13.0.0-hotfix2
F5 BIG-IP Link Controller>=11.6.1<11.6.2
F5 BIG-IP Link Controller>=12.1.0<12.1.2
F5 BIG-IP Link Controller=11.6.2
F5 BIG-IP Link Controller=12.1.2
F5 BIG-IP Link Controller=12.1.2-hotfix1
F5 BIG-IP Link Controller=13.0.0
F5 BIG-IP Link Controller=13.0.0-hotfix1
F5 BIG-IP Link Controller=13.0.0-hotfix2
Riverbed SteelApp Traffic Manager>=11.6.1<11.6.2
Riverbed SteelApp Traffic Manager>=12.1.0<12.1.2
Riverbed SteelApp Traffic Manager=11.6.2
Riverbed SteelApp Traffic Manager=12.1.2
Riverbed SteelApp Traffic Manager=12.1.2-hotfix1
Riverbed SteelApp Traffic Manager=13.0.0
Riverbed SteelApp Traffic Manager=13.0.0-hotfix1
Riverbed SteelApp Traffic Manager=13.0.0-hotfix2
F5 BIG-IP Policy Enforcement Manager>=11.6.1<11.6.2
F5 BIG-IP Policy Enforcement Manager>=12.1.0<12.1.2
F5 BIG-IP Policy Enforcement Manager=11.6.2
F5 BIG-IP Policy Enforcement Manager=12.1.2
F5 BIG-IP Policy Enforcement Manager=12.1.2-hotfix1
F5 BIG-IP Policy Enforcement Manager=13.0.0
F5 BIG-IP Policy Enforcement Manager=13.0.0-hotfix1
F5 BIG-IP Policy Enforcement Manager=13.0.0-hotfix2
F5 BIG-IP SSL Orchestrator>=11.6.1<11.6.2
F5 BIG-IP SSL Orchestrator>=12.1.0<12.1.2
F5 BIG-IP SSL Orchestrator=11.6.2
F5 BIG-IP SSL Orchestrator=12.1.2
F5 BIG-IP SSL Orchestrator=12.1.2-hotfix1
F5 BIG-IP SSL Orchestrator=13.0.0
F5 BIG-IP SSL Orchestrator=13.0.0-hotfix1
F5 BIG-IP SSL Orchestrator=13.0.0-hotfix2

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2020-5929?

    CVE-2020-5929 has a medium severity rating due to its potential impact on secure communications.

  • How do I fix CVE-2020-5929?

    To fix CVE-2020-5929, update the affected F5 BIG-IP software to a non-vulnerable version as specified in the vendor's security advisory.

  • Which F5 BIG-IP versions are affected by CVE-2020-5929?

    Affected versions of F5 BIG-IP include 11.6.1 to 11.6.2, 12.1.0 to 12.1.2, and 13.0.0 to 13.0.0 HF2.

  • What types of attacks does CVE-2020-5929 expose systems to?

    CVE-2020-5929 can expose systems to potential man-in-the-middle attacks due to weakness in key exchange configurations.

  • Is there a workaround for CVE-2020-5929?

    A potential workaround is to disable the use of Anonymous Diffie-Hellman and Ephemeral Diffie-Hellman key exchanges until a patch is applied.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203