Cyber Resilience

CVE-2023-43611

High

Published: 10 October 2023

Published
10 October 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0010 28.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-43611 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in F5 Big-Ip Access Policy Manager. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. This vulnerability is due to an incomplete fix for CVE-2023-38418. Note: Software versions which have reached End of Technical Support (EoTS)…

more

are not evaluated

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

f5
big-ip access policy manager
7.2.3 — 7.2.4.4 · 13.1.0 — 13.1.5 · 14.1.0 — 14.1.5
f5
big-ip advanced firewall manager
13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.9
f5
big-ip advanced web application firewall
13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.9
f5
big-ip analytics
13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.9
f5
big-ip application acceleration manager
13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.9
f5
big-ip application security manager
13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.9
f5
big-ip application visibility and reporting
13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.9
f5
big-ip carrier-grade nat
13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.9
f5
big-ip ddos hybrid defender
13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.9
f5
big-ip domain name system
13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.9
+9 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-347

Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.

addresses: CWE-347

Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.

addresses: CWE-347

PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.

addresses: CWE-347

Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.

addresses: CWE-347

Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.

addresses: CWE-347

Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.

addresses: CWE-347

Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.

References