Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP AFM, APM, LTM
Fixed In:
14.1.0, 13.1.0.8
Opened: Mar 28, 2018
Severity: 2-Critical
The Network Device and Firewall collaborative Protection Profiles v2.0 require certain behavior for locking and unlocking administrative-user accounts on the BIG-IP system. BIG-IP software needs to be enhanced for compliance with those requirements.
Without these enhancements activated, the BIG-IP system is not compliant with Common Criteria requirements.
The ccmode script must be run to activate these enhancements. Also, see the Common Criteria Guidance document (published when the certificate is obtained) for more details.
Risk acceptance for Common Criteria non-compliance.
To meet Common Criteria requirements, the BIG-IP system is enhanced in two areas:
1. The primary administrative user account (generally 'admin') can be locked out, as any other administrative-user account can be. However, it is never locked out when signing in from the serial console.
2. Locked-out administrative users are unlocked only after an administrator-specified time period has passed. The default is 10 minutes, and is set in the ccmode script.
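The two rules above can be modelled as a small state machine. This is an added illustration, not F5 code or the contents of the ccmode script; the failure threshold, the `source` labels ("serial", "ssh") and the choice not to count console failures are assumptions, since the page specifies only the 10-minute default and the serial-console exemption.

```python
from dataclasses import dataclass
from typing import Optional

LOCKOUT_SECONDS = 10 * 60  # page: default unlock period is 10 minutes
MAX_FAILURES = 3           # assumption: the page states no failure threshold
PRIMARY_ADMIN = "admin"    # page: primary account is generally 'admin'


@dataclass
class Account:
    failures: int = 0
    locked_at: Optional[float] = None


class LockoutPolicy:
    """Illustrative model only; not F5's implementation."""

    def __init__(self, lockout_seconds=LOCKOUT_SECONDS, max_failures=MAX_FAILURES):
        self.lockout_seconds = lockout_seconds
        self.max_failures = max_failures
        self.accounts = {}

    def is_locked(self, user, now):
        acct = self.accounts.get(user)
        if acct is None or acct.locked_at is None:
            return False
        if now - acct.locked_at >= self.lockout_seconds:
            # The only unlock path: the configured period has elapsed.
            acct.locked_at, acct.failures = None, 0
            return False
        return True

    def attempt(self, user, password_ok, source, now):
        """Return True if the sign-in is accepted. `source` is a constructed label."""
        acct = self.accounts.setdefault(user, Account())
        exempt = user == PRIMARY_ADMIN and source == "serial"
        locked = self.is_locked(user, now)
        if locked and not exempt:
            return False  # a correct password does not lift the lock
        if password_ok:
            if not locked:  # an exempt console sign-in leaves the lock in place
                acct.failures = 0
            return True
        if not locked and not exempt:  # assumption: console failures are not counted
            acct.failures += 1
            if acct.failures >= self.max_failures:
                acct.locked_at = now
        return False
```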