Bug ID 1332781: A remote user with the same username as the local F5OS user will be granted the local user's roles

Last Modified: Oct 21, 2024

Affected Product(s):
F5OS Velos (all modules)

Fixed In:
F5OS-C 1.6.2, F5OS-A 1.8.0, F5OS-A 1.5.2

Opened: Aug 21, 2023

Severity: 1-Blocking

Symptoms

If you create a remote user on the RADIUS, TACACS+, or LDAP servers with the same username as a local F5OS user, the remote user will be granted the local user's roles upon authentication.

Impact

The remote user will take the local user's privileges.

Conditions

A remote user is created with the same username as a local user and remote authentication is enabled.

Workaround

Do not create a remote user with the same username as a local user. If you have already created one, change the username of either the local user or the remote user.
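
One way to find existing collisions before renaming accounts, shown as an added example that is not F5 code: it compares a list of local F5OS usernames against the account names from each remote authentication source. It assumes those lists have already been exported by whatever means you use; the function name and the sample data are constructed for illustration, and treating case-only differences as worth reviewing is an assumption, not documented F5OS behavior.

```python
from collections import defaultdict


def find_username_collisions(local_users, remote_users_by_source):
    """Compare local usernames with remote account names (hypothetical helper).

    Returns (exact, case_only); each maps a local username to a sorted list of
    (source, remote_username) pairs.
      exact     - remote name is identical to a local name, the condition
                  described in this bug.
      case_only - names differ only by letter case. Whether the system treats
                  these as the same account is an assumption to verify, so
                  they are reported separately for manual review.
    """
    local = {u.strip() for u in local_users if u.strip()}
    folded = defaultdict(set)
    for name in local:
        folded[name.casefold()].add(name)

    exact, case_only = defaultdict(list), defaultdict(list)
    for source, names in remote_users_by_source.items():
        for raw in names:
            remote = raw.strip()
            if not remote:
                continue  # skip blank lines from an export
            if remote in local:
                exact[remote].append((source, remote))
            for local_name in folded.get(remote.casefold(), ()):
                if local_name != remote:
                    case_only[local_name].append((source, remote))
    return ({k: sorted(v) for k, v in exact.items()},
            {k: sorted(v) for k, v in case_only.items()})


# Constructed sample data, not taken from any real system.
LOCAL_USERS = ["admin", "root", "operator1"]
REMOTE_USERS = {
    "ldap": ["alice", "admin", "bob"],
    "radius": ["Operator1", "carol"],
    "tacacs+": ["admin", "dave"],
}

if __name__ == "__main__":
    exact, case_only = find_username_collisions(LOCAL_USERS, REMOTE_USERS)
    for name, hits in sorted(exact.items()):
        print(f"COLLISION {name}: " + ", ".join(s for s, _ in hits))
    for name, hits in sorted(case_only.items()):
        print(f"REVIEW {name}: " + ", ".join(f"{s}:{r}" for s, r in hits))
```

Any name reported as a collision should be renamed on one side, as the workaround describes, before remote authentication is enabled or left enabled on an affected version.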

Fix Information

If a remote user is created with the same username as a local user, the remote user's authentication will be rejected. Only the local user will have access to the F5OS system.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips