Operational Defect Database

BugZero found this defect 1231 days ago.

F5 | 928161

Local password policy not enforced when auth source is set to a remote type.

Last update date:

4/26/2024

Affected products:

BIG-IP

BIG-IP TMOS

Affected releases:

13.0.0

13.0.0 HF1

13.0.0 HF2

13.0.0 HF3

13.0.1

13.1.0

13.1.0.1

13.1.0.2

13.1.0.3

13.1.0.4

13.1.0.5

13.1.0.6

Fixed releases:

No fixed releases provided.

Description:

Bug ID 928161: Local password policy not enforced when auth source is set to a remote type.

Symptoms

The local password policy is not enforced when the auth source type is set to the value of 'Remote'. Any non-default password policy changes are not enforced for local users.

Impact

The system does not enforce any of the non-default local password policy options.

For example, even if required-uppercase is set to 2, a local user's password can be set with fewer than 2 uppercase characters. Even if minimum-length is set to 12, a local user's password can be set to something shorter than 12 characters. As another example, even if max-duration is set to 90 days, the password does not expire for 99999 days (the default).

Conditions

1) Some parts of the local password policy have been changed from the default values, for example, changing the password required-uppercase to 2.
2) The auth source is set to a remote source, such as LDAP, AD, or TACACS.


Status

Resolved
