Security restrictions bypass in Hardware solutions

#VU8921 Security restrictions bypass in Hardware solutions

Published: 2017-10-24

Vulnerability identifier: #VU8921

Vulnerability risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-6145

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vendor: F5 Networks

Description
The vulnerability allows a remote attacker to gain unauthorized access to the iControl REST API.

The weakness exists in the iControl REST API of multiple F5 BIG-IP systems due to improper validation of cookies when the iControl REST API converts BIGIPAuthCookie authorization cookies to X-F5-Auth-Token tokens.A remote attcker can obtain an expired BIG-IP authentication cookie could exploit this vulnerability to access valid iControl REST tokens, which could be used to access the iControl REST API on a targeted system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

BIG-IP WebSafe: 12.0 - 13.0.0

BIG-IP Link Controller: 12.0.0 - 13.0.0

BIG-IP ASM: 12.0.0 - 13.0.0

BIG-IP Analytics: 12.0.0 - 13.0.0

BIG-IP AAM: 12.0.0 - 13.0.0

External links
http://support.f5.com/csp/article/K22317030

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security restrictions bypass in F5 BIG-IP