PT-2017-3145 · F5 · F5 Big-Ip

Published: 2017-07-13 · Updated: 2017-11-15 · CVE-2017-6145

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

F5 BIG-IP versions 12.0.0 through 12.1.2
F5 BIG-IP version 13.0.0

Description

The issue lies in the iControl REST service of F5 BIG-IP products, which does not properly re-validate session cookies when converting them to X-F5-Auth-Token tokens. As a result, a cookie that was once valid but has since expired can still be converted into a valid token, potentially granting unauthorized access to the iControl REST interface.

Recommendations

For versions 12.0.0 through 12.1.2, update to a version outside this range to resolve the issue. For version 13.0.0, update to a version later than 13.0.0 to resolve the issue. As a temporary workaround, restrict access to the iControl REST interface to reduce the risk of exploitation.
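As an added illustration (not F5 code), the following Python models the cookie-to-token exchange the description refers to: a vulnerable exchange that checks only the cookie's integrity beside a hardened one that re-validates the session's expiry before issuing a token and caps the token's lifetime at the session's remaining lifetime. The secret, lifetimes, cookie layout and the SessionStore class are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret and lifetimes; not values from F5 or the advisory.
COOKIE_SECRET = b"constructed-demo-secret"
SESSION_TTL = 1200  # seconds a login cookie stays valid
TOKEN_TTL = 1200    # seconds an issued API token may live


def _mac(session_id: str) -> str:
    return hmac.new(COOKIE_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Server-side record of live sessions: session_id -> absolute expiry time."""

    def __init__(self):
        self.sessions = {}

    def login(self, now: int) -> str:
        """Issue a cookie of the form <session_id>.<hmac> and record its expiry."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = now + SESSION_TTL
        return f"{sid}.{_mac(sid)}"

    def _cookie_sid(self, cookie: str):
        """Return the session id if the cookie's MAC verifies, else None."""
        sid, _, mac = cookie.partition(".")
        return sid if hmac.compare_digest(mac, _mac(sid)) else None

    def exchange_vulnerable(self, cookie: str, now: int):
        """Flaw the advisory describes: the cookie is checked for integrity only,
        never re-validated against the session store, so an expired cookie
        still yields a fresh (token, expiry) pair."""
        sid = self._cookie_sid(cookie)
        if sid is None:
            return None
        return secrets.token_hex(16), now + TOKEN_TTL

    def exchange_fixed(self, cookie: str, now: int):
        """Hardened form: re-validate the session before minting a token and
        cap the token lifetime at the session's remaining lifetime."""
        sid = self._cookie_sid(cookie)
        expiry = self.sessions.get(sid)
        if expiry is None or expiry <= now:
            return None
        return secrets.token_hex(16), min(now + TOKEN_TTL, expiry)
```

With `exchange_vulnerable`, a cookie that expired hours ago still produces a token; `exchange_fixed` refuses it and never issues a token that outlives the session it came from.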

Fix

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

BDU:2017-02557
CVE-2017-6145

Affected Products

F5 Big-Ip