PT-2018-17042 · F5 · Big-Ip Apm
Published: 2018-09-13 · Updated: 2018-12-03 · CVE-2018-5548

| CVSS v3.1 | Vector |
|---|---|
| 6.1 (Medium) | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
BIG-IP APM versions 11.6.0 through 11.6.3
Description
The issue concerns the use of the insecure AES ECB mode for the orig uri parameter in an undisclosed /vdesk link of an APM virtual server configured with an access profile. Because ECB encrypts every 16-byte block independently and adds no integrity check, a malicious user can build a redirect URI value by combining different blocks of ciphertext.
Recommendations
For BIG-IP APM versions 11.6.0 through 11.6.3, consider restricting access to the undisclosed /vdesk link of an APM virtual server configured with an access profile until a fix is available. As a temporary workaround, avoid using the orig uri parameter in the affected link to minimize the risk of exploitation.
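The following Go program is an added illustration, not code from the advisory or from F5, of the property behind this issue and of the mitigation: with raw AES-ECB, exchanging whole 16-byte ciphertext blocks yields a ciphertext that still decrypts cleanly to a rearranged plaintext, whereas an authenticated mode (AES-GCM here) rejects the tampered ciphertext outright. The function names, key, nonce and plaintexts are constructed for the demonstration and have nothing to do with the product's own implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// ecbApply runs the raw AES block function over each 16-byte block of src with no
// chaining and no tag; that independence of blocks is what makes ECB malleable.
func ecbApply(c cipher.Block, src []byte, decrypt bool) []byte {
	dst := make([]byte, len(src))
	for i := 0; i < len(src); i += aes.BlockSize {
		if decrypt {
			c.Decrypt(dst[i:], src[i:])
		} else {
			c.Encrypt(dst[i:], src[i:])
		}
	}
	return dst
}

// swapFirstTwoBlocks returns a copy of ct with its first two 16-byte blocks exchanged.
func swapFirstTwoBlocks(ct []byte) []byte {
	out := append([]byte(nil), ct...)
	copy(out[:aes.BlockSize], ct[aes.BlockSize:2*aes.BlockSize])
	copy(out[aes.BlockSize:2*aes.BlockSize], ct[:aes.BlockSize])
	return out
}

// SwappedBlocks encrypts a+b twice, once with raw ECB and once with AES-GCM, swaps the
// first two ciphertext blocks of each result and decrypts. ECB cannot detect the change
// and yields the well-formed plaintext b+a; GCM's tag no longer matches, so Open fails.
func SwappedBlocks(key, nonce []byte, a, b string) (ecbResult string, gcmErr error, err error) {
	if len(a) != aes.BlockSize || len(b) != aes.BlockSize {
		return "", nil, errors.New("a and b must each be exactly one block long")
	}
	c, err := aes.NewCipher(key) // constructed demo key supplied by the caller
	if err != nil {
		return "", nil, err
	}
	g, err := cipher.NewGCM(c) // standard GCM: 12-byte nonce, 16-byte tag
	if err != nil {
		return "", nil, err
	}
	pt := []byte(a + b)
	ecbResult = string(ecbApply(c, swapFirstTwoBlocks(ecbApply(c, pt, false)), true))
	_, gcmErr = g.Open(nil, nonce, swapFirstTwoBlocks(g.Seal(nil, nonce, pt, nil)), nil)
	return ecbResult, gcmErr, nil
}
```

The same contrast holds for any unauthenticated mode: what is needed to stop block-level rearrangement is an integrity check over the whole ciphertext, not a different block cipher.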
Weakness Enumeration
Open Redirect
Affected Products
Big-Ip Apm