F5 Networks BIG-IP Edge Client: session ID vulnerability (K06635145)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

A web client installed on the remote Windows host is affected
by a session ID disclosure vulnerability.

Description :

The version of the BIG-IP Edge Client installed on the remote Windows
host is in the range 7071.x through 7132.x. It is, therefore, affected
by a flaw in the BIG-IP Edge Client that exposes the current session
ID as part of the request URI when sending Keep-Alive requests over
an SSL channel. This can be exploited where a man-in-the-middle (MITM)
SSL-terminating proxy logs the complete request URI, since the session
ID is then written to that proxy's logs.
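As an added example (not part of the Tenable plugin or of F5's advisory), the Python below shows the two defender-side checks this finding implies: a version-range test for the affected Edge Client builds stated above, and a filter for SSL-terminating proxy access logs that flags and redacts session-identifier query parameters before the logs are retained. The log lines are constructed, and the parameter names matched (sess, session_id, sid, token) are assumptions; the advisory does not name the parameter the client puts in the URI.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Affected Edge Client build range as stated in the advisory: 7071.x through 7132.x.
AFFECTED_MIN, AFFECTED_MAX = 7071, 7132

# Query-parameter names treated as session identifiers. ASSUMPTION for this
# example: the advisory does not say which parameter name the client uses.
SESSION_PARAM_RE = re.compile(r"^(sess(ion)?(_?id)?|sid|token)$", re.IGNORECASE)

# Splits a common-log-format line into the part before the URI, the URI, and the rest.
LOG_RE = re.compile(r'^(?P<prefix>.*"[A-Z]+ )(?P<uri>\S+)(?P<suffix> HTTP/[\d.]+".*)$')

# Constructed sample proxy access-log lines (not captured from real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Aug/2017:10:00:01 +0000] "GET /myvpn?sess=abc123 HTTP/1.1" 200 12
10.0.0.5 - - [20/Aug/2017:10:00:02 +0000] "GET /keepalive?session_id=0123456789abcdef HTTP/1.1" 200 5
10.0.0.7 - - [20/Aug/2017:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def edge_client_affected(version):
    """True if the Edge Client build number (first dotted component) is in the affected range."""
    try:
        build = int(version.split(".")[0])
    except ValueError:
        return False
    return AFFECTED_MIN <= build <= AFFECTED_MAX


def session_params(uri):
    """Names of query parameters in the URI that look like session identifiers."""
    query = urlsplit(uri).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if SESSION_PARAM_RE.match(name)]


def redact_uri(uri, placeholder="REDACTED"):
    """Return the URI with session-identifier parameter values replaced by a placeholder.

    Other parameters are kept (re-encoded by urlencode, so their spelling may change).
    """
    parts = urlsplit(uri)
    if not parts.query:
        return uri
    pairs = [(name, placeholder if SESSION_PARAM_RE.match(name) else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scrub_log(text):
    """Flag and redact log lines whose request URI carries a session identifier.

    Returns (number_of_flagged_lines, scrubbed_log_text). Lines that do not
    parse as access-log entries are passed through unchanged.
    """
    flagged = 0
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and session_params(m.group("uri")):
            flagged += 1
            line = m.group("prefix") + redact_uri(m.group("uri")) + m.group("suffix")
        out.append(line)
    return flagged, "\n".join(out)


if __name__ == "__main__":
    for v in ("7071.2017.0611.1", "7133.0"):
        print(v, "affected" if edge_client_affected(v) else "not affected")
    count, cleaned = scrub_log(SAMPLE_LOG)
    print(f"{count} line(s) carried a session identifier in the URI")
    print(cleaned)
```

The scrubber runs over the raw log before it is shipped to long-term storage, so that the session ID the vulnerable client exposes in the Keep-Alive URI never lands in a retained log; the version check is the same range test the plugin applies to decide whether a host is affected.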

See also :

https://support.f5.com/csp/article/K06635145
http://www.nessus.org/u?d060f053

Solution :

Upgrade your BIG-IP device to 13.0.0 and ensure that all clients
reinstall their Edge clients from the upgraded device.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.2
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Windows

Nessus Plugin ID: 102732

Bugtraq ID:

CVE ID:
