Vigil@nce - F5 BIG-IP: information disclosure via iControl REST
June 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An authenticated attacker can query the iControl REST interface of
F5 BIG-IP, in order to obtain sensitive information.
– Impacted products: BIG-IP Hardware, TMOS.
– Severity: 1/4.
– Creation date: 10/06/2016.
– Revision date: 16/06/2016.
DESCRIPTION OF THE VULNERABILITY
The F5 BIG-IP product includes a "web services" based interface
for administration automation.
However, the HTTP server does not fully check the requests, and
for some requests the reply includes private data.
An authenticated attacker can therefore query the iControl REST
interface of F5 BIG-IP, in order to obtain sensitive
information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/F5-BIG-IP-information-disclosure-via-iControl-REST-19863