IBM BigFix Platform Multiple Security Vulnerabilities
BID:106198
Info
| Bugtraq ID: | 106198 |
| Class: | Input Validation Error |
| CVE: | CVE-2018-1474, CVE-2018-1476, CVE-2018-1478, CVE-2018-1480, CVE-2018-1481, CVE-2018-1484, CVE-2018-1485 |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 19 2018 12:00AM |
| Updated: | Oct 19 2018 12:00AM |
| Credit: | IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza |
| Vulnerable: | IBM BigFix Platform 9.5.9, 9.5.8, 9.5.7, 9.5.6, 9.5.5, 9.5.4, 9.5.2, 9.2.14, 9.2.12, 9.2.10, 9.2.9, 9.2.8, 9.2.6, 9.5, 9.2 |
| Not Vulnerable: | IBM BigFix Platform 9.5.10, 9.2.15 |
Discussion
IBM BigFix Platform is prone to multiple security vulnerabilities:
1. An HTTP response-splitting vulnerability
2. A click-jacking vulnerability
3. Multiple information-disclosure vulnerabilities
4. A session-hijacking vulnerability
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials, perform unauthorized actions or obtain sensitive information.
BigFix Platform versions 9.5 through 9.5.9 and 9.2 through 9.2.1 are vulnerable.
Exploit / POC
Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
References: