Security Advisory Description
An authenticated user’s session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform. (CVE-2023-40537)
Impact
A remote unauthenticated attacker may be able to reuse, for a limited time, an authenticated user's session cookie generated by the Configuration utility and, through the management port and/or self IP addresses, execute arbitrary system commands, create or delete files, or disable services. If the reused cookie belongs to a user with the Administrator role, the attacker may gain full control of the BIG-IP VIPRION system.

Exploiting this vulnerability requires the attacker to gather knowledge of the BIG-IP system's environment and to inject themselves into the logical network path in order to capture the user's Configuration utility session cookie. By default, a session cookie can be used only from the IP address it was originally issued to; this is controlled by the auth-pam-validate-ip setting (default on) of the sys httpd module, which is configured using the TMOS Shell (tmsh).

This vulnerability affects only VIPRION platforms with multiple blades; single-blade VIPRION systems and all other BIG-IP platforms are not affected. There is no data plane exposure; this is a control plane issue only.
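The IP-binding behaviour described above is the one setting a practitioner can verify directly. The following script is an added example, not part of the F5 advisory and not F5 code: it reads the value of sys httpd auth-pam-validate-ip from the output of `tmsh list sys httpd auth-pam-validate-ip` and reports whether Configuration utility session cookies are still pinned to the client IP they were issued to. The parsing is separated from the tmsh call so it can be exercised offline; the two SAMPLE_* strings are constructed tmsh output, not captures from a real device, and the `tmsh modify` / `tmsh save sys config` commands in the remediation hint are the standard tmsh forms for changing and persisting this property.

```shell
#!/bin/sh
# Added example (not F5 code): check whether a BIG-IP's Configuration utility
# session cookies are bound to the client IP (sys httpd auth-pam-validate-ip).

# Print the auth-pam-validate-ip value ("on" or "off") found in the text of
# `tmsh list sys httpd auth-pam-validate-ip`; print "unknown" if absent.
validate_ip_setting() {
    printf '%s\n' "$1" | awk '
        $1 == "auth-pam-validate-ip" { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Exit status: 0 = cookies are IP-bound (the default), 1 = binding disabled,
# 2 = could not determine from the supplied text.
session_ip_binding_status() {
    case "$(validate_ip_setting "$1")" in
        on)  return 0 ;;
        off) return 1 ;;
        *)   return 2 ;;
    esac
}

# Live check when run on a BIG-IP; skipped where tmsh is not on PATH.
check_live_bigip() {
    command -v tmsh >/dev/null 2>&1 || { echo "tmsh not found; nothing to check"; return 0; }
    out=$(tmsh list sys httpd auth-pam-validate-ip)
    if session_ip_binding_status "$out"; then
        echo "auth-pam-validate-ip is on: Configuration utility sessions are bound to the client IP"
    else
        echo "auth-pam-validate-ip is not on; re-enable with:"
        echo "  tmsh modify sys httpd auth-pam-validate-ip on && tmsh save sys config"
    fi
}

# Constructed samples of tmsh output (not captured from a real device).
SAMPLE_ON='sys httpd {
    auth-pam-validate-ip on
}'
SAMPLE_OFF='sys httpd {
    auth-pam-validate-ip off
}'

check_live_bigip
```

Note that this setting is a default mitigation the advisory itself credits, not a fix: an attacker who has already placed themselves on the network path to capture the cookie may also be positioned to present the same source address, so the check confirms the default is intact rather than closing the issue.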