F5:K66171422
Sep 07, 2018 - 12:00 a.m.

K66171422 : BIG-IP APM redirect vulnerability CVE-2018-5548

my.f5.com

EPSS: 0.001 (Low), percentile 39.6%

Security Advisory Description

The insecure AES ECB mode is used for the orig_uri parameter in an undisclosed /vdesk link of an APM virtual server configured with an access profile, allowing a malicious user to build a redirect URI value using different blocks of ciphertext. (CVE-2018-5548)

Impact

An attacker can forge a URL with an obfuscated (encrypted and encoded) value in the orig_uri parameter. An authenticated user with an established access session to the BIG-IP APM system may be redirected to a malicious website after following the forged URL.
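The following is an added illustration, not part of the advisory and not F5's code: it shows that ECB processes each block independently, so a reordered ciphertext still decrypts cleanly, and that a MAC over the whole ciphertext rejects the reordered value. A toy Feistel permutation stands in for AES so the example runs on the standard library alone; the function names, keys and sample value are assumptions, and production code would use an AEAD mode such as AES-GCM.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes

def _f(key, i, half):
    # Round function for the toy cipher (assumption: stand-in, not AES).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _block(key, blk, decrypt=False):
    """Toy 4-round Feistel permutation used in place of the AES block cipher."""
    left, right = blk[:8], blk[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        if decrypt:
            left, right = _xor(right, _f(key, i, left)), left
        else:
            left, right = right, _xor(left, _f(key, i, right))
    return left + right

def ecb(key, data, decrypt=False):
    """ECB mode: each 16-byte block is processed independently of the others."""
    if len(data) % BLOCK:
        raise ValueError("input must be a multiple of the block size")
    return b"".join(_block(key, data[i:i + BLOCK], decrypt)
                    for i in range(0, len(data), BLOCK))

def swap_blocks(data, i, j):
    """Reorder two blocks; under plain ECB nothing detects this change."""
    blocks = [data[k:k + BLOCK] for k in range(0, len(data), BLOCK)]
    blocks[i], blocks[j] = blocks[j], blocks[i]
    return b"".join(blocks)

def seal(enc_key, mac_key, uri):
    """Encrypt-then-MAC: the tag covers the whole ciphertext, in order."""
    ct = ecb(enc_key, uri)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, token):
    """Return the plaintext, or None if the ciphertext was altered."""
    ct, tag = token[:-32], token[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ecb(enc_key, ct, decrypt=True)

# Constructed sample value: two 16-byte blocks, not taken from the product.
SAMPLE = b"/portal/section1" + b"/reports/page-02"
```

With plain `ecb`, decrypting `swap_blocks(ct, 0, 1)` yields the two plaintext blocks in swapped order with no error; `open_sealed` returns `None` for the same reordered ciphertext.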
