CVE-2016-2952
Description
IBM BigFix Remote Control before 9.1.3 lacks HTTP Strict Transport Security (HSTS), enabling man-in-the-middle attacks to intercept sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
IBM BigFix Remote Control versions prior to 9.1.3 do not send the HTTP Strict Transport Security (HSTS) header in their responses. Because the header is never sent, a browser that has reached the server over HTTPS is not told to use HTTPS exclusively for future connections, so a later plain-HTTP request to the server is not upgraded on the client side. The missing HSTS header is a security hardening deficiency that weakens protection against protocol downgrade attacks. [1]
Exploitation
An attacker with network access (e.g., on the same network segment or via a compromised router) can perform a man-in-the-middle attack. By intercepting an initial HTTP request from a client to the BigFix Remote Control server, the attacker can downgrade the connection to plain HTTP or inject malicious content. No authentication or user interaction beyond the initial HTTP request is required. [1]
Impact
Successful exploitation allows the attacker to obtain sensitive information transmitted over the HTTP connection, such as session tokens or credentials. The confidentiality of communications is compromised, potentially leading to further unauthorized access. The attack does not provide code execution or direct system compromise. [1]
Mitigation
The vulnerability is fixed in IBM BigFix Remote Control version 9.1.3, released in October 2016. Users should upgrade to this version or later. No workaround is documented; the fix is included in the application update. [1]
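As an added example (not part of this CVE record or of IBM's software), the following Python audits a raw HTTP response for the Strict-Transport-Security header and reports the conditions that leave later HTTP requests downgradable; the sample responses are constructed, not captured from BigFix Remote Control, and the one-year minimum max-age is an assumed policy threshold.

```python
# Added example: audit a raw HTTP response for the HSTS header whose absence
# CVE-2016-2952 describes. Sample responses below are constructed, not real.
ONE_YEAR = 31536000  # assumed minimum max-age in seconds (policy choice)


def split_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return lower-cased (name, value) pairs from a raw HTTP response head."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")[1:]  # drop the status line
    pairs = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_hsts(value: str) -> dict:
    """Parse STS directives (RFC 6797 section 6.1): directive names are
    case-insensitive, values may be quoted, unknown directives are ignored."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name:
            directives[name] = val.strip().strip('"')
    return directives


def audit_hsts(raw: bytes, min_max_age: int = ONE_YEAR) -> list[str]:
    """Return findings; an empty list means HSTS is present and adequate."""
    sts = [v for n, v in split_headers(raw) if n == "strict-transport-security"]
    if not sts:
        return ["no Strict-Transport-Security header: the browser will not "
                "upgrade later plain-HTTP requests to this host"]
    d = parse_hsts(sts[0])  # RFC 6797: only the first STS field is processed
    if "max-age" not in d or not d["max-age"].isdigit():
        return ["max-age directive missing or malformed: the policy is ignored"]
    findings = []
    age = int(d["max-age"])
    if age == 0:
        findings.append("max-age=0 clears any cached policy instead of setting one")
    elif age < min_max_age:
        findings.append(f"max-age={age} is below the {min_max_age}s minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains are not covered")
    return findings


# Constructed responses: one lacking the header, one carrying a sound policy.
VULNERABLE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
FIXED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
```

Run `audit_hsts` against a response captured over HTTPS, since browsers ignore the header on plain-HTTP responses.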
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:ibm:bigfix_remote_control:*:*:*:*:*:*:*:* (range: <=9.1.2)
- (no CPE) (range: <9.1.3)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www-01.ibm.com/support/docview.wss (nvd, Vendor Advisory)
- www-01.ibm.com/support/docview.wss (nvd, Vendor Advisory)
- www.securityfocus.com/bid/94598 (nvd)
News mentions
No linked articles in our index yet.