
CVE-2020-14248 : Security Advisory and Response

Learn about CVE-2020-14248, a security misconfiguration in HCL BigFix Inventory up to v10.0.2 that exposes session cookies to interception, posing a risk of unauthorized access.

BigFix Inventory up to v10.0.2 has a security misconfiguration that can lead to the exposure of session cookies in plaintext HTTP requests, making it vulnerable to remote attackers who can observe network traffic.

Understanding CVE-2020-14248

This CVE identifies a security misconfiguration in HCL BigFix Inventory versions up to v10.0.2.

What is CVE-2020-14248?

BigFix Inventory up to v10.0.2 fails to set the Secure flag on the session cookie in HTTPS sessions, so a browser will also send the cookie in plaintext HTTP requests to the same host, potentially allowing remote attackers to intercept it.

The Impact of CVE-2020-14248

The vulnerability can result in the exposure of sensitive session cookies, increasing the risk of unauthorized access and potential data breaches.

Technical Details of CVE-2020-14248

This section provides detailed technical information about the vulnerability.

Vulnerability Description

BigFix Inventory up to v10.0.2 does not set the secure flag for the session cookie in HTTPS sessions, making it susceptible to interception in HTTP requests.

Affected Systems and Versions

        Product: HCL BigFix Inventory
        Versions: v9, v10.0.x

Exploitation Mechanism

Without the Secure flag, the browser does not restrict the session cookie to HTTPS; an attacker able to observe the network path can capture the cookie when it is sent in a plaintext HTTP request and use it to take over the user's session.

Mitigation and Prevention

Protect your systems from CVE-2020-14248 by following these mitigation strategies.

Immediate Steps to Take

        Upgrade BigFix Inventory to a patched version that addresses the security misconfiguration.
        Implement HTTPS-only communication to reduce the risk of cookie interception.
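The weakness described in the Exploitation Mechanism section, and the cookie-hardening step listed above, can both be checked mechanically. The following is an added example (not code from the advisory or from HCL) that parses Set-Cookie headers, reports a session cookie that lacks the Secure flag (plus the related HttpOnly and SameSite attributes), and shows the weak header beside its hardened form. The cookie name and header values are constructed samples, not captured from a BigFix Inventory server.

```python
"""Audit Set-Cookie headers for the missing-Secure-flag weakness (example, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieAudit:
    name: str
    attributes: Dict[str, Optional[str]]  # lower-cased attribute name -> value (None for flags)
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split a Set-Cookie header value into the cookie name and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return CookieAudit(name=name.strip(), attributes=attrs)


def audit_set_cookie(header: str, over_https: bool = True) -> CookieAudit:
    """Return the parsed cookie with a list of weaknesses found in its attributes."""
    audit = parse_set_cookie(header)
    attrs = audit.attributes
    if over_https and "secure" not in attrs:
        # The CVE-2020-14248 condition: set over HTTPS, but not restricted to HTTPS.
        audit.findings.append("missing Secure: cookie will also be sent over plaintext HTTP")
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly: cookie readable from page scripts")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        audit.findings.append("SameSite not Lax/Strict: cookie sent on cross-site requests")
    return audit


def audit_response_headers(headers: List[Tuple[str, str]], over_https: bool = True) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header in a response; returns {cookie name: findings}."""
    results: Dict[str, List[str]] = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            result = audit_set_cookie(value, over_https)
            results[result.name] = result.findings
    return results


def harden_set_cookie(header: str) -> str:
    """Append the missing HttpOnly, Secure and SameSite=Strict attributes (e.g. at a reverse proxy)."""
    attrs = parse_set_cookie(header).attributes
    hardened = header.rstrip("; ")
    if "httponly" not in attrs:
        hardened += "; HttpOnly"
    if "secure" not in attrs:
        hardened += "; Secure"
    if "samesite" not in attrs:
        hardened += "; SameSite=Strict"
    return hardened


# Constructed sample headers: the weak form and what the same cookie should look like.
WEAK_HEADER = "_session_id=abc123; Path=/; HttpOnly"
HARDENED_HEADER = "_session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"

# Constructed sample response header list, as an HTTP client library might expose it.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", WEAK_HEADER),
]

if __name__ == "__main__":
    for cookie, findings in audit_response_headers(SAMPLE_RESPONSE_HEADERS).items():
        print(cookie, findings or "OK")
    print("hardened:", harden_set_cookie(WEAK_HEADER))
```

Run the audit against the headers of an authenticated HTTPS response from the inventory console; any session cookie reported as missing Secure is exposed in the way the advisory describes. Adding the attribute at a reverse proxy (as `harden_set_cookie` does) is a stop-gap; the upgrade remains the real fix.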

Long-Term Security Practices

        Regularly monitor and update security configurations to prevent similar misconfigurations.
        Conduct security audits to identify and address potential vulnerabilities proactively.

Patching and Updates

        Apply security patches and updates provided by HCL for BigFix Inventory to mitigate the vulnerability effectively.
