CVE-2024-43685

Vulnerability Description: Improper Authentication – CWE-287

Software Version: 2.3.12

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43685

CVSS: 9.8

Severity: Critical

Credits: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli

The device provides a new cookie 'ci_session' before the login. This coookie will be used in the post login session. An attacker able to obtain the cookie before the login, could use it to hijack the session.

Step-by-step instructions and PoC

The attack consists of obtaining a valid session token, inducing a user to authenticate himself with that session token, and then hijacking the user-validated session by the knowledge of the used session token.

Below are the evidences with the vulnerability details and the payloads used.

An authenticated user performs the logout operation.

The user is redirect to the login page and the new token is obtained.

Then the new session token is used for the subsequent login.

This token could be captured and used by the attacker.

Moreover, it is possible for an attacker to create a cookie with a chosen value (N.B. this value must have the same length as the original one) performing a request for an unauthenticated resource (e.g. topbardata).

Then the real user has to login by using the created token.

As showed in the next picture the token is used in the user session.

Finally, the attacker could exploit the created token to access the application without knowing the credentials (e.g. access to the dashboard).

Security Impact

The Session Fixation attack fixes an established session on the victim’s browser, so the attack starts before the user logs in. As matter of fact an attacker could access and use the web application without knowing the credentials.