WARNING! Fake news / Disputed / BOGUS

FreeIPA 2.213 Session Hijacking

Credit: rsanchezr
Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[Description] An attacker can hijack the session to unlock the users when they has been locked with his last sesiA3n. ===================================================================== [Session hijacking] This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The advarsary is able to steal or manipulate an active session and use it to gain unathorized access to the application. ===================================================================== [Vulnerability Type] Session hijacking ===================================================================== [Example scenario] We are using two users to explain it: - [DEMO1] = Locked user - [DEMO2] = Normal user The [DEMO1] has been locked to the system and we are using the [DEMO2] session to try to unlock the [DEMO1] user but we canA't because we donA't have this privileges so this is correct like you can see in this screenshot. The session hijacking occurs when we use the old session that we had used with [DEMO1] user before lock it. This session hasnA't been deleted/expired so you can it to unlock the [DEMO1] user without problem like you can see in the next evidence. ===================================================================== [Vendor of Product] Redhat ===================================================================== [Affected Product Code Base] FreeIPA 2.213 ===================================================================== [Affected Component] Affected client web browser/Active Directory Users ===================================================================== [Attack Type] Remote ===================================================================== [Discoverer] Ricardo Sanchez Ruiz ===================================================================== [Username] rsanchezr ===================================================================== [CVE] CVE-2017-11191

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com


Back to Top