Source: cve@mitre.org
The built-in web servers for multiple networking devices do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the same server.
Multiple networking devices are vulnerable to a cookie-hijacking attack due to a misconfiguration in their built-in web servers. This allows an attacker to intercept sensitive session cookies transmitted over HTTP, potentially leading to account compromise and unauthorized access to the device's configuration and data.
Step 1: User Accesses Device via HTTPS: A legitimate user establishes a secure HTTPS connection to the vulnerable networking device's web interface.
Step 2: Cookie Creation: The device's web server generates a session cookie (e.g., sessionid) to maintain the user's authenticated session.
Step 3: Missing Secure Attribute: The web server fails to set the Secure attribute on the session cookie. This means the cookie is not explicitly restricted to HTTPS.
Step 4: User Accesses Device via HTTP (or is redirected): The user reaches the device's web interface over plain HTTP, whether by typing the address without https://, following a link, being redirected, or being tricked by an attacker into doing so.
Step 5: Cookie Transmission over HTTP: Because the Secure attribute is missing, the browser sends the session cookie over the unencrypted HTTP connection.
Step 6: Attacker Interception: An attacker positioned on the same network (e.g., via ARP poisoning or DNS spoofing), or otherwise able to eavesdrop on the path, intercepts the HTTP request and captures the session cookie.
Step 7: Session Hijacking: The attacker uses the stolen session cookie to impersonate the legitimate user and gain unauthorized access to the device's web interface.
The vulnerability stems from the web server's failure to set the Secure attribute on sensitive cookies when serving HTTPS traffic. The Secure attribute instructs the browser to transmit the cookie only over HTTPS connections. Without this attribute a cookie is not scoped to a scheme, so the browser will attach it to any plain-HTTP request it makes to the same host if the user accesses the device via HTTP. This allows an attacker who can intercept (man-in-the-middle, MITM) the HTTP connection or eavesdrop on the network to capture the cookie and use it to impersonate the user. The root cause is a missing or incorrect configuration within the web server's cookie handling logic. Specifically, the code responsible for generating and setting the Set-Cookie headers does not include the Secure flag for cookies that carry sensitive information such as session identifiers or authentication tokens. This is a configuration flaw, not a code-level vulnerability like a buffer overflow or SQL injection.
This type of vulnerability is attractive to a wide range of attackers, from opportunistic script kiddies to sophisticated APT groups. Any actor seeking to gain unauthorized access to network devices would find this useful. It's difficult to attribute specific attacks to specific APTs without more context. This vulnerability is not known to be on the CISA KEV list, but it is a type of vulnerability that could lead to significant compromise.
Network traffic analysis: Monitor for HTTP traffic to the device, especially if HTTPS is the expected protocol. Look for session cookies being transmitted in cleartext.
IDS/IPS signatures: Implement signatures to detect the transmission of sensitive cookies over HTTP.
Web server logs: Analyze web server logs for suspicious activity, such as multiple HTTP requests from the same IP address with the same session cookie.
Forensic analysis: Examine network packet captures for cleartext cookie transmission.
Vulnerability Scanners: Run vulnerability scans to identify devices with this configuration issue.
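The two checks from the list above, a scanner-style audit of Set-Cookie headers for session cookies that lack Secure and a review of captured plaintext requests for those cookies travelling in the clear, as an added Python example. It is not code from the advisory or from any vendor; the response headers, the captured requests, the cookie names and the list of name fragments treated as "sensitive" are constructed assumptions for the demonstration.

```python
"""Added example (not from the advisory): audit Set-Cookie headers of an HTTPS
response for session-type cookies that lack the Secure attribute, and scan
captured plaintext HTTP requests for those same cookies sent in the clear.
All sample data below is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Name fragments that usually mark an authentication or session cookie (assumption).
SENSITIVE_NAME_HINTS = ("session", "sess", "auth", "token", "sid")


@dataclass
class CookieAttrs:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]

    @property
    def looks_sensitive(self) -> bool:
        lowered = self.name.lower()
        return any(hint in lowered for hint in SENSITIVE_NAME_HINTS)


def parse_set_cookie(header_value: str) -> CookieAttrs:
    """Parse one Set-Cookie value of the form 'name=value; Attr; Attr=val'.

    Attribute names are case-insensitive (RFC 6265), so they are lowered.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieAttrs(name=name,
                       secure="secure" in attrs,
                       httponly="httponly" in attrs,
                       samesite=attrs.get("samesite"))


def audit_https_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Return one finding per sensitive cookie a scanner should flag."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if not cookie.looks_sensitive:
            continue
        if not cookie.secure:
            # The misconfiguration described in the advisory (CWE-614).
            findings.append(f"{cookie.name}: set over HTTPS without Secure (CWE-614)")
        if not cookie.httponly:
            findings.append(f"{cookie.name}: set without HttpOnly")
    return findings


def cleartext_cookie_exposures(requests: List[str]) -> List[Tuple[str, str]]:
    """Scan raw HTTP/1.x requests seen on a plaintext port for sensitive cookies.

    Returns (request line, cookie name) pairs: each is a cookie the browser sent
    unencrypted, i.e. one a passive eavesdropper on the path could have captured.
    """
    exposures = []
    for raw in requests:
        head = raw.split("\r\n\r\n", 1)[0]
        lines = head.split("\r\n")
        for line in lines[1:]:
            if not line.lower().startswith("cookie:"):
                continue
            for pair in line.partition(":")[2].split(";"):
                name = pair.strip().partition("=")[0]
                if any(hint in name.lower() for hint in SENSITIVE_NAME_HINTS):
                    exposures.append((lines[0], name))
    return exposures


# Constructed sample: headers of an HTTPS login response from a device whose
# server forgets Secure on the session cookie but gets the auth token right.
HTTPS_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=3f9a1c; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Set-Cookie", "authtoken=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

# Constructed sample: two plaintext requests captured on TCP/80 after the user
# followed an http:// link to the same device (192.0.2.1 is a documentation address).
CAPTURED_HTTP_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: 192.0.2.1\r\nCookie: lang=en\r\n\r\n",
    "GET /admin/status HTTP/1.1\r\nHost: 192.0.2.1\r\nCookie: lang=en; sessionid=3f9a1c\r\n\r\n",
]

if __name__ == "__main__":
    for finding in audit_https_response(HTTPS_RESPONSE_HEADERS):
        print("finding:", finding)
    for request_line, cookie_name in cleartext_cookie_exposures(CAPTURED_HTTP_REQUESTS):
        print(f"cleartext exposure: {cookie_name} in '{request_line}'")
```

Run as a script it reports the sessionid cookie twice: once from the HTTPS response (issued without Secure) and once from the plaintext capture (actually sent in the clear). The second check is the one that turns the configuration finding into evidence of exposure, which is why the network-traffic and forensic items above matter alongside the scanner.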
Enable the Secure attribute: Configure the web server to always set the Secure attribute on all sensitive cookies, especially those used for authentication and session management.
Enforce HTTPS: Redirect all HTTP traffic to HTTPS. This prevents users from accidentally accessing the device over an unencrypted connection. Note that a redirect alone does not protect the first request: the browser has already sent the cookie over HTTP before it receives the redirect, so the Secure attribute (and HSTS) are still required.
Implement HTTP Strict Transport Security (HSTS): Configure HSTS to instruct browsers to always use HTTPS for future connections to the device.
Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities.
Update Firmware: Apply security patches and firmware updates from the vendor to address known vulnerabilities.
Network Segmentation: Isolate the management interface of the network devices on a separate network segment to limit the impact of a compromise.
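The three server-side mitigations from the list above (Secure on the session cookie, an HTTP-to-HTTPS redirect, and HSTS) combined in a minimal WSGI application, as an added example that is not part of the advisory or of any device's firmware. The cookie name, the lifetimes, the host 192.0.2.1 and the paths are assumed values for the demonstration.

```python
"""Added example (not from the advisory or any vendor): a minimal WSGI app that
issues the session cookie with Secure/HttpOnly/SameSite, redirects plaintext
HTTP to HTTPS without ever setting a cookie on the plaintext side, and sends
HSTS on HTTPS responses. Names and lifetimes are assumed values."""
import secrets

SESSION_COOKIE = "sessionid"     # assumed cookie name, as in the scenario above
SESSION_MAX_AGE = 3600           # assumed: one hour
HSTS_MAX_AGE = 31536000          # one year


def session_cookie_header(value: str) -> str:
    """Set-Cookie value for the session cookie with the protective attributes.

    Secure   -> the browser only sends it over HTTPS (the fix for this issue)
    HttpOnly -> not readable from page scripts
    SameSite -> not attached to cross-site requests
    """
    return (f"{SESSION_COOKIE}={value}; Path=/; Max-Age={SESSION_MAX_AGE}; "
            "Secure; HttpOnly; SameSite=Strict")


def https_redirect_location(environ: dict) -> str:
    """Build the HTTPS URL for a plaintext request.

    SERVER_NAME (configured on the server) is used rather than the client-supplied
    Host header so that the redirect cannot be steered to another host.
    """
    target = f"https://{environ['SERVER_NAME']}{environ.get('PATH_INFO') or '/'}"
    if environ.get("QUERY_STRING"):
        target += "?" + environ["QUERY_STRING"]
    return target


def has_session_cookie(environ: dict) -> bool:
    cookie_header = environ.get("HTTP_COOKIE", "")
    return any(part.strip().startswith(SESSION_COOKIE + "=")
               for part in cookie_header.split(";"))


def app(environ, start_response):
    """WSGI entry point."""
    if environ.get("wsgi.url_scheme") != "https":
        # Never serve content, and never issue or refresh a cookie, over plaintext.
        start_response("301 Moved Permanently",
                       [("Location", https_redirect_location(environ)),
                        ("Content-Length", "0")])
        return [b""]

    headers = [("Content-Type", "text/plain"),
               ("Strict-Transport-Security", f"max-age={HSTS_MAX_AGE}")]
    if not has_session_cookie(environ):
        headers.append(("Set-Cookie", session_cookie_header(secrets.token_urlsafe(32))))
    start_response("200 OK", headers)
    return [b"management interface\n"]


def make_environ(scheme: str, path: str, query: str = "", cookie: str = "") -> dict:
    """Constructed WSGI environ for exercising the app without a socket."""
    environ = {"wsgi.url_scheme": scheme, "SERVER_NAME": "192.0.2.1",
               "REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    return environ


def run(environ: dict):
    """Call the app in-process; return (status, headers as a dict, body bytes).

    The app sets at most one Set-Cookie per response, so a dict is sufficient here.
    """
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(run(make_environ("http", "/admin", "page=1")))       # redirect, no cookie
    print(run(make_environ("https", "/admin")))                # HSTS + Secure cookie
    print(run(make_environ("https", "/admin", cookie="lang=en; sessionid=abc")))
```

The plaintext branch issues no cookie at all, so even a client that ignores the redirect never receives a session identifier over HTTP; the HSTS header on the HTTPS branch is what stops a returning browser from making the plaintext request in the first place. Also note that the HSTS `max-age` cannot help the very first visit, which is why the Secure attribute remains the primary control.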