The built-in web servers for multiple networking devices do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the same server.
Affected network devices with built-in web servers are vulnerable to a cookie theft attack. An attacker who can observe the device's HTTP traffic can capture sensitive session cookies, potentially leading to account compromise and unauthorized access to the device's configuration and data. The vulnerability is caused by a missing Secure flag on cookies that the server issues over HTTPS.
Step 1: HTTPS Connection: The user establishes a secure HTTPS connection to the vulnerable network device's web server.
Step 2: Cookie Creation: The server generates a session cookie and sends it to the user's browser, but without the Secure attribute.
Step 3: HTTP Navigation (or Forced Downgrade): The user navigates to an HTTP resource on the same domain as the device (e.g., http://device.example.com), either on their own or because an attacker forces the downgrade through techniques like DNS poisoning or ARP spoofing.
Step 4: Cookie Transmission: Because the cookie lacks the Secure attribute, the browser sends it over the unencrypted HTTP connection.
Step 5: Cookie Interception: An attacker, positioned on the same network or able to intercept the HTTP traffic, captures the session cookie.
Step 6: Session Hijacking: The attacker uses the stolen cookie to impersonate the legitimate user and gain unauthorized access to the device's web interface.
The root cause is a failure to set the Secure attribute on sensitive cookies within the HTTPS session. This attribute instructs the browser to transmit the cookie only over HTTPS connections. Without it, the browser may send the cookie over an unencrypted HTTP connection whenever the user navigates to an HTTP resource on the same domain. The flaw lies in the web server's cookie handling logic, specifically the function responsible for building Set-Cookie headers: it omits the Secure flag when generating the cookie, so the cookie is exposed to interception. This is a simple logic error, not a complex memory-safety vulnerability like a buffer overflow or race condition.
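The following added example (not from any vendor's firmware) shows the defender's side of this issue: a small Set-Cookie parser that audits captured HTTPS response headers for sensitive cookies missing the Secure attribute, and a helper that re-emits a header with Secure and HttpOnly present. The sample headers and the list of sensitive cookie names are constructed for illustration.

```python
"""Audit Set-Cookie headers for the missing Secure attribute and show the fix."""

# Constructed sample response headers, as a device web UI might send over HTTPS.
SAMPLE_HEADERS = [
    "Set-Cookie: SESSIONID=3f9a1c7e; Path=/; HttpOnly",
    "Set-Cookie: auth_token=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Set-Cookie: theme=dark; Path=/",
]

# Assumed names of cookies that carry authentication state (adjust per device).
SENSITIVE_NAMES = {"sessionid", "auth_token", "session", "token"}


def parse_set_cookie(header_line):
    """Return (name, value, attrs); attrs is a list of (attribute, value) pairs."""
    body = header_line.split(":", 1)[1]
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = []
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs.append((key.strip(), val.strip()))
    return name.strip(), value.strip(), attrs


def has_attr(attrs, wanted):
    """Cookie attribute names are case-insensitive (RFC 6265), so compare lowercased."""
    return any(key.lower() == wanted.lower() for key, _ in attrs)


def audit_set_cookie(header_lines, sensitive_names=SENSITIVE_NAMES):
    """Return the names of sensitive cookies that were set without Secure."""
    findings = []
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(line)
        if name.lower() in sensitive_names and not has_attr(attrs, "Secure"):
            findings.append(name)
    return findings


def harden_set_cookie(header_line):
    """Re-emit a Set-Cookie header, adding Secure and HttpOnly if they are absent."""
    name, value, attrs = parse_set_cookie(header_line)
    for flag in ("Secure", "HttpOnly"):
        if not has_attr(attrs, flag):
            attrs.append((flag, ""))
    rendered = [f"{name}={value}"] + [f"{k}={v}" if v else k for k, v in attrs]
    return "Set-Cookie: " + "; ".join(rendered)


if __name__ == "__main__":
    print("Missing Secure:", audit_set_cookie(SAMPLE_HEADERS))  # ['SESSIONID']
    print(harden_set_cookie(SAMPLE_HEADERS[0]))
```

Running the audit against a device's real HTTPS response headers (for example, captured with a browser's developer tools) confirms whether a firmware update has actually added the flag.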