CVE-2020-10714: WildFly-elytron: session fixation when using FORM authentication

Virsec Security Research Lab Vulnerability Report

The Virsec Security Research Lab, helmed by Virsec CTO Satya Gupta, provides timely, relevant analysis of prevalent security vulnerabilities.

1.1        Vulnerability Summary

A flaw was found in WildFly Elytron version 1.11.3.Final and before. When WildFly Elytron FORM authentication is used with a session ID carried in the URL, an attacker could perform a session fixation attack. The attack depends on the attacker being able to create a session and on the victim using that session before it expires; the default session timeout is 15 minutes, but the attacker could keep the session alive by, for example, sending a request every five minutes. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
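To make the mechanism concrete, the following is an added toy model of the session handling described above (constructed for this write-up; it is not Elytron or WildFly code). It plays out the scenario from the summary: the attacker obtains a session ID, keeps it alive with a request every five minutes, and the victim later logs in through a URL carrying that ID. The `rotate_on_login` flag is the hypothetical fix of issuing a fresh session ID on successful authentication; the credential store and timings are constructed sample values.

```python
import secrets

SESSION_TIMEOUT = 15 * 60              # default idle timeout the advisory mentions (seconds)
USERS = {"alice": "correct-horse"}     # constructed credential store


class SessionStore:
    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}             # sid -> {"user": str or None, "last_seen": float}

    def _expire(self, now):
        self.sessions = {s: d for s, d in self.sessions.items() if now - d["last_seen"] <= SESSION_TIMEOUT}

    def request(self, now, sid_from_url=None):
        """Unauthenticated request: a live session id carried in the URL is honoured, else a fresh one is issued."""
        self._expire(now)
        if sid_from_url in self.sessions:
            self.sessions[sid_from_url]["last_seen"] = now
            return sid_from_url
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def login(self, sid, user, password, now):
        """FORM login; returns the session id the client holds afterwards, or None on failure."""
        self._expire(now)
        if sid not in self.sessions or USERS.get(user) != password:
            return None
        if self.rotate_on_login:  # fix: move the session to an id the attacker never saw
            new_sid = secrets.token_hex(16)
            self.sessions[new_sid] = self.sessions.pop(sid)
            sid = new_sid
        self.sessions[sid].update(user=user, last_seen=now)
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_outcome(rotate_on_login, keepalive_every):
    """Who is logged in under the attacker's pre-created id once the victim has logged in?"""
    store = SessionStore(rotate_on_login)
    attacker_sid = store.request(now=0.0)            # attacker obtains a session id first
    if keepalive_every:                              # a request every few minutes defeats the 15-minute timeout
        for t in range(keepalive_every, 3600, keepalive_every):
            store.request(now=float(t), sid_from_url=attacker_sid)
    t_login = 3660.0                                 # victim follows a link carrying ;jsessionid=<attacker_sid>
    victim_sid = store.request(now=t_login, sid_from_url=attacker_sid)
    store.login(victim_sid, "alice", "correct-horse", now=t_login)
    return store.user_for(attacker_sid)
```

Without rotation and with the keep-alive, the attacker's ID ends up bound to the victim's authenticated session; with rotation, or if the attacker lets the session time out, it does not.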


1.2        CVSS Score

The CVSS Base Score is 7.5 (High)

1.3        Affected Version

WildFly Elytron version 1.11.3.Final and prior.

1.4        Vulnerability Attribution

This vulnerability was discovered and reported as a bug by Ted (Jong Seok) Won, a Senior Software Engineer at Red Hat.

1.5        Risk Impact

There is no known public exploit currently. The WildFly Elytron project is a new security framework brought to WildFly to provide a single unified security framework across the whole of the application server. The Elytron security framework ships with WildFly and Red Hat JBoss Enterprise Application Platform (EAP). WildFly is used in many industries, such as Aerospace & Defense, Telephony & Wireless, and Healthcare, according to HG Insights.

At a minimum, a successfully exploited session fixation could lead to a loss of privacy, allowing the attacker to obtain sensitive information entered into the application by the victim. In a more serious case, it could lead to the takeover of the victim's account if the attacker is able to authenticate with the application using the stolen session ID. If administrator accounts are compromised using this vulnerability, the attack could be used to make other attacks possible, such as altering the configuration of the application or extracting data from backend databases. The organization is likely to suffer damage to its reputation and lose the trust of users whose accounts have been compromised by the attack.

1.6        Virsec Security Platform (VSP) Support:

The VSP-Web capability can detect session fixation using its CSRF detection feature and prevent this attack from being exploited.


*** This is a Security Bloggers Network syndicated blog from Blog – Virsec Systems authored by Satya Gupta. Read the original post at: https://virsec.com/cve-2020-10714-wildfly-elytron-session-fixation-when-using-form-authentication/