CVE-2016-0353 in Security Privileged Identity Manager
Summary
by MITRE
IBM Security Privileged Identity Manager 2.0 before 2.0.2 FP8, when Virtual Appliance is used, does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
Analysis
by VulDB Data Team • 06/08/2019
IBM Security Privileged Identity Manager version 2.0 before 2.0.2 FP8 contains a critical security flaw in its virtual appliance implementation that compromises session cookie security through improper configuration of the secure flag. This vulnerability affects the authentication mechanism by failing to properly enforce the secure flag on session cookies when HTTPS is utilized, creating a significant attack surface that exposes users to session hijacking attempts. The flaw specifically manifests when the virtual appliance is deployed, where session cookies are transmitted without the secure flag, allowing attackers to intercept and potentially exploit these cookies during man-in-the-middle attacks or network eavesdropping scenarios.
The technical implementation error stems from the application's failure to properly configure HTTP response headers for session management. When a user authenticates to the IBM Security Privileged Identity Manager through the virtual appliance, the system generates session cookies that should be marked with the secure flag to ensure transmission only over encrypted channels. However, due to this configuration oversight, the secure flag is omitted from the session cookie headers, making it possible for attackers to capture these cookies during unencrypted HTTP sessions or when transitioning between HTTP and HTTPS protocols. This misconfiguration directly violates security best practices for session management and creates an exploitable condition that undermines the integrity of the authentication process.
The operational impact of this vulnerability extends beyond simple credential theft, as it enables attackers to impersonate legitimate users within the privileged identity management system. When attackers successfully intercept session cookies without the secure flag, they can establish unauthorized access to privileged accounts and potentially escalate their privileges within the organization's security infrastructure. This vulnerability particularly affects environments where the virtual appliance is deployed in mixed protocol environments or where network traffic is not properly secured between the client and server components. The attack vector is significantly amplified when attackers can manipulate network traffic or when the system does not enforce strict HTTPS-only communication policies, allowing for cookie interception during protocol transitions or when HTTP fallback mechanisms are present.
Organizations implementing IBM Security Privileged Identity Manager must address this vulnerability through immediate patching to version 2.0.2 FP8 or later, which properly configures the secure flag for session cookies. Security configurations should also include enforcement of strict HTTPS-only communication policies to prevent protocol downgrade attacks that could exploit this weakness. The vulnerability aligns with CWE-614, which addresses the improper storage of sensitive information in cookies, and represents a clear violation of the principle of least privilege in session management. From an ATT&CK framework perspective, this vulnerability maps to T1566.001 (Phishing: Spearphishing Attachment) and T1071.005 (Application Layer Protocol: Web Protocols) as attackers can leverage intercepted session cookies to maintain persistent access to privileged accounts. Organizations should also implement network monitoring to detect potential cookie interception attempts and consider additional authentication mechanisms such as multi-factor authentication to provide defense-in-depth against session hijacking attacks that could exploit this vulnerability.
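The two points above, the missing Secure attribute on a session cookie set over HTTPS and the HTTPS-only policy that mitigates it, can be checked mechanically at the HTTP layer. The following is an added example, not IBM's or VulDB's code: it parses the `Set-Cookie` headers of a response, reports cookies that lack `Secure` (the CWE-614 condition) or `HttpOnly`, checks for a `Strict-Transport-Security` header, and shows what a corrected header looks like. The response headers, the `JSESSIONID` cookie name and the `SESSION_COOKIE_NAMES` list are constructed placeholders, not values taken from the affected product.

```python
"""Audit Set-Cookie headers for the Secure flag (the defect behind CVE-2016-0353).

Added example, not IBM's or VulDB's code. All headers below are constructed;
cookie names and values are placeholders, not values from the product.
"""
import re
from dataclasses import dataclass, field

# Cookie names treated as session identifiers (constructed placeholder list;
# a real audit would take these from the application's configuration).
SESSION_COOKIE_NAMES = {"jsessionid", "sessionid", "session"}


@dataclass
class CookieAudit:
    name: str
    is_session: bool
    secure: bool
    httponly: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookies(headers, scheme="https"):
    """Check every Set-Cookie header in a response delivered over `scheme`.

    `headers` is a list of (name, value) pairs as a client receives them.
    A cookie set over HTTPS without Secure is the CWE-614 condition: the
    browser will later send it on any plain-http request to the same host.
    """
    results = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, _value, attrs = parse_set_cookie(hvalue)
        audit = CookieAudit(
            name=name,
            is_session=name.lower() in SESSION_COOKIE_NAMES,
            secure="secure" in attrs,
            httponly="httponly" in attrs,
        )
        if scheme == "https" and not audit.secure:
            audit.findings.append("CWE-614: cookie set over HTTPS without Secure")
        if audit.is_session and not audit.httponly:
            audit.findings.append("session cookie readable by script (no HttpOnly)")
        results.append(audit)
    return results


def has_hsts(headers):
    """True if Strict-Transport-Security with a positive max-age is present;
    HSTS stops browsers from issuing the plain-http request on which an
    insecure cookie would otherwise be sent."""
    for hname, hvalue in headers:
        if hname.lower() == "strict-transport-security":
            match = re.search(r"max-age=(\d+)", hvalue, re.IGNORECASE)
            return match is not None and int(match.group(1)) > 0
    return False


def harden_set_cookie(header_value):
    """Return the Set-Cookie value with Secure and HttpOnly appended if absent.
    Existing attributes and their order are preserved."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    present = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    if "secure" not in present:
        parts.append("Secure")
    if "httponly" not in present:
        parts.append("HttpOnly")
    return "; ".join(parts)


# Constructed responses: the first reproduces the reported condition (session
# cookie over HTTPS, no Secure flag), the second is the hardened shape.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0000placeholder; Path=/; HttpOnly"),
]
FIXED_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "JSESSIONID=0000placeholder; Path=/; Secure; HttpOnly"),
]


def summarize(headers):
    """Return (list of 'cookie: finding' strings, hsts_present) for a response."""
    findings = [f"{a.name}: {f}" for a in audit_cookies(headers) for f in a.findings]
    return findings, has_hsts(headers)


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("fixed", FIXED_RESPONSE)):
        findings, hsts = summarize(resp)
        print(label, "HSTS" if hsts else "no HSTS", findings or "no findings")
    print(harden_set_cookie("JSESSIONID=0000placeholder; Path=/"))
```

Run against captured response headers from a staging instance (any HTTP client that exposes raw `Set-Cookie` pairs works), the weak response yields the CWE-614 finding and no HSTS, while the fixed response is clean; `harden_set_cookie` shows the header the patched appliance is expected to emit.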