CVE-2018-10252 in WCB6200Q
Summary
by MITRE
An issue was discovered on Actiontec WCB6200Q before 1.1.10.20a devices. The admin login session cookie is insecurely generated making admin session hijacking possible. When an admin logs in, a session cookie is generated using the time of day rounded to 10ms. Since the web server returns its current time of day in responses, it is possible to step backward through possible session values until a working one is found. Once a working session ID is found, an attacker then has admin control of the device and can add a secondary SSID to create a backdoor to the network.
Analysis
by VulDB Data Team • 02/05/2020
The vulnerability in Actiontec WCB6200Q devices with firmware before 1.1.10.20a is a session management flaw in the administrative web interface. It is an instance of weak session identifier generation: the device does not draw its admin session cookie from a cryptographically secure random source but derives it from the system's current time rounded to 10 ms, which leaves a very small space of possible identifiers.
The cookie is a direct function of the device clock, so it is predictable to anyone who can measure that clock. The web server includes its current time of day in its responses, which gives an attacker the reference point needed to enumerate candidate session identifiers systematically. This design violates the security principles outlined in CWE-1037, which addresses insufficient entropy in random number generation, and relates specifically to CWE-310, which deals with cryptographic weaknesses in session management.
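To make the entropy argument concrete, here is an added example (not Actiontec firmware or VulDB code) that places a hypothetical reconstruction of the described time-rounded generator beside a CSPRNG-backed session store with expiry. The names weak_session_id, candidate_count and SessionStore, the hex cookie format and the lifetime are assumptions, since the page gives no implementation details; candidate_count also generalizes the 10 ms case to any rounding resolution.

```python
"""Weak time-derived session ids versus a CSPRNG-backed session store.

Added example, not Actiontec firmware or VulDB code. The WCB6200Q cookie
format is not given on this page, so weak_session_id() is a hypothetical
reconstruction of the behaviour described: the id is a function of the
wall-clock time rounded to 10 ms and nothing else.
"""
import secrets
import time
from typing import Dict, Optional


def weak_session_id(now: float) -> str:
    """Hypothetical weak generator. 'now' (seconds since the epoch) is the
    only input, truncated to 10 ms ticks: two logins inside the same tick get
    the same id, and anyone who knows the clock can reproduce it."""
    ticks = int(now * 100)  # 100 ticks per second == 10 ms resolution
    return f"{ticks:x}"


def candidate_count(window_seconds: float, resolution_ms: int = 10) -> int:
    """Number of distinct ids a time-rounded generator can emit across a login
    window of the given length; this is the whole search space. The default
    is the page's 10 ms, but any rounding resolution can be passed."""
    window_ms = round(window_seconds * 1000)
    return -(-window_ms // resolution_ms)  # ceiling division


class SessionStore:
    """Hardened form: 256-bit ids from the OS CSPRNG, bound to an expiry, so
    the id is independent of the clock and is not reusable after it lapses."""

    ID_BYTES = 32  # 256 bits of entropy per id

    def __init__(self, lifetime_seconds: float = 900.0) -> None:
        self._lifetime = lifetime_seconds
        self._expiry: Dict[str, float] = {}

    def issue(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_hex(self.ID_BYTES)  # unrelated to 'now'
        self._expiry[sid] = now + self._lifetime
        return sid

    def validate(self, sid: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        exp = self._expiry.get(sid)
        if exp is None:
            return False
        if now >= exp:
            del self._expiry[sid]  # expired ids are purged, never revived
            return False
        return True

    def revoke(self, sid: str) -> None:
        self._expiry.pop(sid, None)


if __name__ == "__main__":
    t0 = 1_580_900_000.0  # constructed timestamp
    print("weak id:", weak_session_id(t0),
          "same tick 4 ms later:", weak_session_id(t0 + 0.004))
    print("ids possible in an 8 h window:", candidate_count(8 * 3600))
    store = SessionStore()
    sid = store.issue(now=t0)
    print("strong id bits:", SessionStore.ID_BYTES * 8,
          "valid now:", store.validate(sid, now=t0 + 1))
```

The point of candidate_count is the scale: an eight-hour login window at 10 ms resolution holds fewer than three million identifiers, a budget that a script can exhaust, whereas a 256-bit random id cannot be enumerated at all. Binding the id to an expiry and purging it on lapse limits how long a leaked or guessed cookie stays usable.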
The impact goes well beyond unauthorized read access: a recovered session cookie grants full administrative control of the device. With it an attacker can modify the network configuration, create additional SSIDs, and establish persistent backdoor access points. A secondary SSID in particular provides a covert entry point that can be used for unauthorized network infiltration, data exfiltration, or as a stepping stone for further attacks inside the network. Because this access requires neither credentials nor the exploitation of any other vulnerability, the flaw is a significant risk to both enterprise and home networks.
The exploitation methodology aligns with techniques described in the MITRE ATT&CK framework under the T1078 credential access and T1059 execution domains: an attacker can use the weakness to establish persistent access and then escalate through network reconnaissance. The small entropy space of the time-derived cookie makes the flaw highly exploitable, since an attacker only has to iterate over plausible time values until a valid session is found. It is a textbook case of inadequate entropy that violates fundamental security requirements for session management, as specified in the NIST SP 800-63B guidelines for digital identity and authentication systems. Organizations should apply the firmware update, segment management interfaces from untrusted networks, and monitor for unauthorized administrative access attempts; these measures protect against this flaw and against similar time-based session management weaknesses.
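One way to implement the monitoring recommendation above, as an added example rather than VulDB or vendor tooling: the script flags a client that presents many distinct rejected admin cookies within a short window, which is the access pattern that enumerating a time-derived identifier produces, and lists any cookie that client was subsequently accepted with. The log line layout, the sid= field, the rejected status set and the sample lines are constructed assumptions; the WCB6200Q's real log format is not on this page.

```python
"""Flag clients that present many distinct rejected admin session cookies in a
short window, and list any cookie such a client was later accepted with.

Added example, not VulDB or Actiontec code. The WCB6200Q log format is not on
this page, so the line layout, the sid= field, the rejected status set and the
sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: timestamp, client IP, method, path, presented cookie,
# HTTP status. 192.0.2.10 cycles through adjacent ids that are rejected until
# one is accepted; 192.0.2.20 is an ordinary administrator session.
SAMPLE_LOG = """\
2020-02-05T10:00:00.010 192.0.2.10 GET /admin/status.cgi sid=3f0a1c2d0 status=403
2020-02-05T10:00:00.250 192.0.2.10 GET /admin/status.cgi sid=3f0a1c2cf status=403
2020-02-05T10:00:00.470 192.0.2.10 GET /admin/status.cgi sid=3f0a1c2ce status=403
2020-02-05T10:00:00.690 192.0.2.10 GET /admin/status.cgi sid=3f0a1c2cd status=403
2020-02-05T10:00:00.910 192.0.2.10 GET /admin/status.cgi sid=3f0a1c2cc status=403
2020-02-05T10:00:01.130 192.0.2.10 GET /admin/status.cgi sid=3f0a1c2cb status=200
2020-02-05T10:00:05.000 192.0.2.20 GET /admin/status.cgi sid=9b1e7a44c status=200
2020-02-05T10:00:09.000 192.0.2.20 GET /admin/wifi.cgi sid=9b1e7a44c status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"sid=(?P<sid>\S+) status=(?P<status>\d+)$"
)
REJECTED = {401, 403}  # assumed: how the server answers an unknown cookie

Event = Tuple[datetime, str, str, int]  # (timestamp, client, sid, status)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format; lines that do not match are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
        events.append((ts, m["client"], m["sid"], int(m["status"])))
    return sorted(events)


def detect_session_guessing(text: str, window_seconds: float = 60.0,
                            threshold: int = 5) -> Dict[str, int]:
    """Return {client: max distinct rejected cookies inside one window} for
    every client that reaches the threshold. A legitimate admin presents at
    most a cookie or two; an enumeration presents a fresh one per request."""
    rejects: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, client, sid, status in parse_log(text):
        if status in REJECTED:
            rejects[client].append((ts, sid))
    flagged: Dict[str, int] = {}
    for client, items in rejects.items():
        best = 0
        for i, (start, _) in enumerate(items):  # items are time-ordered
            in_window = {sid for ts, sid in items[i:]
                         if (ts - start).total_seconds() <= window_seconds}
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[client] = best
    return flagged


def accepted_after_guessing(text: str, window_seconds: float = 60.0,
                            threshold: int = 5) -> Dict[str, List[str]]:
    """For each flagged client, the cookies it was accepted with after its
    first rejection: the sessions to revoke and the logins to investigate."""
    flagged = detect_session_guessing(text, window_seconds, threshold)
    first_reject: Dict[str, datetime] = {}
    accepted: Dict[str, List[str]] = {c: [] for c in flagged}
    for ts, client, sid, status in parse_log(text):
        if client not in flagged:
            continue
        if status in REJECTED:
            first_reject.setdefault(client, ts)
        elif client in first_reject and sid not in accepted[client]:
            accepted[client].append(sid)
    return accepted


if __name__ == "__main__":
    print("guessing clients:", detect_session_guessing(SAMPLE_LOG))
    print("sessions to revoke:", accepted_after_guessing(SAMPLE_LOG))
```

The threshold and window are the tuning knobs: an administrator who mistypes a password produces repeated failures with the same cookie or none, so counting distinct cookies rather than raw failures keeps the false-positive rate low. A client that is flagged and then accepted is the case worth acting on, since the accepted cookie is the session that should be revoked and the subsequent configuration changes (new SSIDs in particular) reviewed.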