CVE-2019-20047 in OmniVista 4760
Summary
by MITRE
An issue was discovered on Alcatel-Lucent OmniVista 4760 devices, and 8770 devices before 4.1.2. An incorrect web server configuration allows a remote unauthenticated attacker to retrieve the content of its own session files. Every session file contains the administrative LDAP credentials encoded in a reversible format. Sessions are stored in /sessions/sess_<sessionid>.
Analysis
by VulDB Data Team • 03/18/2024
This vulnerability exists within the web server configuration of Alcatel-Lucent OmniVista 4760 and 8770 network management devices running firmware versions prior to 4.1.2. The flaw stems from improper session file handling that exposes sensitive administrative credentials to remote attackers without authentication requirements. The vulnerability specifically affects the session management component where user sessions are stored in the /sessions/ directory with filenames following the pattern sess_<sessionid>. This misconfiguration creates an information disclosure weakness that allows unauthorized access to session data containing administrative LDAP credentials.
Technically, the vulnerability is the web server's failure to protect the session files it stores on the filesystem. Those files hold the administrative credentials encoded in a reversible format rather than hashed or encrypted, so any remote party who can read a session file can directly recover the LDAP administrative username and password. Because the /sessions/ directory is reachable through the web server interface, the files can be retrieved without any authentication. This is a basic access-control failure: data that should never be served by the web server is exposed to every client.
The operational impact of this vulnerability is severe as it provides remote attackers with direct administrative access to the network management system. Once attackers obtain the LDAP credentials, they can gain full administrative control over the OmniVista devices, potentially allowing them to modify network configurations, view sensitive network data, or establish persistence within the network infrastructure. The vulnerability affects the core management capabilities of these devices, which are typically used for network monitoring and control, making the compromise of administrative credentials particularly dangerous for network security. This issue creates a persistent backdoor that can be exploited by attackers to maintain long-term access to the network management infrastructure.
The vulnerability aligns with CWE-200, Information Disclosure, and CWE-269, Improper Privilege Management, as it allows unauthorized access to administrative credentials through improper session file handling. From an ATT&CK perspective, this vulnerability maps to T1078, Valid Accounts, and T1566, Phishing, as it enables attackers to obtain legitimate administrative credentials that can be used for further network infiltration. Organizations should immediately apply the firmware update to version 4.1.2 or later to address this vulnerability. Additionally, network segmentation should be implemented to limit access to these management interfaces, and regular monitoring should be conducted to detect unauthorized access attempts. The configuration should be reviewed to ensure that session files are not accessible through the web server and that proper access controls are implemented to prevent information disclosure of administrative credentials.
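The analysis above recommends monitoring for unauthorized access and confirming that session files are no longer served. As an added example (not part of the advisory and not vendor code), the following Python script scans web server access logs in combined log format for requests to the /sessions/ directory or to sess_<sessionid> files named in the advisory, and separates attempts that were blocked from those that actually returned content. The log lines, the IP addresses and the session IDs are constructed for the example; the log format regex assumes the standard Apache/nginx combined format.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines in combined format. They are invented for
# this example and are not taken from the advisory or from any real device.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Mar/2024:10:01:02 +0000] "GET /sessions/ HTTP/1.1" 200 1532 "-" "curl/7.68.0"
198.51.100.7 - - [18/Mar/2024:10:01:05 +0000] "GET /sessions/sess_3f9a1c2b HTTP/1.1" 200 812 "-" "curl/7.68.0"
203.0.113.5 - admin [18/Mar/2024:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Mar/2024:10:03:44 +0000] "GET /sessions/sess_9d0e7b HTTP/1.1" 403 0 "-" "curl/7.68.0"
"""

# Combined log format (assumed): client ip, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The directory and file naming pattern come from the advisory
# (/sessions/sess_<sessionid>); a bare /sessions/ request is flagged too,
# since a directory listing would reveal every session file name.
SESSION_FILE_RE = re.compile(r'^/sessions/(?:sess_[A-Za-z0-9]+)?$')


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    served: bool  # True when the server returned content (2xx), i.e. the exposure is live


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_session_access(log_text):
    """Collect every request that targeted the session directory or a session file."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Strip any query string before matching the path.
        path = rec["path"].split("?", 1)[0]
        if SESSION_FILE_RE.match(path):
            status = int(rec["status"])
            findings.append(Finding(rec["ip"], rec["path"], status, 200 <= status < 300))
    return findings


def exposed_hosts(findings):
    """Sorted list of client IPs that actually received session content.

    A non-empty result means the misconfiguration is (or was) live on this
    server and the LDAP administrative credentials should be treated as
    compromised and rotated, in addition to applying the 4.1.2 update.
    """
    return sorted({f.ip for f in findings if f.served})


if __name__ == "__main__":
    hits = find_session_access(SAMPLE_LOG)
    for f in hits:
        state = "SERVED" if f.served else "blocked"
        print(f"{f.ip} {f.path} -> {f.status} ({state})")
    print("hosts that obtained session data:", exposed_hosts(SAMPLE_LOG and hits))
```

Run it against the real access log instead of SAMPLE_LOG after upgrading; blocked (403/404) hits confirm that the web server now refuses to serve /sessions/, while any 2xx hit in historical logs is the signal to rotate the LDAP administrative password and review what that account did afterwards.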