CVE-2021-41553 in Web Centralinfo

Summary

by MITRE • 10/05/2021

** UNSUPPORTED WHEN ASSIGNED ** In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the Web Application in /archibus/login.axvw assign a session token that could be already in use by another user. It was therefore possible to access the application through a user whose credentials were not known, without any attempt by the testers to modify the application logic. It is also possible to set the value of the session token, client-side, simply by making an unauthenticated GET Request to the Home Page and adding an arbitrary value to the JSESSIONID field. The application, following the login, does not assign a new token, continuing to keep the inserted one, as the identifier of the entire session. This is fixed in all recent versions, such as version 26. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 08/04/2024

The vulnerability described in CVE-2021-41553 represents a critical session management flaw in ARCHIBUS Web Central 21.3.3.815, a web application that has been officially deprecated since 2020. This issue falls under the category of session hijacking and weak session management as classified by CWE-613 and CWE-306. The vulnerability stems from the application's failure to properly generate and validate session tokens during the authentication process, creating a scenario where session tokens can be reused across different user contexts without proper validation mechanisms. The flaw exists in the /archibus/login.axvw endpoint where the application assigns session tokens that may already be in use by other users, fundamentally undermining the principle of user isolation and session security.

The technical implementation of this vulnerability allows attackers to exploit the lack of proper session token generation by making an unauthenticated GET request to the home page and manipulating the JSESSIONID parameter. This client-side manipulation capability directly violates the fundamental security principle that session identifiers should be randomly generated and cryptographically secure. The application's failure to invalidate or replace the existing session token upon successful login creates a persistent security risk where an attacker can maintain access to another user's session simply by knowing or guessing a valid session identifier. This behavior aligns with ATT&CK technique T1563.002 which describes credentials from password reuse and T1562.001 which covers defense evasion through session management manipulation.

The operational impact of this vulnerability extends beyond simple unauthorized access to potentially enabling privilege escalation and data breaches within the ARCHIBUS environment. Since the application handles sensitive facility management data, unauthorized access to user sessions could result in comprehensive system compromise including access to building management records, user credentials, and operational data. The vulnerability's persistence is particularly concerning as it allows attackers to maintain long-term access without detection, as the application continues to use the manipulated session token throughout the entire session lifecycle. This flaw represents a classic example of how deprecated software versions can harbor critical security vulnerabilities that remain unpatched and exploitable for extended periods.

The mitigation strategy for this vulnerability requires immediate discontinuation of the unsupported ARCHIBUS Web Central 21.3.3.815 version and migration to supported releases such as version 26. Organizations should implement comprehensive patch management policies specifically targeting deprecated software components that continue to operate in production environments. The fix implemented in newer versions addresses the core session management issue by ensuring proper token generation and validation, implementing session isolation mechanisms, and enforcing secure session handling practices. Additionally, security teams should conduct thorough audits of legacy systems to identify other unsupported software components that may present similar vulnerabilities, as the extended support period for deprecated software creates persistent attack surfaces that are often overlooked in security assessments.

Reservation

09/22/2021

Disclosure

10/05/2021

Moderation

accepted

CPE

ready

EPSS

0.01203

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!