CVE Vulnerabilities

CVE-2024-22318

Session Fixation

Published: Feb 09, 2024 | Modified: Feb 16, 2024
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

IBM i Access Client Solutions (ACS) 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.4 is vulnerable to NT LAN Manager (NTLM) hash disclosure by an attacker modifying UNC capable paths within ACS configuration files to point to a hostile server. If NTLM is enabled, the Windows operating system will try to authenticate using the current users session. The hostile server could capture the NTLM hash information to obtain the users credentials. IBM X-Force ID: 279091.

Weakness

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Affected Software

Name Vendor Start Version End Version
I_access_client_solutions Ibm 1.1.2 1.1.4
I_access_client_solutions Ibm 1.1.4.3 1.1.9.4

Extended Description

Such a scenario is commonly observed when:

Potential Mitigations

References