Researchers uncover critical security vulnerability in ISPsystem
- The vulnerability in ISPsystem’s products could have allowed attackers to hijack web sessions of users, compromise their sites, virtual machines and steal their data.
- The products affected by this flaw are ISPmanager, BILLmanager, DCImanager, VMmanager, DNSmanager, IPmanager and COREmanager.
ISPsystem, a software for managing websites and servers, was found to have a serious security vulnerability. CheckPoint’s Aliaksandr Chailytko and Alexey Bukheyev discovered this hole in the software. The flaw could have allowed attackers to take over users’ websites, servers, billing data, and so on.
What led to the vulnerability?
- After authenticating a user, session cookies in ISPsystem had a HEX encoded string of 6 bytes. The researchers indicate that attackers only had to pick a correct 6-byte value to hijack another user’s valid session.
- This could be done with a session cookie generator algorithm that would determine what is known as ‘seed value’. This can help attackers to tag sessions of users who login subsequently.
- The researchers also chart out a possible attack scenario, as well as demonstrate a proof-of-concept to exploit the vulnerability.
All in a matter of minutes
In the attack scenario, Chailytko and Bukheyev emphasize how attackers could exploit the unnamed vulnerability conveniently. “...seed lookup by the 6-bytes sequence takes at most about 20 minutes on a 16-core CPU, and this operation can easily be scaled to achieve any required speed. You can also pre-generate all 232 sequences and store them in a database. It requires about 1.5 TB of space to store all the generated data. After acquiring the seed and the sequence of bytes, all 6-byte sub-sequences should be applied as the possible session cookie,” they told.
However, the vulnerability has been fixed by ISPsystem in the version 5.178.2.