Vulnerabilities > CVE-2016-8712 - Insufficient Session Expiration vulnerability in Moxa Awk-3131A Firmware 1.1

047910
CVSS 8.1 - HIGH
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, high complexity, moxa
CWE-613

Summary

An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds.

Vulnerable Configurations

Part       Description   Count
OS         Moxa          1
Hardware   Moxa          1

Common Weakness Enumeration (CWE)

CWE-613 - Insufficient Session Expiration

Seebug

bulletinFamily: exploit
description:

### Summary

An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds.

### Tested Versions

Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1

### Product URLs

http://www.moxa.com/product/AWK-3131A.htm

### CVSSv3 Score

5.9 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

### Details

An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds. The value of a session's token is the result of MD5(password+webNonce). With a fixed nonce, attacks against the session token to determine valid credentials are greatly simplified, as the attacker now only needs to crack MD5(password).

The nonce reuse is also the basis for the way sessions are implemented: because the nonce keeps getting reused as long as the web application hasn't been idle, the session remains valid. This introduces another problem: when logging out, the cookie containing the session token is cleared, but the session does not become invalid until the timeout has occurred. This allows attackers who have been able to gain access to a session token to use it to log in even if the user has explicitly logged out. They can also keep this session token valid permanently by ensuring that the web application never goes idle, which prevents the nonce from changing.

### Exploit Proof-of-Concept

The script below fetches a nonce once every 250 seconds, just under the 300-second time-out period. This prevents the nonce from changing.

```
#!/usr/bin/python
# Python 2 script: requesting the nonce every 250 seconds keeps the web
# application from going idle, so the 300-second nonce rotation never fires.
import urllib2
import time

while True:
    nonce = urllib2.urlopen("http://<Device IP>/webNonce?time=").read()
    time.sleep(250)
```

### Mitigation

To significantly mitigate the risk of exploitation, disable the web application before the device is deployed.

### Timeline

* 2016-11-14 - Vendor Disclosure
* 2017-04-10 - Public Release

### CREDIT

* Discovered by Patrick DeSantis of Cisco Talos.
id: SSV:96535
last seen: 2017-11-19
modified: 2017-09-19
published: 2017-09-19
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-96535
title: Moxa AWK-3131A Web Application Nonce Reuse Vulnerability (CVE-2016-8712)
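To make the session-handling weakness in the advisory above concrete, here is an added example (not code from Talos, Seebug or the vendor) that models the flawed scheme, token = MD5(password + webNonce) with a single nonce rotated only after 300 seconds of idle time, beside a server-side session table that really does invalidate on logout and expire per session. The class names, the explicit `now` clock parameter and the password value are constructed for illustration.

```python
import hashlib
import hmac
import secrets

IDLE_TIMEOUT = 300  # seconds; the device rotates its web nonce only after this much idle time

class SharedNonceSessions:
    """Flawed scheme from the advisory: one shared nonce, token = MD5(password + nonce)."""
    def __init__(self, password, now):
        self._password = password  # constructed stand-in for the device's credential store
        self._nonce = secrets.token_hex(8)
        self._last_activity = now
    def _touch(self, now):
        # Any request, even an unauthenticated nonce fetch, resets the idle clock.
        if now - self._last_activity > IDLE_TIMEOUT:
            self._nonce = secrets.token_hex(8)
        self._last_activity = now
    def _token(self):
        return hashlib.md5((self._password + self._nonce).encode()).hexdigest()
    def login(self, password, now):
        self._touch(now)
        return self._token() if password == self._password else None
    def is_valid(self, token, now):
        self._touch(now)
        return hmac.compare_digest(token, self._token())
    def logout(self, token, now):
        self._touch(now)  # only the browser cookie is cleared; server state is untouched

class ServerSideSessions:
    """Hardened design: random per-login id in a server-side table, logout deletes it."""
    def __init__(self, password):
        self._password = password
        self._sessions = {}  # token -> timestamp of last activity
    def login(self, password, now):
        if password != self._password:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = now
        return token
    def is_valid(self, token, now):
        last = self._sessions.get(token)
        if last is None or now - last > IDLE_TIMEOUT:
            self._sessions.pop(token, None)  # expired entries are dropped, not refreshed
            return False
        self._sessions[token] = now
        return True
    def logout(self, token, now):
        self._sessions.pop(token, None)
```

In the flawed model a token stays valid after `logout`, two logins inside the idle window yield the identical token, and a request every 250 seconds keeps it alive indefinitely; in the hardened model the same token is rejected immediately after logout.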

Talos

id: TALOS-2016-0225
last seen: 2019-05-29
published: 2017-04-10
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0225
title: Moxa AWK-3131A Web Application Nonce Reuse Vulnerability