Vulnerabilities > CVE-2016-8712 - Insufficient Session Expiration vulnerability in Moxa Awk-3131A Firmware 1.1
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 | |
| Hardware | 1 |
Common Weakness Enumeration (CWE)
Seebug
| bulletinFamily | exploit |
| description | ### Summary An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds. ### Tested Versions Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1 ### Product URLs http://www.moxa.com/product/AWK-3131A.htm ### CVSSv3 Score 5.9 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N ### Details An exploitable Nonce Resume vulnerability exists in the Web Application functionality of Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds. The value of a sessions token is the result of MD5(password+webNonce). With a fixed nonce, attacks against the session token to determine valid credentials are greatly simplified as the attacker now only needs to crack MD5(password). The nonce reuse is also the basis for the way sessions are implemented: because the nonce keeps getting reused as long as the web application hasn't been idle, the session remains valid. This introduces another problem: when logging out, the cookie containing the session token is cleared, but the session does not become invalid until the timeout has occured. This allows attackers who have been able to gain access to a session token to use it to log in even if the user has explicitly logged out. They can also keep this session token valid permanentely by ensuring that the web application never goes idle, which prevents the nonce from changing. ### Exploit Proof-of-Concept The below script will grab a nonce once every 250 seconds, just under the 300 second time-out period. This will prevent the nonce from changing. ``` #!/usr/bin/python import urllib2 import time while True: nonce = urllib2.urlopen("http://<Device IP>/webNonce?time=").read() time.sleep(250) ``` ### Mitigation To significantly mitigate risk of exploitation, disable the web application before the device is deployed. ### Timeline * 2016-11-14 - Vendor Disclosure * 2017-04-10 - Public Release ### CREDIT * Discovered by Patrick DeSantis of Cisco Talos. |
| id | SSV:96535 |
| last seen | 2017-11-19 |
| modified | 2017-09-19 |
| published | 2017-09-19 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-96535 |
| title | Moxa AWK-3131A Web Application Nonce Reuse Vulnerability(CVE-2016-8712) |
Talos
| id | TALOS-2016-0225 |
| last seen | 2019-05-29 |
| published | 2017-04-10 |
| reporter | Talos Intelligence |
| source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0225 |
| title | Moxa AWK-3131A Web Application Nonce Reuse Vulnerability |