Reprise License Manager version 14.2 suffers from an unauthenticated session hijacking vulnerability via brute forcing. The vendor has contacted Packet Storm to note that in v15.1 they fixed this issue by updating the session cookie size to 40 bytes, from the previous 4 bytes on Windows and 8 bytes on Linux.
908696ef80c1b6e9be550123ff1923741a359a0f31aaf0e10ba48e8fb8ab37a2
# Product: Reprise License Manager 14.2
# Vendor: Reprise Software
# CVE ID: CVE-2021-44151
# Vulnerability Title: Unauthenticated Session Hijacking
# Severity: Medium/High
# Author(s): Mark Staal Steenberg, Bilal El Ghoul, Gionathan Armando Reale, Andreas Fyhn Andersen, Oliver Lind Nordestgaard
# Date: 2021-11-25
#############################################################
Introduction:
As the session cookies are short and simple, an attacker can hijack any existing sessions by bruteforcing the 4 hex-character session cookie on the Windows version (the Linux version appears to have 8 characters). An attacker can obtain the static part of the cookie (cookie name) by first making a request to any page on the application (e.g.,/goforms/menu) and saving the name of the cookie sent with the response.
The attacker can then use the name of the cookie and try to request that same page, setting a random value for the cookie. If any user has an active session, the page should return with the authorized content, when a valid cookie value is hit.
Vulnerability:
Due to the session cookies being rather simple and predictable, a single session, can be brute forced in less than 3 minutes, on a laptop, and can therefore be considered very insecure.
Recommendation:
It is recommended to follow industry standards and use secure randomized complex session cookies which expire when not in use or the user de-authenticates.