|
| 1 | +--- |
| 2 | +layout: advisory |
| 3 | +title: 'CVE-2024-56733 (pwpush): Password Pusher Allows Session Token Interception |
| 4 | + Leading to Potential Hijacking' |
| 5 | +comments: false |
| 6 | +categories: |
| 7 | +- pwpush |
| 8 | +advisory: |
| 9 | + gem: pwpush |
| 10 | + cve: 2024-56733 |
| 11 | + ghsa: 4fwj-m62q-pp47 |
| 12 | + url: https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-4fwj-m62q-pp47 |
| 13 | + title: Password Pusher Allows Session Token Interception Leading to Potential Hijacking |
| 14 | + date: 2024-12-30 |
| 15 | + description: | |
| 16 | + ### Impact |
| 17 | +
|
| 18 | + A vulnerability has been reported in Password Pusher where an |
| 19 | + attacker can copy the session cookie before a user logs out, |
| 20 | + potentially allowing session hijacking. |
| 21 | +
|
| 22 | + Although the session token is replaced and invalidated upon logout, |
| 23 | + if an attacker manages to capture the session cookie before this |
| 24 | + process, they can use the token to gain unauthorized access to the |
| 25 | + user's session until the token expires or is manually cleared. |
| 26 | +
|
| 27 | + This vulnerability hinges on the attacker's ability to access the |
| 28 | + session cookie during an active session, either through a |
| 29 | + man-in-the-middle attack, by exploiting another vulnerability like |
| 30 | + XSS, or via direct access to the victim's device. |
| 31 | +
|
| 32 | + ### Patches |
| 33 | +
|
| 34 | + Although there is no direct resolution to this vulnerability, it is |
| 35 | + recommended to always use the latest version of Password Pusher to |
| 36 | + best mitigate risk. |
| 37 | +
|
| 38 | + ### Workarounds |
| 39 | +
|
| 40 | + If self-hosting, ensure Password Pusher is hosted exclusively over |
| 41 | + SSL connections to encrypt traffic and prevent session cookies from |
| 42 | + being intercepted in transit. Additionally, implement best practices |
| 43 | + in local security to safeguard user systems, browsers, and data |
| 44 | + against unauthorized access. |
| 45 | +
|
| 46 | + To further mitigate session hijacking risks, Password Pusher |
| 47 | + implements the following security measures: |
| 48 | +
|
| 49 | + 1. **Automatic Session Expiration**: Sessions are automatically |
| 50 | + expired after 2 hours of inactivity, reducing the window for |
| 51 | + potential exploitation. |
| 52 | +
|
| 53 | + 2. **Session Reset on Login and Logout**: Sessions are fully reset |
| 54 | + both when a user logs in and logs out, ensuring that session |
| 55 | + tokens are not reusable post-logout. This practice invalidates |
| 56 | + old session tokens and issues new ones, minimizing the risk of |
| 57 | + session hijacking. |
| 58 | +
|
| 59 | + 3. **Encrypted Cookies**: Cookies are encrypted using the value of |
| 60 | + SECRET_KEY_BASE from the application's configuration. This |
| 61 | + encryption adds a layer of protection against tampering or reading |
| 62 | + the session cookie's contents if intercepted, although it doesn't |
| 63 | + prevent the cookie from being used if stolen. |
| 64 | +
|
| 65 | + **Note**: While these measures significantly enhance security, they |
| 66 | + are part of a broader security strategy. |
| 67 | +
|
| 68 | + ### References |
| 69 | +
|
| 70 | + * https://edgeguides.rubyonrails.org/security.html#session-hijacking |
| 71 | +
|
| 72 | + ### Credits |
| 73 | +
|
| 74 | + Thank you to [Positive Technologies](https://www.ptsecurity.com/ww-en/) |
| 75 | + for reporting and working with me to bring this CVE to the community. |
| 76 | + cvss_v3: 5.7 |
| 77 | + related: |
| 78 | + url: |
| 79 | + - https://nvd.nist.gov/vuln/detail/CVE-2024-56733 |
| 80 | + - https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-4fwj-m62q-pp47 |
| 81 | + - https://github.com/advisories/GHSA-4fwj-m62q-pp47 |
| 82 | +--- |
0 commit comments