CVE-2024-47945
Predictable Session ID
In short
The devices generate predictable session IDs that attackers can guess, allowing them to take over user sessions without knowing the password. With only 32,768 possible IDs per user, an attacker can try them all and gain unauthorized access.
Technical detail
The session ID generation uses an unseeded rand() function that relies solely on process IDs for entropy, resulting in only 32,768 possible values per user. An attacker can pre-compute valid session IDs and perform session hijacking to access authenticated user sessions without credentials.
Summary generated and translated by AI from the official description.
The devices are vulnerable to session hijacking due to insufficient
entropy in their session ID generation algorithm. The session IDs are
predictable, with only 32,768 possible values per user, which allows
attackers to pre-generate valid session IDs, leading to unauthorized
access to user sessions. This is not only due to the use of an
(insecure) rand() function call but also because of missing
initialization via srand(). As a result, only the PIDs are effectively
used as seed.
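The weakness described above, as an added C illustration that is not the vendor's code and not part of the official advisory: a constructed PID-only ID derivation next to a generator that draws 128 bits from the kernel CSPRNG via getrandom(). The function names and the XOR mixing step are assumptions made for the sketch; only the unseeded rand(), the PID dependence and the 32,768 figure come from the description.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/random.h>
#define PID_SPACE 32768u  /* the advisory's figure; also Linux's default pid_max */

/* Weak pattern: without srand(), rand() yields the same sequence in every process. */
static uint32_t weak_session_id(uint32_t pid)
{
    srand(1);                       /* same state as a never-seeded rand() */
    return (uint32_t)rand() ^ pid;  /* XOR mixing is assumed for this sketch */
}

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Number of distinct IDs the weak scheme can ever issue (at most 2^15). */
static unsigned weak_id_space(void)
{
    static uint32_t ids[PID_SPACE];
    unsigned distinct = 1;
    for (uint32_t pid = 0; pid < PID_SPACE; pid++)
        ids[pid] = weak_session_id(pid);
    qsort(ids, PID_SPACE, sizeof ids[0], cmp_u32);
    for (unsigned i = 1; i < PID_SPACE; i++)
        distinct += ids[i] != ids[i - 1];
    return distinct;
}

/* Hardened: 128 bits from the kernel CSPRNG, hex-encoded; 0 on success, -1 on failure. */
static int secure_session_id(char out[33])
{
    unsigned char raw[16];
    if (getrandom(raw, sizeof raw, 0) != (ssize_t)sizeof raw)
        return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

int main(void)
{
    char sid[33];
    if (secure_session_id(sid) != 0) return 1;
    printf("weak ID space: %u values\nCSPRNG ID: %s\n", weak_id_space(), sid);
    return 0;
}
```

Calling srand() with the time or the PID would not repair the weak variant, since both are guessable; the fix is to take the whole ID from the operating system's CSPRNG.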
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
RITTAL GmbH & Co. KG · IoT Interface & CMC III Processing Unit