CVE-2018-11741
Published 2018-12-26
CVE-2018-11741: NEC Univerge Sv9100 WebPro 6.00.00 devices have Predictable Session IDs that result in Account Information Disclosure via Home.htm?sessionId=#####&GOTO(8) URIs.
Priority: P2 · 63 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 17.89% (96.8th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nec | univerge_sv9100_webpro_firmware | — | — |
Detection & IOCs (extracted from sources)
- Detect sequential/brute-force HTTP GET requests to /Home.htm with incrementing sessionId query parameters and the GOTO(8) directive, indicative of session enumeration against NEC Univerge Sv9100 WebPro.
- Alert on HTTP requests containing the URI pattern '/Home.htm?sessionId=' combined with '&GOTO(8)': this specific parameter combination is the exploit trigger for dumping all user accounts and cleartext passwords.
- Identify NEC Univerge WebPro servers exposed to the internet by hunting for the 'Server: Henry' HTTP response header (Shodan query: 'Server Henry'), which returned 7,797 public-facing results as of Dec 1, 2018.
- The exploit probes for the string 'WebPro' in the HTTP response body to fingerprint the vulnerable application before launching session enumeration; monitor for repeated requests to '/' followed by rapid sequential sessionId enumeration on port 80.
- Session IDs are enumerated in the numeric range 1000–15000; a high volume of GET requests to /Home.htm with sequentially incrementing sessionId values in this range from a single source IP is a strong indicator of exploitation.
- The vulnerable session ID space is numeric and small (observed range 1000–15000), so brute-force enumeration is trivially fast over an unauthenticated HTTP connection on port 80. No authentication or rate limiting is enforced by the device.
- Passwords are stored and transmitted in cleartext within the Web UI (companion issue CVE-2018-11742), so a successful session hijack via CVE-2018-11741 immediately yields plaintext credentials with no further decryption required.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
No detection rules found.
No writeups or analysis indexed.
References
- http://hyp3rlinx.altervista.org/advisories/NEC-UNIVERGE-WEBPRO-v6.00-PREDICTABLE-SESSIONID-CLEARTEXT-PASSWORDS.txt
- http://packetstormsecurity.com/files/150610/NEC-Univerge-Sv9100-WebPro-6.00.00-Predictable-Session-ID-Cleartext-Passwords.html
- http://seclists.org/fulldisclosure/2018/Dec/1
- https://www.exploit-db.com/exploits/45942/