CVE-2018-12520
published 2018-07-05
Priority: P3 58 · high · 8.1 (CVSS 3.1) · AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 10.67% (95.2th percentile)
An issue was discovered in ntopng 3.4 before 3.4.180617. The PRNG involved in the generation of session IDs is not seeded at program startup. This results in deterministic session IDs being allocated for active user sessions. An attacker with foreknowledge of the operating system and standard library in use by the host running the service and the username of the user whose session they're targeting can abuse the deterministic random number generation in order to hijack the user's session, thus escalating their access.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ntop | ntopng | >= 0 < 2.2+dfsg1-1ubuntu0.1~esm2 | 2.2+dfsg1-1ubuntu0.1~esm2 |
| ntop | ntopng | >= 0 < 3.2+dfsg1-1ubuntu0.1~esm2 | 3.2+dfsg1-1ubuntu0.1~esm2 |
| ntop | ntopng | >= 3.4 < 3.4.180617 | 3.4.180617 |
CVSS provenance
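| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 8.1 | HIGH | |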
GHSA
GHSA-mx87-47cg-9wpg: An issue was discovered in ntopng 3
ghsa_unreviewed·2022-05-13
CVE-2018-12520 [HIGH] CWE-335 GHSA-mx87-47cg-9wpg: An issue was discovered in ntopng 3
OSV
CVE-2018-12520: An issue was discovered in ntopng 3
osv·2018-07-05·CVSS 8.1
CVE-2018-12520 [HIGH] CVE-2018-12520: An issue was discovered in ntopng 3
Ubuntu
ntopng vulnerability
vendor_ubuntu·2021-03-15
CVE-2018-12520 ntopng vulnerability
Title: ntopng vulnerability
Summary: ntopng could be made to allow unintended access
It was discovered that ntopng did not properly seed its random number
generator, leading to predictable session tokens. An attacker could use
this vulnerability to hijack a user's session.
Instructions: In general, a standard system update will make all the necessary changes.
Suricata
ET SCAN ntop-ng Authentication Bypass via Session ID Guessing
suricata·2018-07-03
CVE-2018-12520 ET SCAN ntop-ng Authentication Bypass via Session ID Guessing
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ntop-ng Authentication Bypass via Session ID Guessing"; flow:established,to_server; threshold: type threshold, track by_dst, count 255, seconds 10; http.uri; content:"/lua/network_load.lua"; fast_pattern; http.cookie; content:"session="; content:"user="; reference:cve,2018-12520; reference:url,exploit-db.com/exploits/44973/; classtype:attempted-recon; sid:2025780; rev:5; metadata:created_at 2018_07_03, cve CVE_2018_12520, deployment Perimeter, deployment Internal, deployment Datacenter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_te
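The rule's matching and rate logic can be replayed over web or proxy logs where Suricata is not deployed. The following is an added example, not part of the Emerging Threats ruleset or of ntopng; the record fields (`ts`, `dst`, `uri`, `cookie`), the addresses and the sample traffic are constructed, and the windowing is an approximation of Suricata's `type threshold` behaviour.

```python
from collections import defaultdict

URI = "/lua/network_load.lua"   # http.uri content from the rule
COUNT, SECONDS = 255, 10        # threshold values from the rule

def matches(req):
    """Content checks from the rule: URI plus both cookie names."""
    cookie = req.get("cookie", "")
    return URI in req["uri"] and "session=" in cookie and "user=" in cookie

def detect(requests):
    """Return (timestamp, dst) alerts; requests must be sorted by time.

    Approximates 'type threshold, track by_dst': one alert each time COUNT
    matching requests hit the same destination within SECONDS.
    """
    state = defaultdict(lambda: [0.0, 0])  # dst -> [window start, count]
    alerts = []
    for req in requests:
        if not matches(req):
            continue
        win = state[req["dst"]]
        if win[1] == 0 or req["ts"] - win[0] > SECONDS:
            win[0], win[1] = req["ts"], 0  # start a new window
        win[1] += 1
        if win[1] >= COUNT:
            alerts.append((req["ts"], req["dst"]))
            win[1] = 0  # counter resets after each alert
    return alerts

def sample_traffic():
    """Constructed records: a slow client, a rapid burst, an unrelated page."""
    normal = [{"ts": i * 5.0, "dst": "10.0.0.5", "uri": URI,
               "cookie": "session=aaaa; user=admin"} for i in range(20)]
    burst = [{"ts": 200 + i * 0.01, "dst": "10.0.0.9", "uri": URI,
              "cookie": f"session={i:032x}; user=admin"} for i in range(300)]
    other = [{"ts": 201.0, "dst": "10.0.0.9", "uri": "/lua/index.lua",
              "cookie": "session=bbbb; user=admin"}]
    return sorted(normal + burst + other, key=lambda r: r["ts"])

if __name__ == "__main__":
    for ts, dst in detect(sample_traffic()):
        print(f"{ts:.2f} possible session ID guessing against {dst}")
```

Because the rule tracks `by_dst`, many legitimate users polling the same ntopng host can add up to the threshold, so alerts are best triaged by how many distinct `session=` values a single source sent.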
No writeups or analysis indexed.
http://seclists.org/fulldisclosure/2018/Jul/14
https://gist.github.com/Psychotropos/3e8c047cada9b1fb716e6a014a428b7f
https://github.com/ntop/ntopng/commit/30610bda60cbfc058f90a1c0a17d0e8f4516221a
https://www.exploit-db.com/exploits/44973/