VYPR
Low severity (CVSS 3.7) · NVD Advisory · Published Nov 24, 2016 · Updated May 6, 2026

CVE-2016-0353

Description

In IBM Security Privileged Identity Manager Virtual Appliance, the session cookie lacks the secure flag, allowing capture over HTTP.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

IBM Security Privileged Identity Manager (ISPIM) 2.0 before version 2.0.2 FP8, when deployed as a Virtual Appliance, does not set the Secure flag on the session cookie it issues over an HTTPS session [1]. Without that flag, the browser will also attach the cookie to unencrypted HTTP requests to the same host, so the cookie is not confined to the TLS channel. The affected product is IBM Security Privileged Identity Manager Virtual Appliance versions up to and including 2.0.2 FP7.

Exploitation

An attacker who can intercept network traffic between the user's browser and the ISPIM Virtual Appliance can capture the session cookie if the cookie is ever transmitted over an HTTP session [1]. This requires the attacker to be positioned on the network path (e.g., on a shared network or via a Man-in-the-Middle attack) and to have the ability to monitor HTTP traffic. No authentication is required to perform the interception. The attack does not require any special user interaction beyond the user accessing the application.

Impact

Successful exploitation allows the attacker to obtain the unsecured session cookie, which can then be used to impersonate the victim's authenticated session [1]. This could lead to unauthorized access to the victim's account and the privileged identity management environment, potentially exposing sensitive information or allowing further actions within the scope of the compromised session. The CVSS v3 base score is 3.7 (Low), indicating limited confidentiality impact due to the need for network access and specific conditions.

Mitigation

IBM addressed this vulnerability in IBM Security Privileged Identity Manager version 2.0.2 FP8 [1]. Users should upgrade to version 2.0.2 FP8 or later to ensure the session cookie is marked with the Secure flag. There is no known workaround for earlier versions. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
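The weakness described in the Vulnerability and Mitigation sections comes down to one attribute on one response header. The following checker is an added example, not code from IBM or from this advisory: it parses Set-Cookie header values (RFC 6265 syntax), reports which cookies a browser would send over plain HTTP because Secure is absent, and shows the corrected header with the flag appended. The header values are constructed sample data, not captured from ISPIM.

```python
"""Audit Set-Cookie headers for a missing Secure flag (the CVE-2016-0353 class of weakness).

Added example for this advisory page; not part of IBM's product or the NVD record.
"""
from typing import Dict, List

# Cookie attribute names are case-insensitive per RFC 6265, so we compare lowercased keys.
_REQUIRED_FLAGS = (("Secure", "secure"), ("HttpOnly", "httponly"))

# Constructed sample response headers: one session cookie without Secure (the weak case),
# one fully hardened cookie, and one non-session cookie missing both flags.
SAMPLE_HEADERS = [
    "JSESSIONID=0000abc123; Path=/; HttpOnly",
    "csrf=tok42; Path=/; Secure; HttpOnly; SameSite=Strict",
    "lang=en; Path=/",
]


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a dict of lowercased attributes.

    Flag attributes such as Secure map to True; valued attributes keep their value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(headers: List[str]) -> List[dict]:
    """Return one finding per cookie that lacks Secure or HttpOnly.

    'sent_over_plain_http' is True when the browser would attach the cookie to an
    http:// request to the same host, which is exactly the exposure in this CVE.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [label for label, key in _REQUIRED_FLAGS if key not in cookie["attrs"]]
        if missing:
            findings.append({
                "name": cookie["name"],
                "missing": missing,
                "sent_over_plain_http": "secure" not in cookie["attrs"],
            })
    return findings


def add_secure_flag(header_value: str) -> str:
    """Return the header with '; Secure' appended if the flag is absent (the fix the vendor shipped in FP8,
    expressed here generically; not IBM's code)."""
    if "secure" in parse_set_cookie(header_value)["attrs"]:
        return header_value
    return header_value.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        print(finding)
    print([add_secure_flag(h) for h in SAMPLE_HEADERS])
```

Run against a real deployment, the input list would be the Set-Cookie values captured from an HTTPS response; a non-empty result with `sent_over_plain_http` set for the session cookie is the condition this advisory describes, and an empty result after upgrading confirms the fix.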

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (4)

  • cpe:2.3:a:ibm:security_privileged_identity_manager:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:security_privileged_identity_manager:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:security_privileged_identity_manager:2.0.2:*:*:*:*:*:*:*
  • (no CPE) version range: < 2.0.2 FP8

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.