CVE-2018-1626
Description
IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force ID: 144411.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 fails to renew a session variable after authentication, enabling session fixation/hijacking.
Vulnerability
IBM Security Privileged Identity Manager Virtual Appliance version 2.2.1 does not renew a session variable after a successful authentication. This flaw allows an attacker to fixate a session identifier known to them, potentially leading to session hijacking [1]. The vulnerability is tracked in IBM X-Force ID 144411 and the official description confirms the session variable issue.
Exploitation
An attacker can force a user to utilize a pre-set cookie that is known to the attacker. The attacker would need to somehow deliver this cookie to the victim (e.g., via a crafted link or by intercepting an unencrypted session). Once the victim authenticates using that fixed session, the attacker can hijack the authenticated session by using the same cookie [1]. No special network position other than being able to influence the user's session token is required.
Impact
Successful exploitation allows the attacker to hijack an authenticated user session, gaining unauthorized access to the Privileged Identity Manager Appliance with the victim's privileges. This can lead to disclosure of sensitive information, unauthorized configuration changes, or further compromise depending on the victim's role [1].
Mitigation
IBM has released a fix as part of the Security Bulletin referenced in the advisory. Users should upgrade to a version that includes the fix, as specified in IBM's documentation at the provided URL [1]. If upgrading is not immediately possible, administrators should enforce HTTPS, ensure session management renews the session identifier after a successful authentication (the control this CVE describes as missing), and educate users about session fixation risks. No KEV listing for this CVE is noted.
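To make the mitigation concrete, the following added example (illustrative code, not IBM's appliance code) contrasts a login handler that keeps the pre-authentication session identifier after a successful login with one that discards it and issues a fresh identifier. The in-memory session store, the user name and the password are constructed for the demonstration; `demo()` returns a tuple a reviewer can assert on to confirm that only the hardened handler invalidates the cookie value the browser held before login.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None
    authenticated: bool = False


class SessionStore:
    """Constructed in-memory session store standing in for a real server-side store."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        # 256-bit random identifier, as a session cookie value should be.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


# Constructed credential for the demonstration only.
USERS = {"alice": "correct horse battery staple"}


def check_password(user: str, password: str) -> bool:
    # Constant-time comparison; a real deployment would verify a password hash.
    return secrets.compare_digest(USERS.get(user, ""), password)


def login_fixation_prone(store: SessionStore, sid: str, user: str, password: str) -> str:
    """Weak pattern: marks the existing session as authenticated in place.

    Whatever identifier the browser presented before login stays valid afterwards,
    so a value chosen before authentication is now an authenticated session.
    """
    sess = store.get(sid)
    if sess is None or not check_password(user, password):
        return sid
    sess.user = user
    sess.authenticated = True
    return sid


def login_hardened(store: SessionStore, sid: str, user: str, password: str) -> str:
    """Hardened pattern: on success, drop the pre-auth session and mint a new one.

    The old cookie value no longer maps to any session, so authenticating does not
    elevate an identifier that existed before the credentials were checked.
    """
    if not check_password(user, password):
        return sid
    store.destroy(sid)
    new_sid = store.create()
    sess = store.get(new_sid)
    sess.user = user
    sess.authenticated = True
    return new_sid  # caller must set this as the new session cookie


def is_authenticated(store: SessionStore, sid: str) -> bool:
    sess = store.get(sid)
    return bool(sess and sess.authenticated)


def demo() -> Tuple[bool, bool, bool]:
    """Returns (weak handler keeps pre-auth id valid,
                hardened handler keeps pre-auth id valid,
                hardened handler issued a new authenticated id)."""
    password = USERS["alice"]

    weak_store = SessionStore()
    pre_auth = weak_store.create()          # identifier held before login
    after = login_fixation_prone(weak_store, pre_auth, "alice", password)
    weak_reuse = after == pre_auth and is_authenticated(weak_store, pre_auth)

    hard_store = SessionStore()
    pre_auth2 = hard_store.create()
    after2 = login_hardened(hard_store, pre_auth2, "alice", password)
    old_still_valid = is_authenticated(hard_store, pre_auth2)
    new_valid = after2 != pre_auth2 and is_authenticated(hard_store, after2)
    return weak_reuse, old_still_valid, new_valid


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True)
```

The same check translates directly into a test against a live application: capture the session cookie value before submitting credentials, submit them, and confirm that the server set a different value and that the original value no longer returns an authenticated response.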
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 2.2.1
- Range: 2.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.ibm.com/support/docview.wss (mitre, x_refsource_CONFIRM)
- exchange.xforce.ibmcloud.com/vulnerabilities/144411 (mitre, vdb-entry, x_refsource_XF)
News mentions
No linked articles in our index yet.