CVE-2019-14480
Description
AdRem NetCrunch 10.6.0.4587 has an Improper Session Handling vulnerability in the NetCrunch web client, which can lead to an authentication bypass or escalation of privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AdRem NetCrunch 10.6.0.4587 web client stores session tokens insecurely, allowing authentication bypass or privilege escalation.
Vulnerability
The AdRem NetCrunch web client in version 10.6.0.4587 suffers from improper session handling. Session tokens are stored in the browser's local storage without the HttpOnly or Secure flags, making them accessible to client-side scripts and transmitted over unencrypted HTTP connections. This design flaw enables an attacker to steal valid session tokens [1].
Exploitation
An attacker with network access to the NetCrunch web client can exploit this vulnerability by performing a cross-site scripting (XSS) attack or by intercepting unencrypted traffic to capture session tokens. Alternatively, if the attacker can trick an authenticated user into visiting a malicious page, they can read the local storage and exfiltrate the token. No additional authentication or user interaction beyond the victim's active session is required [1].
Impact
Successful token theft allows the attacker to impersonate the victim user, gaining unauthorized access to the NetCrunch web client. This can lead to authentication bypass or privilege escalation, potentially exposing sensitive monitoring data, stored credentials, and the ability to modify monitoring configurations [1].
Mitigation
AdRem released version 11.0.0.5282 which mitigates the issue by setting the HttpOnly and Secure flags on session cookies and no longer storing tokens in local storage. Users should upgrade to this version or later. No workaround is available for the vulnerable version. Older versions are believed to be affected as well [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
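The mitigation above comes down to two cookie attributes that can be checked from response headers. The following is an added example, not code from AdRem or from the cited advisory: it audits `Set-Cookie` headers for missing `HttpOnly` and `Secure` flags. The cookie name `sessionid`, the name heuristics and the sample headers are constructed assumptions, since the page does not name the product's session cookie.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags."""

# Assumption: substrings that mark a cookie as session-like.
SESSION_HINTS = ("sess", "sid", "token", "auth")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, lowercase attribute dict)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header_value, scheme="https"):
    """Return findings for one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header_value)
    if not any(hint in name.lower() for hint in SESSION_HINTS):
        return []  # not session-like, out of scope for this check
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by page scripts)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (sent over plain HTTP)")
        if attrs.get("samesite", "").lower() == "none":
            findings.append(f"{name}: SameSite=None requires Secure")
    elif scheme != "https":
        findings.append(f"{name}: Secure cookie set over {scheme}")
    return findings


def audit_response(headers, scheme="https"):
    """headers: list of (name, value) pairs from one HTTP response."""
    findings = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            findings.extend(audit_cookie(value, scheme))
    return findings


# Constructed sample responses (hypothetical cookie name and values).
WEAK = [("Content-Type", "text/html"), ("Set-Cookie", "sessionid=abc123; Path=/")]
HARDENED = [("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(hdrs) or "ok")
```

A header audit only covers cookies; tokens kept in local storage never appear in `Set-Cookie` and have to be checked in the browser's storage inspector.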
Affected products
- AdRem/NetCrunch (description)
Patches
No patches discovered yet.
References
- compass-security.com/fileadmin/Research/Advisories/2020-14_CSNC-2019-015_AdRem_NetCrunch_Improper_Session_Handling.txt (mitre, x_refsource_MISC)
- www.adremsoft.com/support/ (mitre, x_refsource_MISC)