VYPR
Unrated severity · NVD Advisory · Published Oct 24, 2022 · Updated May 7, 2025

Session Fixation and Insufficient Session Expiration

CVE-2021-46279

Description

Session fixation and insufficient session expiration vulnerabilities allow an attacker to perform session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Session fixation and insufficient session expiration in Lanner IAC-AST2500A firmware allow remote attackers to hijack active user sessions.

Vulnerability

CVE-2021-46279 describes session fixation and insufficient session expiration vulnerabilities in the web application of Lanner Inc IAC-AST2500A BMC standard firmware version 1.10.0 [1][2]. The BMC’s web interface does not properly regenerate session identifiers upon user authentication, nor does it enforce a reasonable session timeout, making it possible for an attacker to fixate or reuse a valid session token [1].
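The two controls the description names (issuing a fresh identifier at login and enforcing idle and absolute timeouts) as a minimal server-side session store, added here as an example; it is not the BMC's code, and the class, timeout values and injected clock are assumptions made so both the weak and hardened behaviour can be exercised offline.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # assumed: seconds of inactivity before a session is dropped
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed: hard ceiling on session lifetime, regardless of activity


class SessionStore:
    """Hypothetical server-side session store (example, not the firmware's code).

    regenerate_on_login=False and enforce_expiry=False reproduce the two weaknesses
    the advisory describes; the defaults give the hardened behaviour.
    """

    def __init__(self, regenerate_on_login=True, enforce_expiry=True, clock=time.time):
        self.regenerate_on_login = regenerate_on_login
        self.enforce_expiry = enforce_expiry
        self.clock = clock        # injectable so expiry can be tested without sleeping
        self.sessions = {}        # sid -> {"user": str | None, "created": float, "last_seen": float}

    def new_session(self):
        """Issue a fresh, unpredictable identifier for an anonymous (pre-login) session."""
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def login(self, presented_sid, user):
        """Authenticate the user. Hardened mode discards the pre-auth id and binds the
        user to a newly minted one, so an id planted before login never becomes privileged."""
        if presented_sid not in self.sessions:
            presented_sid = self.new_session()   # never adopt an id the server did not issue
        if self.regenerate_on_login:
            del self.sessions[presented_sid]
            presented_sid = self.new_session()
        self.sessions[presented_sid]["user"] = user
        return presented_sid

    def user_for(self, sid):
        """Resolve a session id to its user, expiring idle or over-age sessions first."""
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        now = self.clock()
        if self.enforce_expiry and (now - rec["last_seen"] > IDLE_TIMEOUT
                                    or now - rec["created"] > ABSOLUTE_TIMEOUT):
            del self.sessions[sid]
            return None
        rec["last_seen"] = now
        return rec["user"]
```

With the weak flags, a pre-auth id handed out by the server resolves to the logged-in user indefinitely; with the defaults, that id is invalidated at login and the replacement dies after the idle timeout.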

Exploitation

An unauthenticated remote attacker must first induce a legitimate user to authenticate with a session token controlled by the attacker (session fixation) or capture a valid session token from an existing session. The attack requires user interaction (e.g., clicking a crafted link) and a race-like window where the attacker can inject the predetermined session ID before the user logs in [1][2]. Once the victim authenticates with the attacker-supplied token, the session remains valid indefinitely due to insufficient expiration controls [2].

Impact

A successful attack allows the attacker to impersonate the victim and access the BMC web application with the victim’s privileges, leading to potential information disclosure and low-integrity modifications of BMC settings [1][2]. The CVSS v3.1 score is 5.8 (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L) [2].

Mitigation

Lanner has released updated BMC firmware versions that fix the issue; affected users should contact Lanner technical support to obtain the patched firmware [1][2]. No workaround or mitigation is documented for unpatched installations [1][2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in the index yet)