<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rack-Session - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/rack-session/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/rack-session/feed.xml" rel="self" type="application/rss+xml"/><item><title>Rack::Session::Cookie Vulnerability Enables Secretless Session Forgery</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-rack-session-cookie-deserialization/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-rack-session-cookie-deserialization/</guid><description>Rack::Session::Cookie incorrectly handles decryption failures, falling back to a default decoder and allowing attackers to forge session cookies without knowing the secret, potentially leading to authentication bypass or privilege escalation in vulnerable Rack applications.</description><content:encoded><![CDATA[<p>The <code>Rack::Session::Cookie</code> gem, versions 2.0.0 to before 2.1.2, contains a critical vulnerability where decryption failures are mishandled. When configured with the <code>secrets:</code> option, the system should decrypt incoming session cookies. However, if decryption fails, instead of rejecting the cookie, it falls back to a default decoder. This allows an unauthenticated attacker to craft a session cookie that the application accepts as valid, even without knowing the encryption secret. This behavior bypasses intended integrity protections and exposes applications to unauthorized access by allowing manipulation of session contents. Rails applications are typically not affected as they use <code>ActionDispatch::Session::CookieStore</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Rack application using <code>Rack::Session::Cookie</code> with the <code>secrets:</code> option.</li>
<li>The attacker crafts a malicious session cookie payload.</li>
<li>The attacker sends an HTTP request to the application with the crafted session cookie.</li>
<li>The application attempts to decrypt the cookie using configured secrets, but decryption fails.</li>
<li>Instead of rejecting the cookie, <code>Rack::Session::Cookie</code> falls back to a default decoder.</li>
<li>The application deserializes the attacker-controlled cookie data, treating it as trusted session state.</li>
<li>The attacker manipulates session contents (e.g., user ID, roles, permissions).</li>
<li>The attacker gains unauthorized access or elevates privileges based on the manipulated session data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Any Rack application using a vulnerable version of <code>Rack::Session::Cookie</code> with the <code>secrets:</code> option is susceptible. Exploitation can lead to authentication bypass, privilege escalation, and potentially other risks depending on the specific application logic. An attacker can supply a crafted session cookie that is accepted as valid session data, potentially leading to unauthorized actions being performed with the privileges of a legitimate user. The number of victims depends on the popularity and exposure of vulnerable Rack applications.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to <code>rack-session</code> version 2.1.2 or later to remediate CVE-2026-39324 and ensure proper cookie decryption failure handling.</li>
<li>Rotate session secrets after upgrading <code>rack-session</code> to invalidate existing session cookies that may have been forged by attackers.</li>
<li>Monitor web server logs (category: webserver, product: linux/windows) for suspicious HTTP requests containing unusually long or malformed session cookies, indicating potential exploitation attempts.</li>
<li>Deploy the Sigma rule &quot;Detect Suspicious Rack Session Cookie Manipulation&quot; to identify potential exploitation attempts based on HTTP request patterns.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>rack</category><category>session</category><category>cookie</category><category>deserialization</category><category>vulnerability</category><category>privilege-escalation</category></item></channel></rss>