{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/openmage/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["magento-lts (\u003c= 20.16.0)"],"_cs_severities":["critical"],"_cs_tags":["session hijacking","API vulnerability","brute-force attack"],"_cs_type":"advisory","_cs_vendors":["OpenMage"],"content_html":"\u003cp\u003eOpenMage LTS, a fork of Magento, is vulnerable to session hijacking due to its insecure method of generating API session IDs. Specifically, versions 20.16.0 and earlier generate session IDs using an MD5 hash of time-derived inputs (timestamp, microsecond, and LCG state), rather than a cryptographically secure random number generator. This vulnerability exists in the \u003ccode\u003eMage_Api_Model_Session.php\u003c/code\u003e file within the \u003ccode\u003estart()\u003c/code\u003e method. The lack of sufficient entropy in the session ID makes it predictable and susceptible to brute-force attacks, especially given the absence of API rate limiting. An attacker can exploit this vulnerability to gain unauthorized access to user accounts and perform malicious actions. This vulnerability affects all legacy API surfaces including XML-RPC, SOAP v1, SOAP v2, and legacy REST APIs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker observes a victim authenticating to the \u003ccode\u003e/api/xmlrpc/\u003c/code\u003e endpoint, capturing the Unix timestamp of the login event via network timing or exposed logs.\u003c/li\u003e\n\u003cli\u003eThe attacker estimates the microsecond portion of the timestamp based on observed network latency or other side-channel information.\u003c/li\u003e\n\u003cli\u003eThe attacker reconstructs the MD5 hash format using the known timestamp and the estimated microsecond window.\u003c/li\u003e\n\u003cli\u003eThe attacker bounds the LCG float component based on server PID ranges (if known or leaked via \u003ccode\u003e/server-status\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker generates a candidate pool of MD5 hashes based on the reconstructed format and LCG variations.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a series of crafted HTTP POST requests to the \u003ccode\u003e/api/xmlrpc/\u003c/code\u003e endpoint, each containing a different candidate session ID within the \u003ccode\u003e\u0026lt;methodCall\u0026gt;\u0026lt;params\u0026gt;\u0026lt;param\u0026gt;\u0026lt;value\u0026gt;\u0026lt;string\u0026gt;{CANDIDATE_SESSION_ID}\u0026lt;/string\u0026gt;\u0026lt;/value\u0026gt;\u0026lt;/param\u0026gt;\u0026lt;/params\u0026gt;\u0026lt;/methodCall\u0026gt;\u003c/code\u003e XML structure.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the HTTP responses for a non-fault response (HTTP 200 containing data), indicating a successful session hijack.\u003c/li\u003e\n\u003cli\u003eUpon successful hijack, the attacker uses the valid session ID to access privileged API endpoints, such as those for managing product catalogs, customer data, or orders, to perform malicious actions such as data exfiltration, order fraud, or inventory manipulation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to hijack active API sessions, granting them full control over the compromised account. This can lead to data exfiltration of customer PII, order history, and payment methods. Attackers can also manipulate orders by creating, canceling, or changing shipping addresses. Further, they can modify prices, inject malicious products, or zero out stock, leading to significant financial and operational damage. This vulnerability affects all legacy API protocols, including XML-RPC, SOAP v1, SOAP v2, and REST APIs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch to replace the time-derived token with a cryptographically secure random value by updating the \u003ccode\u003eapp/code/core/Mage/Api/Model/Session.php\u003c/code\u003e file, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on API endpoints like \u003ccode\u003e/api/xmlrpc/\u003c/code\u003e to prevent high-speed online brute-force attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to the \u003ccode\u003e/api/xmlrpc/\u003c/code\u003e, \u003ccode\u003e/api/soap/\u003c/code\u003e, \u003ccode\u003e/api/v2_soap/\u003c/code\u003e, and \u003ccode\u003e/api/rest/\u003c/code\u003e endpoints using the Sigma rule provided to detect potential session hijacking attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-openmage-session-hijacking/","summary":"OpenMage LTS version 20.16.0 and earlier has a critical vulnerability in the XML-RPC/SOAP API session ID generation, which uses a predictable MD5 hash of time-derived inputs, allowing attackers to brute-force and hijack active API sessions for data exfiltration, order fraud, and supply chain manipulation.","title":"OpenMage LTS Weak API Session ID Vulnerability Leads to Session Hijacking","url":"https://feed.craftedsignal.io/briefs/2024-01-openmage-session-hijacking/"}],"language":"en","title":"CraftedSignal Threat Feed — OpenMage","version":"https://jsonfeed.org/version/1.1"}