Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:96535
HistorySep 19, 2017 - 12:00 a.m.

Moxa AWK-3131A Web Application Nonce Reuse Vulnerability(CVE-2016-8712)

2017-09-1900:00:00
Root
www.seebug.org
32

0.005 Low

EPSS

Percentile

75.7%

JSON

Summary

An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds.

Tested Versions

Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1

Product URLs

http://www.moxa.com/product/AWK-3131A.htm

CVSSv3 Score

5.9 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

An exploitable Nonce Resume vulnerability exists in the Web Application functionality of Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds. The value of a sessions token is the result of MD5(password+webNonce). With a fixed nonce, attacks against the session token to determine valid credentials are greatly simplified as the attacker now only needs to crack MD5(password).

The nonce reuse is also the basis for the way sessions are implemented: because the nonce keeps getting reused as long as the web application hasn’t been idle, the session remains valid. This introduces another problem: when logging out, the cookie containing the session token is cleared, but the session does not become invalid until the timeout has occured. This allows attackers who have been able to gain access to a session token to use it to log in even if the user has explicitly logged out. They can also keep this session token valid permanentely by ensuring that the web application never goes idle, which prevents the nonce from changing.

Exploit Proof-of-Concept

The below script will grab a nonce once every 250 seconds, just under the 300 second time-out period. This will prevent the nonce from changing.

#!/usr/bin/python

import urllib2
import time

while True:
    nonce = urllib2.urlopen("http://<Device IP>/webNonce?time=").read()
    time.sleep(250)

Mitigation

To significantly mitigate risk of exploitation, disable the web application before the device is deployed.

Timeline

  • 2016-11-14 - Vendor Disclosure
  • 2017-04-10 - Public Release

CREDIT

  • Discovered by Patrick DeSantis of Cisco Talos.

                                                #!/usr/bin/python

import urllib2
import time

while True:
    nonce = urllib2.urlopen("http://<Device IP>/webNonce?time=").read()
    time.sleep(250)

Related

talos 1
cvelist 1
prion 1
nvd 1
cve 1
nessus 1
talos
talos
Moxa AWK-3131A Web Application Nonce Reuse Vulnerability
2017-04-10 00:00:00
cvelist
cvelist
CVE-2016-8712
2017-04-13 19:00:00
prion
prion
Authentication flaw
2017-04-13 19:59:00
nvd
nvd
CVE-2016-8712
2017-04-13 19:59:00
cve
cve
CVE-2016-8712
2017-04-13 19:59:00
nessus
nessus
Moxa Web Application Nonce Reuse Vulnerability (CVE-2016-8712)
2023-08-02 00:00:00

0.005 Low

EPSS

Percentile

75.7%

JSON
Related for SSV:96535
talos1cvelist1prion1nvd1cve1nessus1