CVE-2020-29667

9.8 CRITICAL

📋 TL;DR

CVE-2020-29667 allows remote attackers to bypass authentication and gain control over Lan ATMService M3 ATM Monitoring System by using a default session cookie value. This affects all systems running the vulnerable software with default configurations. Attackers can achieve full system compromise without valid credentials.

💻 Affected Systems

Products:
  • Lan ATMService M3 ATM Monitoring System
Versions: 6.1.0
Operating Systems: Unknown - likely Windows-based given ATM monitoring context
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable in default configuration with PHPSESSID=LANIT-IMANAGER cookie.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover allowing attackers to manipulate ATM monitoring, potentially enabling ATM fraud, data theft, or service disruption.

🟠 Likely Case

Unauthorized administrative access leading to ATM monitoring manipulation, configuration changes, and potential data exfiltration.

🟢 If Mitigated

Limited impact with proper session management and network segmentation in place.

🌐 Internet-Facing: HIGH - Default cookie allows unauthenticated remote exploitation if system is internet-facing.
🏢 Internal Only: HIGH - Even internally, default cookie allows easy lateral movement and privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only sending the default cookie value; a GitHub repository contains a proof-of-concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://lanatmservice.ru/

Restart Required: No

Instructions:

No official patch available. Contact vendor for updated version or implement workarounds.

🔧 Temporary Workarounds

Change Default Session Cookie

all

Modify the default PHPSESSID cookie value to a strong, random value unique to each installation.

  • Edit PHP configuration to set session.cookie_httponly = 1
  • Set session.use_strict_mode = 1
  • Configure custom session name and secure cookie parameters

Implement Session Expiration

all

Add proper session timeout and expiration mechanisms to invalidate sessions after inactivity.

  • Set session.gc_maxlifetime to appropriate value (e.g., 1800)
  • Implement session regeneration on privilege changes

🧯 If You Can't Patch

  • Network segmentation: Isolate ATM monitoring system from internet and restrict internal access.
  • Implement WAF rules to block requests with default cookie values and monitor for session hijacking attempts.

🔍 How to Verify

Check if Vulnerable:

Send an HTTP request with the cookie 'PHPSESSID=LANIT-IMANAGER' to the system and check whether authenticated access is granted.

Check Version:

Check system interface or configuration files for version information (typically 6.1.0).

Verify Fix Applied:

Attempt the same exploit with the default cookie; the system should return an authentication error or redirect to login.

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful logins with same session ID
  • Administrative actions from unexpected IP addresses
  • Session fixation attempts

Network Indicators:

  • HTTP requests containing 'PHPSESSID=LANIT-IMANAGER' cookie
  • Unauthenticated requests accessing privileged endpoints

SIEM Query:

source="web_logs" AND (cookie="*PHPSESSID=LANIT-IMANAGER*" OR uri="/admin/*") AND response_code=200
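
The log and network indicators above can also be checked offline against web access logs. The following is an added example, not vendor or advisory code: it assumes the web server writes the Cookie header as a final quoted field after the combined log format, and the sample lines, paths and non-default session ID are constructed. It reports requests carrying the default session ID and any session ID seen from more than one client address.

```python
import re
from collections import defaultdict

DEFAULT_SID = "LANIT-IMANAGER"  # default PHPSESSID value named in this advisory

# Assumption: combined log format with the Cookie header appended as a final
# quoted field (for example an nginx log_format ending in "$http_cookie").
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

def session_id(cookie_header):
    """Return the PHPSESSID value from a Cookie header, or None if absent."""
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name == "PHPSESSID":
            return value.strip()
    return None

def analyse(lines):
    """Return (requests carrying the default ID, session IDs seen from >1 IP)."""
    hits, ips_by_sid = [], defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        sid = session_id(m["cookie"]) if m else None
        if sid is None:
            continue  # unparsable line or no session cookie
        ips_by_sid[sid].add(m["ip"])
        if sid == DEFAULT_SID:
            hits.append((m["ip"], m["uri"], int(m["status"])))
    shared = {s: sorted(ips) for s, ips in ips_by_sid.items() if len(ips) > 1}
    return hits, shared

# Constructed sample lines: documentation IP ranges, made-up paths and IDs.
SAMPLE = [
    '198.51.100.7 - - [10/Dec/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/7.68.0" "PHPSESSID=LANIT-IMANAGER"',
    '203.0.113.9 - - [10/Dec/2020:10:03:44 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "lang=en; PHPSESSID=LANIT-IMANAGER"',
    '192.0.2.10 - - [10/Dec/2020:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "PHPSESSID=k3v9q2m1c8f0a7d5"',
    '192.0.2.10 - - [10/Dec/2020:10:05:09 +0000] "GET /login.php HTTP/1.1" 200 812 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    hits, shared = analyse(SAMPLE)
    for ip, uri, status in hits:
        print(f"default session ID from {ip}: {uri} -> HTTP {status}")
    for sid, ips in shared.items():
        print(f"session ID {sid!r} used from {len(ips)} addresses: {ips}")
```

Hits answered with HTTP 200 are the ones to review first, since a fixed system is expected to return an authentication error or a redirect to login for this cookie.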
