CVE-2021-41553
📋 TL;DR
CVE-2021-41553 is a session fixation vulnerability in ARCHIBUS Web Central that allows attackers to hijack user sessions by setting arbitrary JSESSIONID values. This enables unauthorized access to the application without valid credentials. It only affects unsupported versions (21.3.3.815 and similar) from 2014 that are no longer maintained.
💻 Affected Systems
- ARCHIBUS Web Central
📦 What is this software?
Web Central by Archibus
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of any user account, including administrative accounts, leading to data theft, privilege escalation, and full application control.
Likely Case
Unauthorized access to standard user accounts, potentially exposing sensitive business data and enabling further lateral movement.
If Mitigated
Limited impact with proper session management controls, but still presents authentication bypass risk.
🎯 Exploit Status
Exploitation requires only an unauthenticated GET request with a manipulated JSESSIONID parameter. No special tools or advanced skills are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 26 and all recent versions
Vendor Advisory: https://www.gruppotim.it/redteam
Restart Required: Yes
Instructions:
1. Upgrade to ARCHIBUS Web Central version 26 or later.
2. Restart application services.
3. Verify session management is properly implemented.
🔧 Temporary Workarounds
Web Application Firewall Rules
Implement WAF rules to block requests with manipulated JSESSIONID parameters or enforce proper session validation.
WAF-specific configuration commands vary by vendor
Network Segmentation
Restrict access to vulnerable ARCHIBUS instances to trusted networks only.
Use firewall rules to limit access to specific IP ranges.
🧯 If You Can't Patch
- Decommission affected systems immediately as they are unsupported and vulnerable
- Implement strict network access controls and monitor all traffic to vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Test by making an unauthenticated GET request to /archibus/login.axvw with an arbitrary JSESSIONID parameter and checking whether the session persists after login.
Check Version:
Check the ARCHIBUS version in the application interface or configuration files (the version should be 26 or higher).
Verify Fix Applied:
After upgrade, verify that new session tokens are generated upon login and cannot be set client-side.
📡 Detection & Monitoring
Log Indicators:
- Multiple sessions with same JSESSIONID
- Unauthenticated requests with JSESSIONID parameters
- Failed login attempts followed by successful access with same session ID
Network Indicators:
- Unusual session ID patterns in HTTP requests
- Multiple users accessing from same session token
SIEM Query:
source="web_logs" AND (uri="/archibus/login.axvw" AND jsessionid=*) | stats count by jsessionid | where count > 1
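To make the log indicators above concrete, here is an added example (not part of the original advisory and not ARCHIBUS code) that scans constructed access-log lines for all three patterns: unauthenticated login requests carrying a client-supplied JSESSIONID, one session id used by several users, and a failed login followed by a successful access on the same id. The log format and the `;jsessionid=` / `?JSESSIONID=` URL forms are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the advisory or any real deployment).
# Assumed format: client_ip user status "METHOD target HTTP/1.1"; user is "-" when unauthenticated.
SAMPLE_LOG = """\
10.0.0.5 - 200 "GET /archibus/login.axvw?JSESSIONID=ABC123 HTTP/1.1"
10.0.0.5 - 401 "POST /archibus/login.axvw;jsessionid=ABC123 HTTP/1.1"
10.0.0.5 alice 200 "POST /archibus/login.axvw;jsessionid=ABC123 HTTP/1.1"
10.0.0.9 bob 200 "GET /archibus/schema.axvw;jsessionid=ABC123 HTTP/1.1"
10.0.0.7 carol 200 "GET /archibus/home.axvw;jsessionid=XYZ789 HTTP/1.1"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) (?P<status>\d{3}) "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"$')
# Session id supplied by the client in the URL: a ;jsessionid= path parameter or a query parameter, any case.
SID_RE = re.compile(r'(?:;|[?&])jsessionid=([A-Za-z0-9]+)', re.IGNORECASE)
LOGIN_PATH = "/archibus/login.axvw"

def parse(line):
    """Return a dict with ip, user, status, path and sid (None if no id in the URL), or None on bad input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split(";")[0].split("?")[0]
    sid = SID_RE.search(rec["target"])
    rec["sid"] = sid.group(1) if sid else None
    return rec

def analyze(log_text):
    """Flag the three log indicators from the advisory; returns sets keyed by indicator."""
    unauth_login_sids, failed_sids, failed_then_success = set(), set(), set()
    users_by_sid = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["sid"] is None:
            continue                      # only URL-supplied session ids matter here
        sid = rec["sid"]
        if rec["user"] != "-":
            users_by_sid[sid].add(rec["user"])
        if rec["path"] == LOGIN_PATH and rec["user"] == "-":
            unauth_login_sids.add(sid)    # client chose the id before authenticating
        if rec["status"] in (401, 403):
            failed_sids.add(sid)
        elif rec["status"] == 200 and rec["user"] != "-" and sid in failed_sids:
            failed_then_success.add(sid)  # same id survived a failed login, then worked
    shared = {s: u for s, u in users_by_sid.items() if len(u) > 1}
    return {"unauth_login_sids": unauth_login_sids, "shared_sids": shared, "failed_then_success": failed_then_success}
```

Running `analyze(SAMPLE_LOG)` flags ABC123 under all three indicators and leaves XYZ789 untouched; the second line of the sample shows that the `;jsessionid=` path-parameter form is caught as well as the query form.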