CVE-2023-40695
📋 TL;DR
IBM Cognos Controller versions 10.4.1, 10.4.2, and 11.0.0 do not invalidate a user's session on logout. A session token that was valid before the owner logged out keeps working afterwards, so an authenticated attacker who has obtained another user's token can continue to act as that user. Organizations running these specific versions of IBM's financial consolidation software are affected, and the impact is unauthorized access to sensitive financial data and to the functions available to the impersonated account.
💻 Affected Systems
- IBM Cognos Controller
📦 What is this software?
IBM Cognos Controller is IBM's financial consolidation software, used by finance teams to consolidate subsidiary figures and produce group-level financial statements. Its data is therefore both sensitive and integrity-critical.
⚠️ Risk & Real-World Impact
Worst Case
If the reused session belongs to an administrator, the attacker inherits administrative privileges in the application: access to all financial consolidation data, the ability to alter financial reports, and any integrations the application account can reach.
Likely Case
Authenticated users could access other users' sessions to view or modify financial data they shouldn't have access to, leading to data integrity issues and unauthorized information disclosure.
If Mitigated
With proper session management controls and network segmentation, impact would be limited to unauthorized access within the application's data scope.
🎯 Exploit Status
No public exploit code is referenced for this issue, and none is needed: the weakness is that the server keeps honouring a token after logout. The attacker must first obtain a valid session token for the target user (for example from a shared or unlocked workstation, a proxy or browser history, or an intercepted request); once they hold it, replaying the token after the victim logs out is a plain HTTP request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply the interim fix IBM provides for your release, or upgrade to a release the advisory lists as fixed
Vendor Advisory: https://www.ibm.com/support/pages/node/7149876
Restart Required: Yes
Instructions:
1. Review IBM advisory 7149876.
2. Apply the interim fix provided by IBM for your installed release.
3. Restart the Cognos Controller application.
4. Verify that session invalidation now works (see How to Verify below).
🔧 Temporary Workarounds
Session Timeout Reduction
Reduce session timeout values to shorten the window in which a logged-out token remains usable. This limits exposure but does not fix the missing invalidation: a token is still valid from logout until the idle or absolute timeout expires.
Configure in Cognos Controller administration settings
Network Segmentation
Restrict access to Cognos Controller to only authorized users and networks
Implement firewall rules and network access controls
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual session activity
- Educate users to close the browser completely after logout and to use private browsing on shared machines. This only protects against someone picking up the session from the same workstation; it does nothing against an attacker who has already captured the token, which the server will keep accepting until the fix is applied.
🔍 How to Verify
Check if Vulnerable:
Compare the installed IBM Cognos Controller version (administration console or installed software inventory) against the affected list: 10.4.1, 10.4.2, and 11.0.0 without the interim fix from advisory 7149876
Check Version:
Check version in Cognos Controller web interface or installation directory
Verify Fix Applied:
Log in with a test account and record the session cookie the server sets, confirm that a protected page loads with that cookie, log out normally, then replay the same cookie against the protected page. If the page still loads after logout, sessions are not being invalidated and the fix is not effective; a fixed system should answer with a redirect to the login page or a 401/403.
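The replay check described above as a script. This is an added example for this page, not IBM's code or anything from the advisory. The login, logout and probe paths, the form field names, the cookie name CCSESSION, and the "200 means logged in, 302/401/403 means logged out" rule are all assumptions that must be adapted to the deployment under test. The `FakeController` class is a constructed in-memory stand-in so the logic can be run offline; `urllib_transport` is what you would point at a real host with a throwaway account.

```python
"""Replay-after-logout check: does a session token keep working once its
owner has logged out?  Added example for this page; not IBM's code.

ASSUMPTIONS (adapt to the deployment under test): the login, logout and
probe paths, the form field names, the session cookie name CCSESSION, and
the rule that a protected page answers 200 to a live session and a
redirect (302) or 401/403 to a dead one.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

LOGIN_PATH = "/login"    # ASSUMPTION
LOGOUT_PATH = "/logout"  # ASSUMPTION
PROBE_PATH = "/me"       # ASSUMPTION: any page that requires a valid session


def classify(status_before_logout, status_after_logout):
    """Turn the two probe results into a verdict."""
    if status_before_logout != 200:
        return "INCONCLUSIVE"  # token never worked: wrong path, creds or cookie name
    if status_after_logout == 200:
        return "VULNERABLE"    # server still honours a token its owner logged out
    return "FIXED"             # 302-to-login / 401 / 403 after logout


def check_session_invalidation(send, username, password):
    """send(method, path, headers, body) -> (status, headers_dict, body_text)."""
    form = urllib.parse.urlencode({"username": username, "password": password})
    status, headers, _ = send("POST", LOGIN_PATH,
                              {"Content-Type": "application/x-www-form-urlencoded"}, form)
    set_cookie = headers.get("Set-Cookie")
    if status not in (200, 302) or not set_cookie:
        raise RuntimeError(f"login failed: status {status}, Set-Cookie {set_cookie!r}")
    session = set_cookie.split(";", 1)[0]                      # keep only "NAME=value"
    before, _, _ = send("GET", PROBE_PATH, {"Cookie": session}, None)
    send("POST", LOGOUT_PATH, {"Cookie": session}, None)       # log out with that token
    after, _, _ = send("GET", PROBE_PATH, {"Cookie": session}, None)  # replay it
    return classify(before, after)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it


def urllib_transport(base_url):
    """Transport for a live server, e.g. urllib_transport("https://controller.example")."""
    opener = urllib.request.build_opener(_NoRedirect())

    def send(method, path, headers, body):
        data = body.encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method, headers=headers)
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status, dict(resp.headers.items()), resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers.items()), ""
    return send


class FakeController:
    """Constructed in-memory stand-in so the check runs offline.
    invalidates_on_logout=False models the behaviour described for CVE-2023-40695."""

    def __init__(self, invalidates_on_logout):
        self.invalidates = invalidates_on_logout
        self.live = set()
        self.minted = 0

    def send(self, method, path, headers, body):
        cookie = headers.get("Cookie", "")
        token = cookie[len("CCSESSION="):] if cookie.startswith("CCSESSION=") else None
        if method == "POST" and path == LOGIN_PATH:
            self.minted += 1
            token = f"tok{self.minted}"
            self.live.add(token)
            return 302, {"Set-Cookie": f"CCSESSION={token}; HttpOnly; Path=/"}, ""
        if path == LOGOUT_PATH:
            if self.invalidates:          # a fixed server forgets the token here
                self.live.discard(token)
            return 302, {"Location": LOGIN_PATH}, ""
        if path == PROBE_PATH:
            return (200, {}, "ok") if token in self.live else (302, {"Location": LOGIN_PATH}, "")
        return 404, {}, ""


if __name__ == "__main__":
    if len(sys.argv) == 4:   # usage: python check.py https://host user password
        print(check_session_invalidation(urllib_transport(sys.argv[1]), sys.argv[2], sys.argv[3]))
    else:
        print("unpatched model:", check_session_invalidation(FakeController(False).send, "alice", "pw"))
        print("patched model:  ", check_session_invalidation(FakeController(True).send, "alice", "pw"))
```

Run it with no arguments to see the two model outcomes, or with a base URL, user and password to test a real instance. Redirects are deliberately not followed, because a 302 to the login page after logout is exactly the signal that distinguishes a fixed server from a vulnerable one; an INCONCLUSIVE result means the assumed paths or cookie name do not match your deployment and the check has not actually exercised the session.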
📡 Detection & Monitoring
Log Indicators:
- Multiple sessions from same user with overlapping timestamps
- Session reuse after logout events
- Access from unusual IP addresses with valid sessions
Network Indicators:
- Multiple authentication requests followed by session reuse patterns
SIEM Query (pseudo-query; the source name and the event, session and user field names are illustrative and must be mapped onto the fields your Cognos Controller and web-server logs actually emit):
source="cognos_controller" AND (event="session_reuse" OR (event="logout" AND subsequent_event="session_access"))
The underlying logic is a correlation: for each session identifier, note the logout event, then alert on any later access that presents the same identifier, especially from a different source address.
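The correlation behind the pseudo-query and the first two log indicators, run over constructed sample log lines. This is an added example for this page, not IBM's log format and not a vendor-supplied rule. The one-event-per-line `timestamp key=value ...` layout and the field names `event`, `user`, `session`, `src` and `path` are assumptions; map your real fields onto them before use.

```python
"""Post-logout session reuse and overlapping-session detectors, run over
constructed sample log lines.  Added example for this page; not IBM's log
format or a vendor rule.

ASSUMPTION: one event per line as "<ISO timestamp> key=value ...", with at
least event=, user=, session= and src= fields.
"""
import re
from datetime import datetime

# Constructed sample: alice logs out, then her old session id is used from a new
# address (reuse); bob logs out and back in and gets a fresh id (benign); carol
# opens a second session while the first is still live (overlap indicator).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z event=login  user=alice session=s-a1f3 src=10.0.0.5
2024-03-01T09:05:12Z event=access user=alice session=s-a1f3 src=10.0.0.5  path=/controller/reports
2024-03-01T09:10:00Z event=logout user=alice session=s-a1f3 src=10.0.0.5
2024-03-01T09:12:30Z event=access user=alice session=s-a1f3 src=10.0.0.99 path=/controller/admin
2024-03-01T09:13:00Z event=login  user=bob   session=s-77c2 src=10.0.0.7
2024-03-01T09:20:00Z event=logout user=bob   session=s-77c2 src=10.0.0.7
2024-03-01T09:21:00Z event=login  user=bob   session=s-9e01 src=10.0.0.7
2024-03-01T09:22:00Z event=access user=bob   session=s-9e01 src=10.0.0.7  path=/controller/reports
2024-03-01T09:30:00Z event=login  user=carol session=s-c001 src=10.0.0.8
2024-03-01T09:31:00Z event=login  user=carol session=s-c002 src=10.0.0.44
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """'2024-03-01T09:00:01Z event=login user=alice ...' -> dict with a datetime under 'ts'."""
    ts, rest = line.split(None, 1)
    ev = dict(KV.findall(rest))
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def _events(lines):
    return sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])


def find_post_logout_reuse(lines):
    """Alert on any activity that presents a session id after that id was logged out."""
    logged_out = {}   # session id -> the logout event that ended it
    alerts = []
    for ev in _events(lines):
        sid = ev["session"]
        if ev["event"] == "logout":
            logged_out[sid] = ev
        elif ev["event"] == "login":
            logged_out.pop(sid, None)   # a server should never re-mint an old id; defensive
        elif sid in logged_out:         # access, or anything else, on a dead session id
            out = logged_out[sid]
            alerts.append({
                "session": sid,
                "user": ev.get("user"),
                "logout_at": out["ts"].isoformat(),
                "access_at": ev["ts"].isoformat(),
                "seconds_after_logout": int((ev["ts"] - out["ts"]).total_seconds()),
                "src_changed": ev.get("src") != out.get("src"),   # new address = stronger signal
                "path": ev.get("path"),
            })
    return alerts


def find_overlapping_sessions(lines):
    """Weaker indicator: a user logs in while another of their sessions is still open."""
    active = {}       # user -> set of live session ids
    overlaps = []
    for ev in _events(lines):
        user, sid = ev.get("user"), ev["session"]
        if ev["event"] == "login":
            if active.get(user):
                overlaps.append((user, sid, sorted(active[user])))
            active.setdefault(user, set()).add(sid)
        elif ev["event"] == "logout":
            active.get(user, set()).discard(sid)
    return overlaps


if __name__ == "__main__":
    for alert in find_post_logout_reuse(SAMPLE_LOG.splitlines()):
        print("REUSE   ", alert)
    for user, new_sid, open_sids in find_overlapping_sessions(SAMPLE_LOG.splitlines()):
        print("OVERLAP ", user, new_sid, "while open:", open_sids)
```

On the sample, only alice's `s-a1f3` is flagged for reuse (150 seconds after logout, from a different address), bob's re-login is correctly ignored because it carries a new session id, and carol's second login is reported as an overlap. Overlaps are a weaker signal than post-logout reuse, since two browsers or a stale tab produce the same pattern legitimately; post-logout access with a changed source address is the indicator worth paging on.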