CVE-2024-23679
📋 TL;DR
Enonic XP versions before 7.7.4 have a session fixation vulnerability: session attributes are not invalidated when a user authenticates, so a session ID that was valid before login stays valid (and now authenticated) after login. A remote, unauthenticated attacker who can get a victim to use a session ID the attacker already knows can replay that ID after the victim logs in and take over the session. Every Enonic XP deployment running a vulnerable version is affected.
💻 Affected Systems
- Enonic XP
📦 What is this software?
Enonic XP, the open-source CMS and web application platform by Enonic.
⚠️ Risk & Real-World Impact
Worst Case
Hijacking an administrator's session gives the attacker full control of the Enonic XP admin console: unauthorized access, data theft and privilege escalation, and, because the admin console can deploy applications, effectively code execution on the node.
Likely Case
Unauthorized access to individual user accounts and the content they can see or edit, with escalation to administrative access if an administrator's session is fixed and hijacked.
If Mitigated
If a front-end component rotates the session cookie at login, or the instance is reachable only from a trusted network, the attack is much harder to carry out, but any account whose login still keeps its pre-authentication session ID remains exposed.
🎯 Exploit Status
Session fixation is a well-understood attack class. Once an attacker knows the server does not rotate session IDs at login, exploitation needs only a way to plant a known session ID in the victim's browser and a subsequent login by the victim; no memory corruption or special tooling is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.7.4
Vendor Advisory: https://github.com/advisories/GHSA-4m5p-5w5w-3jcf
Restart Required: Yes
Instructions:
1. Back up your Enonic XP instance.
2. Upgrade to Enonic XP version 7.7.4 or later.
3. Restart the Enonic XP service.
4. Verify the upgrade: confirm the reported version is 7.7.4 or later and that logging in issues a new session cookie rather than keeping the one held before login.
🔧 Temporary Workarounds
Session Management Enhancement
Implement custom session handling in front of, or alongside, the vulnerable built-in handling: invalidate the pre-authentication session (and every attribute stored in it) at login and issue a fresh session ID to the client, so that an ID an attacker obtained before login is worthless afterwards.
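The following is an added example, not Enonic XP code, showing the difference between a login that authenticates the existing session in place (the fixation-prone pattern) and one that invalidates it and issues a fresh ID. The in-memory `SessionStore` and the `simulate_fixation` walk-through are constructed for illustration; the mechanism by which the attacker plants the session ID in the victim's browser is out of scope and simply assumed.

```python
import secrets
from typing import Callable, Dict, Optional


class SessionStore:
    """In-memory stand-in for a server-side session table (constructed for this example)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, Optional[str]]] = {}

    def create(self) -> str:
        """Issue an anonymous session, as a server does on a client's first request."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        """Which user, if any, the given session ID is authenticated as."""
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def login_vulnerable(store: SessionStore, sid: str, user: str) -> str:
    """Fixation-prone login: the existing session is authenticated in place.
    Anyone who already knows `sid` now holds an authenticated session."""
    if sid not in store.sessions:
        sid = store.create()
    store.sessions[sid]["user"] = user
    return sid


def login_hardened(store: SessionStore, sid: str, user: str) -> str:
    """Rotate the session on privilege change: drop the pre-auth session together
    with all of its attributes, then issue a fresh ID that only this client learns."""
    store.sessions.pop(sid, None)  # the attacker-known ID stops working here
    new_sid = store.create()
    store.sessions[new_sid]["user"] = user
    return new_sid


def simulate_fixation(login: Callable[[SessionStore, str, str], str]) -> bool:
    """Walk the classic fixation sequence and report whether the attacker ends up
    holding a session that is authenticated as the victim."""
    store = SessionStore()
    planted = store.create()        # 1. attacker obtains a valid anonymous session ID
    victim_sid = planted            # 2. victim's browser is made to use it (assumed)
    victim_sid = login(store, victim_sid, "victim")  # 3. victim logs in
    assert store.user_for(victim_sid) == "victim"    # victim's own session works either way
    return store.user_for(planted) == "victim"       # 4. attacker replays the planted ID


if __name__ == "__main__":
    print("vulnerable login hijacked:", simulate_fixation(login_vulnerable))
    print("hardened login hijacked:  ", simulate_fixation(login_hardened))
```

In a real servlet-based deployment the hardened path corresponds to invalidating the current session and creating a new one at the moment of authentication; the key property to test for is that the session cookie value before login differs from the value after login.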
🧯 If You Can't Patch
- Restrict network access to the Enonic XP instance, and especially to the admin console, with network segmentation and firewall rules so that only trusted clients can reach it.
- Put a WAF or reverse proxy in front of the instance with session fixation protections enabled (for example the OWASP CRS session fixation rules), and, where the proxy supports it, have it reissue the session cookie at login.
🔍 How to Verify
Check if Vulnerable:
Check the Enonic XP version in the admin console or in the installed distribution. Any version below 7.7.4 is vulnerable.
Check Version:
Read the version from the Enonic XP admin console's About dialog or from the installed distribution (the distribution directory and archive carry the version number).
Verify Fix Applied:
Confirm the version is 7.7.4 or higher, then test the behaviour directly: note the session cookie issued before login, log in, and confirm the server issues a different session cookie and that the old one no longer maps to an authenticated session.
📡 Detection & Monitoring
Log Indicators:
- A session ID presented at authentication that was already in use before login (no rotation at login); on a vulnerable server every login looks like this
- An authenticated session ID used from a source IP or user agent different from the one that logged in
Network Indicators:
- The same session cookie value presented from two different client IPs within its lifetime
- Requests that set or carry a session ID before any response from the server assigned it (an attacker distributing a pre-chosen ID)
SIEM Query:
source="enonic-xp" AND (event="session_creation" OR event="authentication") | stats dc(src_ip) AS ips BY session_id | where ips > 1
(Field and event names are assumed; Enonic XP's default logs do not record these events, so a reverse-proxy or access log that includes the session cookie value is needed to populate them.)
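The following is an added example, not part of the original advisory, that runs the two log indicators above over constructed sample log lines. The `key=value` log format and the event names (`session_create`, `request`, `authentication`) are assumptions for this example; Enonic XP's own logs do not record session IDs, so in practice the input would be a reverse-proxy or access log that captures the session cookie.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: a vulnerable server. The session aaa111 is created from the
# attacker's address (203.0.113.9), used by the victim (198.51.100.20) to log in,
# and then presented again from the attacker's address after authentication.
SAMPLE_LOG = """\
ts=1 event=session_create sid=aaa111 src_ip=203.0.113.9
ts=2 event=request sid=aaa111 src_ip=198.51.100.20
ts=3 event=authentication sid=aaa111 user=alice src_ip=198.51.100.20
ts=4 event=request sid=aaa111 src_ip=203.0.113.9
ts=5 event=session_create sid=bbb222 src_ip=198.51.100.21
ts=6 event=authentication sid=bbb222 user=bob src_ip=198.51.100.21
ts=7 event=request sid=bbb222 src_ip=198.51.100.21
"""

# Constructed sample: a server that rotates the session ID at login, so the ID
# seen after authentication (ddd444) never appeared before it.
PATCHED_LOG = """\
ts=1 event=session_create sid=ccc333 src_ip=198.51.100.30
ts=2 event=request sid=ccc333 src_ip=198.51.100.30
ts=3 event=authentication sid=ddd444 user=carol src_ip=198.51.100.30
ts=4 event=request sid=ddd444 src_ip=198.51.100.30
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (assumed log format)."""
    return dict(KV.findall(line))


def find_fixation_indicators(log_text: str) -> Dict[str, List[str]]:
    """Two indicators, returned as lists of session IDs:
    - unrotated_login: the ID presented at authentication had already been seen
      before login. This flags the server's behaviour rather than an attack: on a
      vulnerable server every login trips it, on a rotating server none should.
      (Heuristic: assumes a rotated ID first appears at the login event itself.)
    - post_auth_multi_ip: an authenticated ID used from more than one source IP,
      which is what a successful hijack of a fixed session looks like."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    seen_pre_auth: Set[str] = set()
    authenticated: Set[str] = set()
    post_auth_ips: Dict[str, Set[str]] = defaultdict(set)
    unrotated: List[str] = []
    for ev in events:
        sid, kind, ip = ev.get("sid", ""), ev.get("event"), ev.get("src_ip", "")
        if kind == "authentication":
            if sid in seen_pre_auth:
                unrotated.append(sid)
            authenticated.add(sid)
            post_auth_ips[sid].add(ip)
        elif sid in authenticated:
            post_auth_ips[sid].add(ip)  # any later event on an authenticated ID
        else:
            seen_pre_auth.add(sid)      # session_create / request before login
    multi_ip = sorted(s for s, ips in post_auth_ips.items() if len(ips) > 1)
    return {"unrotated_login": unrotated, "post_auth_multi_ip": multi_ip}


if __name__ == "__main__":
    print("vulnerable server:", find_fixation_indicators(SAMPLE_LOG))
    print("patched server:   ", find_fixation_indicators(PATCHED_LOG))
```

The multi-IP indicator is the one worth alerting on; the unrotated-login indicator is best used as a periodic health check that the fix is actually in effect, since it fires on every legitimate login as long as the server is vulnerable.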
🔗 References
- https://github.com/advisories/GHSA-4m5p-5w5w-3jcf
- https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff
- https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
- https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842
- https://github.com/enonic/xp/issues/9253
- https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf
- https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf