CVE-2024-25977
📋 TL;DR
HAWKI does not issue a new session identifier when a user authenticates. An attacker who can plant a known session identifier in a victim's browser before login therefore shares the victim's authenticated session once the victim logs in (session fixation). Any deployment running a HAWKI version without the fix is affected.
💻 Affected Systems
- HAWKI software
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover leading to unauthorized access, data theft, privilege escalation, and lateral movement within the system.
Likely Case
Attacker gains access to victim's account and can perform actions as that user, potentially accessing sensitive data and functionality.
If Mitigated
Limited to initial access attempts that fail due to proper session management controls.
🎯 Exploit Status
Exploitation requires a way to plant a chosen session identifier in the victim's browser, for example an XSS flaw, the ability to set cookies for the HAWKI host from a sibling subdomain, or a deployment that accepts a session identifier from the URL. Once that precondition is met, the fixation itself is straightforward: the attacker obtains a valid pre-authentication identifier, plants it, waits for the victim to log in, and then presents the same identifier.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Any HAWKI build that includes commit 146967f3148e92d1640ffebc21d8914e2d7fb3f1
Vendor Advisory: https://r.sec-consult.com/hawki
Restart Required: Yes
Instructions:
1. Update to the latest HAWKI release.
2. If you deploy from the repository directly, confirm that commit 146967f3148e92d1640ffebc21d8914e2d7fb3f1 is included in the checked-out tree.
3. Restart the application services.
4. Invalidate all existing sessions, so that an identifier planted before the patch cannot be reused after it.
🔧 Temporary Workarounds
Session Regeneration Middleware
Implement middleware that regenerates the session ID on every authentication state change (login, logout, privilege change). In PHP this is session_regenerate_id(true) called immediately after the credentials are accepted; the true argument deletes the old session so the pre-login identifier stops working. This is the actual fix for the vulnerability; the cookie flags below only narrow how an attacker can plant an identifier.
HttpOnly and Secure Cookie Flags
Set session cookies with the HttpOnly flag (script cannot read or overwrite the cookie), the Secure flag (cookie is never sent over plaintext HTTP) and a SameSite attribute. These flags do not remove the fixation itself: an identifier planted through another path, such as a cookie set from a sibling subdomain, is still accepted until the server regenerates it at login.
Set-Cookie: sessionid=xxx; HttpOnly; Secure; SameSite=Strict
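The following is an added example, not code from HAWKI or from the advisory. It models a PHP-style session store (client-supplied identifiers are accepted, as with session.use_strict_mode=0) and plays the attack described in the TL;DR against two login handlers: one that keeps the pre-authentication identifier, and one that rotates it the way the session regeneration workaround above prescribes. The cookie name and the session-store layout are assumptions made for the model.

```python
"""Added model (not HAWKI's code) of session fixation against a PHP-style session store.

Shows why a login that keeps the pre-auth session id is fixable and why regenerating the id
at login (session_regenerate_id(true) in PHP) closes the hole.
"""
import secrets


class SessionStore:
    """In-memory stand-in for PHP's session handler with session.use_strict_mode=0:
    an id presented by the client is accepted even if the server never issued it."""

    def __init__(self):
        self.sessions = {}  # session id -> session data

    def start(self, client_sid=None):
        """Return (sid, data). Absent or unknown ids get a fresh, empty session."""
        sid = client_sid or secrets.token_hex(16)
        return sid, self.sessions.setdefault(sid, {})

    def regenerate(self, old_sid):
        """Mirror session_regenerate_id(true): move the data under a fresh id, destroy the old one."""
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = self.sessions.pop(old_sid, {})
        return new_sid


def login_without_regeneration(store, client_sid, user):
    """Vulnerable pattern: authenticate into whatever session the browser already carries."""
    sid, data = store.start(client_sid)
    data["user"] = user
    return sid


def login_with_regeneration(store, client_sid, user):
    """Hardened pattern: rotate the id at the privilege change, then record the user."""
    sid, _ = store.start(client_sid)
    sid = store.regenerate(sid)
    store.sessions[sid]["user"] = user
    return sid


def session_cookie(sid, name="PHPSESSID"):
    """Set-Cookie value carrying the flags recommended above (cookie name is an assumption)."""
    return f"{name}={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def fixation_attempt(login):
    """Play the attack end to end and report whether the attacker lands in the victim's session."""
    store = SessionStore()
    attacker_sid, _ = store.start()  # attacker obtains a valid pre-auth id by visiting the site
    # ... and plants attacker_sid in the victim's browser (XSS, cookie injection, URL, ...)
    victim_sid = login(store, attacker_sid, "victim")
    # attacker now presents the planted id: whose identity does the server attach to it?
    seen_as = store.sessions.get(attacker_sid, {}).get("user")
    return {"victim_sid_equals_planted": victim_sid == attacker_sid, "attacker_seen_as": seen_as}


if __name__ == "__main__":
    print("no regeneration:", fixation_attempt(login_without_regeneration))
    print("regeneration:   ", fixation_attempt(login_with_regeneration))
```

Without regeneration the victim's login lands in the attacker's pre-planted session and the attacker is served as "victim"; with regeneration the planted identifier is destroyed at login and presenting it yields an empty, unauthenticated session.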
🧯 If You Can't Patch
- Where a reverse proxy or WAF sits in front of HAWKI, strip session identifiers from URL query strings and reject session cookies that do not match the server's identifier format. This narrows the ways an attacker can plant an identifier but does not remove the fixation itself.
- Enable multi-factor authentication to reduce the impact of a hijacked session.
🔍 How to Verify
Check if Vulnerable:
Obtain a session cookie before logging in (a plain GET of the login page), log in while presenting that cookie, and compare the session identifier issued in the login response with the one you started with. If the login response issues no new identifier, or issues the same one, the system is vulnerable. Repeat the comparison for logout.
Check Version:
Check HAWKI version or verify commit 146967f3148e92d1640ffebc21d8914e2d7fb3f1 is applied
Verify Fix Applied:
Confirm session token changes after successful login and logout operations.
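The following is an added verification script, not part of HAWKI or the advisory. assess() applies the check described above to the Set-Cookie headers of the pre-login and login responses (the sort of thing you capture with curl -i or an intercepting proxy, without following redirects), and check_live() drives it against a running instance. The cookie name (PHPSESSID), the login path and the form field names are assumptions; adjust them to the deployment under test.

```python
"""Added verification example (not HAWKI's code): does the pre-authentication session id survive login?

Cookie name, login path and form field names below are assumptions about the target.
"""
import random
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

COOKIE_NAME = "PHPSESSID"  # assumption: PHP's default session cookie name


def session_cookie(set_cookie_headers, name=COOKIE_NAME):
    """Return (value, morsel) for cookie `name` from a list of Set-Cookie header values, else (None, None)."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if name in jar:
            return jar[name].value, jar[name]
    return None, None


def assess(pre_login_headers, post_login_headers, name=COOKIE_NAME):
    """Verdict from the Set-Cookie headers of the pre-login response and the login response.

    post_login_headers must come from the immediate login response (often a 302), not from the
    page it redirects to; otherwise an id rotated on the redirect response would be missed.
    """
    pre, pre_morsel = session_cookie(pre_login_headers, name)
    post, post_morsel = session_cookie(post_login_headers, name)
    if pre is None:
        verdict = "INCONCLUSIVE: no session cookie issued before login"
    elif post is None:
        verdict = "VULNERABLE: session id not re-issued at login"  # browser keeps the pre-login id
    elif post == pre:
        verdict = "VULNERABLE: same session id before and after login"
    else:
        verdict = "OK: session id rotated at login"
    morsel = post_morsel or pre_morsel
    missing = [flag for flag, key in (("HttpOnly", "httponly"), ("Secure", "secure"), ("SameSite", "samesite"))
               if morsel is not None and not morsel[key]]
    return {"pre": pre, "post": post, "verdict": verdict, "missing_flags": missing}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the login response's own headers are captured."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _fetch(opener, url, data=None, cookie=None):
    """Return the Set-Cookie headers of one response; 3xx responses surface as HTTPError."""
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        resp = opener.open(req)
    except urllib.error.HTTPError as e:  # raised for 3xx because redirects are disabled
        resp = e
    return resp.headers.get_all("Set-Cookie") or []


def check_live(base_url, username, password, login_path="/login.php",
               user_field="username", pass_field="password", name=COOKIE_NAME):
    """Live check against a HAWKI instance; login_path and field names are assumptions."""
    opener = urllib.request.build_opener(_NoRedirect)
    login_url = base_url.rstrip("/") + login_path

    # 1. Obtain a server-issued pre-auth id, standing in for the id an attacker would plant.
    pre_headers = _fetch(opener, login_url)
    pre_sid, _ = session_cookie(pre_headers, name)

    # 2. Log in while presenting that id, exactly as the victim's browser would.
    body = urllib.parse.urlencode({user_field: username, pass_field: password}).encode()
    post_headers = _fetch(opener, login_url, data=body, cookie=f"{name}={pre_sid}" if pre_sid else None)
    result = assess(pre_headers, post_headers, name)

    # 3. Extra probe: does the server adopt an id it never issued (PHP session.use_strict_mode=0)?
    #    If it does, no Set-Cookie comes back because the server simply keeps the bogus id.
    bogus = "".join(random.choice("0123456789abcdefghijklmnopqrstuv") for _ in range(26))
    probe_sid, _ = session_cookie(_fetch(opener, login_url, cookie=f"{name}={bogus}"), name)
    result["accepts_unknown_id"] = probe_sid is None
    return result
```

Run it as check_live("https://hawki.example.org", "testuser", "testpass") against a test account. A result of accepts_unknown_id == True is not the vulnerability by itself, but it means an attacker does not even need a server-issued identifier to plant.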
📡 Detection & Monitoring
Log Indicators:
- Multiple login attempts with same session ID
- Session IDs used from unexpected locations
- Login without new session creation
Network Indicators:
- Cookies being set before authentication
- Session IDs in URL parameters
SIEM Query (pseudo-query, adapt to your platform):
login_event | join on session_id with earlier pre-login requests | where pre_login.session_id == post_login.session_id | alert, raising severity when pre_login.src_ip != login.src_ip
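The following is an added example, not tooling from HAWKI or the advisory, that runs the log indicators above over a few constructed application log lines. The log format (space-separated key=value fields after a timestamp) and the field names are assumptions; map them to whatever your HAWKI front end actually logs. It flags logins whose session identifier was already seen before authentication (no regeneration), marks those where the pre-login sighting came from a different source address (the planted-identifier pattern), lists identifiers used from more than one address, and lists identifiers carried in URL parameters.

```python
"""Added detection example (not HAWKI's code) for the session fixation indicators above.

Log format and field names are constructed assumptions, not HAWKI's real log format.
"""
import re
from collections import defaultdict

# Constructed sample: alice's login reuses an id first seen from another address (fixation pattern),
# bob's login is issued a fresh id, and one request carries the id in the URL.
SAMPLE_LOG = """\
2024-05-20T10:00:01Z src=203.0.113.7 sid=a1b2c3 event=request path=/login.php
2024-05-20T10:00:05Z src=198.51.100.4 sid=a1b2c3 event=login user=alice
2024-05-20T10:00:09Z src=203.0.113.7 sid=a1b2c3 event=request path=/chat user=alice
2024-05-20T10:01:00Z src=198.51.100.9 sid=d4e5f6 event=request path=/login.php
2024-05-20T10:01:03Z src=198.51.100.9 sid=77aa88 event=login user=bob
2024-05-20T10:01:10Z src=198.51.100.9 sid=77aa88 event=request path=/chat user=bob
2024-05-20T10:02:00Z src=192.0.2.5 sid=zz9 event=request path=/index.php?PHPSESSID=zz9
"""


def parse(line):
    """Timestamp followed by key=value fields; values contain no spaces in this format."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def analyse(log_text, cookie_name="PHPSESSID"):
    events = [parse(l) for l in log_text.strip().splitlines() if l.strip()]
    sources_by_sid = defaultdict(set)  # sid -> source addresses seen so far (in log order)
    fixation, sid_in_url = [], []
    url_pat = re.compile(rf"[?&]{re.escape(cookie_name)}=([^&\s]+)")
    for e in events:
        sid, src = e.get("sid"), e.get("src")
        if e.get("event") == "login" and sid in sources_by_sid:
            # The pre-auth id survived login, so the app did not regenerate it. If the earlier
            # sighting came from another address, the id was most likely planted.
            fixation.append({
                "sid": sid,
                "user": e.get("user"),
                "pre_login_sources": sorted(sources_by_sid[sid]),
                "cross_source": src not in sources_by_sid[sid],
            })
        m = url_pat.search(e.get("path", ""))
        if m:
            sid_in_url.append(m.group(1))
        sources_by_sid[sid].add(src)
    multi_source = {s: sorted(ips) for s, ips in sources_by_sid.items() if len(ips) > 1}
    return {"fixation": fixation, "multi_source": multi_source, "sid_in_url": sid_in_url}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

On an unpatched instance the "fixation" list fires for every login, because every login keeps its pre-authentication identifier; treat it as evidence the fix is not deployed, and use cross_source and multi_source to pick out the logins that look like actual hijacks.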
🔗 References
- http://seclists.org/fulldisclosure/2024/May/34
- https://github.com/HAWK-Digital-Environments/HAWKI/commit/146967f3148e92d1640ffebc21d8914e2d7fb3f1
- https://r.sec-consult.com/hawki