CVE-2024-45651

6.3 MEDIUM

📋 TL;DR

IBM Sterling Connect:Direct Web Services versions 6.1.0, 6.2.0, and 6.3.0 fail to properly invalidate user sessions when a browser is closed. This allows an authenticated attacker who gains access to a session token to impersonate another user, potentially accessing unauthorized data or performing unauthorized actions. Only users of these specific IBM Sterling Connect:Direct Web Services versions are affected.

💻 Affected Systems

Products:
  • IBM Sterling Connect:Direct Web Services
Versions: 6.1.0, 6.2.0, 6.3.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable unless patched or workarounds applied.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with access to a valid session token could impersonate any authenticated user, potentially gaining administrative privileges, accessing sensitive data, or performing unauthorized file transfers and system operations.

🟠 Likely Case

An authenticated user could reuse a session token from another user's browser session to access that user's data and perform actions within their permissions, leading to data exposure and unauthorized operations.

🟢 If Mitigated

With proper session management controls and monitoring, the impact is limited to temporary unauthorized access until sessions naturally expire or are manually invalidated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an attacker to obtain a valid session token through means like session hijacking, token theft, or accessing browser session storage.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply interim fix or upgrade as per IBM advisory

Vendor Advisory: https://www.ibm.com/support/pages/node/7231178

Restart Required: Yes

Instructions:

1. Review the IBM advisory at the provided URL.
2. Apply the recommended interim fix or upgrade to a non-vulnerable version.
3. Restart IBM Sterling Connect:Direct Web Services.
4. Verify that session invalidation occurs on browser closure.

🔧 Temporary Workarounds

Enforce Session Timeout (all platforms)

Configure the application or web server to enforce short session timeout periods to limit the exposure window.

How: configure the session timeout in the application server settings (e.g., web.xml for Java apps).

Implement Session Management Controls (all platforms)

Use additional session security controls such as secure cookies, HTTP-only flags, and same-site attributes.

How: set the session cookie attributes Secure, HttpOnly and SameSite=Strict.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to vulnerable systems only to trusted users.
  • Monitor and audit user sessions for unusual activity or multiple concurrent sessions from different locations.

🔍 How to Verify

Check if Vulnerable:

Check the IBM Sterling Connect:Direct Web Services version via the administrative interface or configuration files. If the version is 6.1.0, 6.2.0, or 6.3.0, it is vulnerable.

Check Version:

Check the version in application logs, configuration files, or via the administrative console specific to your deployment.

Verify Fix Applied:

After applying the fix, test by logging in, closing the browser, and attempting to reuse the session token. Access should be denied.

📡 Detection & Monitoring

Log Indicators:

  • Multiple login events from same session ID from different IPs
  • Session creation without corresponding logout
  • Unusual user activity patterns

Network Indicators:

  • Reuse of session tokens across different client IPs
  • Session cookies transmitted without secure flags

SIEM Query:

source="*sterling*" AND (event="session_reuse" OR (user="*" AND ip_change_during_session))
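The log and network indicators above, implemented as a small detection pass over access-log lines. This is an added example for this page, not IBM code and not part of the advisory: the log format, the field names (session, user, ip), the event names (login, request, logout) and the 30-minute staleness threshold are all assumptions; the sample lines are constructed. Adapt the parser to whatever your Connect:Direct Web Services front end or reverse proxy actually emits.

```python
"""
Session-reuse detection over web-service access logs (added example).

Flags the indicators listed in the advisory's detection section:
  * one session id seen from more than one client IP
  * one session id used by more than one user name
  * a session still used after its logout event
  * a session with no logout that went quiet long before the log ends
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format; not real IBM output.
SAMPLE_LOG = """\
2024-09-01T10:00:00Z login session=abc123 user=alice ip=10.0.0.5
2024-09-01T10:05:12Z request session=abc123 user=alice ip=10.0.0.5
2024-09-01T10:20:30Z request session=abc123 user=alice ip=203.0.113.9
2024-09-01T10:41:00Z login session=def456 user=bob ip=10.0.0.6
2024-09-01T10:50:00Z logout session=def456 user=bob ip=10.0.0.6
2024-09-01T10:55:00Z request session=def456 user=bob ip=10.0.0.6
2024-09-01T11:00:00Z login session=ghi789 user=carol ip=10.0.0.7
"""


def parse_line(line):
    """Parse one line of the assumed format into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    rec = {"ts": ts, "event": parts[1]}
    for kv in parts[2:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            rec[key] = value
    if not {"session", "user", "ip"} <= rec.keys():
        return None
    return rec


def analyze(log_text, stale_after=timedelta(minutes=30)):
    """Return a dict of findings keyed by indicator type."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])

    ips_by_session = defaultdict(set)
    users_by_session = defaultdict(set)
    last_seen = {}
    logout_ts = {}
    used_after_logout = []

    for r in records:
        sid = r["session"]
        ips_by_session[sid].add(r["ip"])
        users_by_session[sid].add(r["user"])
        last_seen[sid] = r["ts"]
        if r["event"] == "logout":
            logout_ts[sid] = r["ts"]
        elif sid in logout_ts and r["ts"] > logout_ts[sid]:
            # Token still accepted after logout: the failure this CVE describes.
            if sid not in used_after_logout:
                used_after_logout.append(sid)

    findings = {
        "multi_ip": {sid: sorted(ips) for sid, ips in ips_by_session.items()
                     if len(ips) > 1},
        "multi_user": {sid: sorted(u) for sid, u in users_by_session.items()
                       if len(u) > 1},
        "used_after_logout": used_after_logout,
        "no_logout": [],
    }

    # Sessions never closed: no logout, and idle for >= stale_after before the
    # log ends. The end-of-log reference is a heuristic for batch analysis.
    end_of_log = records[-1]["ts"] if records else None
    for sid, seen in last_seen.items():
        if sid not in logout_ts and end_of_log - seen >= stale_after:
            findings["no_logout"].append(sid)
    return findings


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

Run on the sample, the pass reports abc123 as seen from two IPs and left open without logout, and def456 as used after its logout. The "no_logout" heuristic measures idleness against the last timestamp in the batch, so on a live feed replace `end_of_log` with the current time.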
