CVE-2024-58317
📋 TL;DR
A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration cookies via web.config. This could allow session hijacking or authentication bypass if cookies are intercepted over unencrypted connections. The vulnerability affects .NET Framework projects using Kentico Xperience.
💻 Affected Systems
- Kentico Xperience
📦 What is this software?
Xperience by Kentico
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept administration session cookies over unencrypted connections, leading to full administrative access compromise and potential data breach.
Likely Case
Session hijacking of administrative users when they access the system over insecure networks, allowing unauthorized administrative actions.
If Mitigated
Limited impact if proper network segmentation and monitoring are in place, though authentication bypass risk remains.
🎯 Exploit Status
Exploitation requires the ability to intercept or manipulate network traffic to the target system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Kentico hotfixes for the specific version
Vendor Advisory: https://devnet.kentico.com/download/hotfixes
Restart Required: Yes
Instructions:
1. Download the appropriate hotfix from Kentico DevNet.
2. Apply the hotfix to the affected Kentico Xperience installation.
3. Restart the application/services.
4. Verify that the web.config cookie settings enforce requireSSL.
🔧 Temporary Workarounds
Manual web.config hardening
Platform: Windows
Manually configure cookie settings in web.config to enforce SSL requirements.
Edit web.config to ensure <httpCookies requireSSL="true" /> is properly configured
🧯 If You Can't Patch
- Implement strict network segmentation to isolate administration interfaces
- Deploy WAF rules to detect and block cookie manipulation attempts
🔍 How to Verify
Check if Vulnerable:
Inspect web.config for the <httpCookies> configuration and verify that the requireSSL attribute is set to "true" and enforced.
Check Version:
Check Kentico administration interface for version information or inspect assembly versions.
Verify Fix Applied:
Test that administration cookies are not transmitted over plain HTTP, confirming that the SSL requirement is enforced.
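The web.config check from the workaround and verification steps above, as an added example that is not Kentico's own code or tooling. It parses a web.config and reports whether <httpCookies requireSSL="true" /> is present under <system.web>, which is where ASP.NET reads the element, and it checks a captured Set-Cookie header for the Secure flag that this setting causes ASP.NET to emit. The two sample configurations and the cookie name are constructed for the example.

```python
"""Audit an ASP.NET (Kentico Xperience) web.config for httpCookies requireSSL.

Added example, not Kentico's code. Assumes the standard ASP.NET layout
<configuration><system.web><httpCookies .../></system.web></configuration>.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a web.config that does NOT enforce SSL on cookies
# (requireSSL is absent, so ASP.NET uses its default of false).
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
"""

# Constructed sample: the hardened form the workaround describes.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
"""


def _attr_true(element, name):
    """Treat only 'true' (compared case-insensitively) as enabled; a missing
    element or attribute means the ASP.NET default, which is false."""
    if element is None:
        return False
    return element.get(name, "false").strip().lower() == "true"


def audit_http_cookies(web_config_xml):
    """Return a dict describing the cookie hardening state of one web.config."""
    root = ET.fromstring(web_config_xml)
    if root.tag != "configuration":
        raise ValueError("not an ASP.NET configuration file")
    http_cookies = root.find("system.web/httpCookies")
    require_ssl = _attr_true(http_cookies, "requireSSL")
    return {
        "httpCookies_present": http_cookies is not None,
        "requireSSL": require_ssl,
        "httpOnlyCookies": _attr_true(http_cookies, "httpOnlyCookies"),
        # The CVE condition: cookies may be sent over plaintext HTTP.
        "vulnerable": not require_ssl,
    }


def set_cookie_is_secure(set_cookie_header):
    """True if a Set-Cookie header value carries the Secure attribute, which is
    what requireSSL="true" makes ASP.NET add to the cookies it issues."""
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "secure" in attributes


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit_http_cookies(cfg))
    # Constructed cookie name; a real deployment would check its own admin cookies.
    print(set_cookie_is_secure("ExampleAdminCookie=abc; path=/; Secure; HttpOnly"))
```

Run the audit against each site's web.config before and after applying the hotfix; a result of vulnerable=True after the fix means the configuration still needs the manual hardening step.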
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts with manipulated cookies
- Administration access from unexpected IPs
Network Indicators:
- HTTP requests attempting to set administration cookies without SSL
- Cookie manipulation attempts in network traffic
SIEM Query:
source="web_server" AND (cookie="admin" OR cookie="authentication") AND protocol="HTTP"
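The log and network indicators above, turned into detection logic that runs over sample records, as an added example that is neither Kentico's code nor a vendor SIEM query. The key=value log format, the administration cookie name, the admin path prefix and the allowed source network are all assumptions; the sample log lines are constructed.

```python
"""Flag administration cookies issued over plaintext HTTP or without Secure,
and administration access from outside the expected network.

Added example; log format, cookie name, path prefix and networks are assumed.
"""
import ipaddress
import re

# Assumed: cookie names treated as administration/authentication cookies.
ADMIN_COOKIE_NAMES = {"AdminSession"}
# Assumed: networks from which administration access is expected.
ADMIN_ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed: URL prefix of the administration interface.
ADMIN_PATH_PREFIX = "/Admin"

# Constructed sample log records, one request per line.
SAMPLE_LOG = """\
ts=2024-06-01T10:00:00Z src=10.1.2.3 scheme=https path=/Admin/Login status=200 set_cookie="AdminSession=abc; path=/; Secure; HttpOnly"
ts=2024-06-01T10:00:05Z src=10.1.2.3 scheme=http path=/Admin/Login status=200 set_cookie="AdminSession=abc; path=/; HttpOnly"
ts=2024-06-01T10:01:00Z src=203.0.113.9 scheme=https path=/Admin/Dashboard status=200 set_cookie=""
ts=2024-06-01T10:02:00Z src=10.1.2.3 scheme=https path=/ status=200 set_cookie="PreferredCulture=en-US; path=/"
"""

# key=value pairs; values may be double-quoted when they contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_record(line):
    """Parse one key=value log line into a dict."""
    return {key: (quoted or unquoted) for key, quoted, unquoted in _KV.findall(line)}


def cookie_name(set_cookie):
    return set_cookie.split("=", 1)[0].strip() if set_cookie else ""


def has_secure_flag(set_cookie):
    return "secure" in [p.strip().lower() for p in set_cookie.split(";")[1:]]


def detect(lines):
    """Return (timestamp, reason) findings for the indicators listed above."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        set_cookie = rec.get("set_cookie", "")
        if cookie_name(set_cookie) in ADMIN_COOKIE_NAMES:
            if rec.get("scheme") != "https":
                findings.append((rec["ts"], "admin cookie set over plaintext HTTP"))
            elif not has_secure_flag(set_cookie):
                findings.append((rec["ts"], "admin cookie set without Secure flag"))
        if rec.get("path", "").startswith(ADMIN_PATH_PREFIX):
            src = ipaddress.ip_address(rec["src"])
            if not any(src in net for net in ADMIN_ALLOWED_NETS):
                findings.append((rec["ts"], f"administration access from unexpected IP {src}"))
    return findings


if __name__ == "__main__":
    for ts, reason in detect(SAMPLE_LOG.splitlines()):
        print(ts, reason)
```

The second check (cookie issued over HTTPS but without Secure) is the one that stays relevant after the hotfix: it catches a site where the patch was applied but web.config still lacks requireSSL="true".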