Positive Technologies MaxPatrol 8 and XSpider Remote Denial-of-Service Vulnerability

Vulnerability

A remote denial-of-service vulnerability has been identified in Positive Technologies MaxPatrol 8 and XSpider, affecting versions of both products through September 2020. The issue resides in the client communication service listening on TCP port 2002: the service generates a new session identifier for every incoming connection and does not limit the number of concurrent requests. An unauthenticated remote attacker can therefore open HTTPS connections to the port in a loop, forcing the service to allocate session identifiers far faster than they are released. Under that load, newly allocated identifiers collide with those of existing sessions, and the active client sessions holding the colliding identifiers are disconnected, disrupting the service.

Impact

Exploitation of this vulnerability causes a denial-of-service condition: legitimate MaxPatrol 8 client sessions are forcibly disconnected, and the attacker needs no credentials on the target to trigger it.

Reproduction

To reproduce this vulnerability, first establish a legitimate session by connecting to the server with the MaxPatrol 8 client. Then open a web browser, navigate to the server's TCP port 2002 over HTTPS, and press F5 repeatedly to refresh the page. Each refresh opens a new connection and forces the service to allocate another session identifier; after 1 to 4 minutes of this, the resulting identifier collisions disconnect the MaxPatrol 8 client session and disrupt the application.
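The following is an added model of the flaw described above, not code from MaxPatrol 8, XSpider or Positive Technologies. It simulates a session table that mints a fresh identifier per connection and lets a colliding identifier replace the session already holding it, beside a hardened table that caps total and per-source sessions and retries instead of evicting on collision. The identifier width, the limits, the `SessionTable` API and the addresses are assumptions chosen to make the effect visible offline; the real service's identifier scheme is not documented on this page.

```python
"""Model of session-identifier exhaustion on a per-connection service.

Constructed illustration, not MaxPatrol/XSpider code. The 12-bit identifier
space is deliberately tiny so that collisions appear after a few thousand
connections instead of after days of flooding.
"""
import random
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    sid: int
    source: str
    authenticated: bool = False


@dataclass
class SessionTable:
    """Session table of a hypothetical network service (assumed design).

    Vulnerable configuration (the defaults): no caps, and a colliding ID
    silently replaces the session that already owns it.
    Hardened configuration: caps on total and per-source sessions, a wide
    ID, and a retry instead of an eviction when an ID collides.
    """
    id_bits: int = 12
    max_sessions: Optional[int] = None
    max_per_source: Optional[int] = None
    evict_on_collision: bool = True
    seed: int = 1                      # seeded RNG so runs are reproducible
    sessions: dict = field(default_factory=dict)
    per_source: Counter = field(default_factory=Counter)
    evicted: list = field(default_factory=list)
    rejected: int = 0
    _rng: random.Random = field(init=False, repr=False)

    def __post_init__(self):
        self._rng = random.Random(self.seed)

    def connect(self, source: str, authenticated: bool = False) -> Optional[Session]:
        """Handle one incoming connection; return its Session, or None if refused."""
        if self.max_sessions is not None and len(self.sessions) >= self.max_sessions:
            self.rejected += 1
            return None
        if self.max_per_source is not None and self.per_source[source] >= self.max_per_source:
            self.rejected += 1
            return None
        sid = self._rng.getrandbits(self.id_bits)
        if sid in self.sessions:
            if self.evict_on_collision:
                # The flaw: the established session loses its slot to a newcomer.
                old = self.sessions.pop(sid)
                self.per_source[old.source] -= 1
                self.evicted.append(old)
            else:
                # Hardened: keep drawing until the ID is unused (terminates because
                # max_sessions is far below 2**id_bits in this configuration).
                while sid in self.sessions:
                    sid = self._rng.getrandbits(self.id_bits)
        session = Session(sid, source, authenticated)
        self.sessions[sid] = session
        self.per_source[source] += 1
        return session

    def is_active(self, session: Session) -> bool:
        return self.sessions.get(session.sid) is session


def flood_until_client_dropped(table: SessionTable, client: Session,
                               attacker: str = "198.51.100.7",
                               limit: Optional[int] = None) -> Optional[int]:
    """Open unauthenticated connections from one source until the client's
    session is gone; return how many it took, or None if the limit is hit."""
    if limit is None:
        limit = 50 * (1 << table.id_bits)
    for n in range(1, limit + 1):
        table.connect(attacker)
        if not table.is_active(client):
            return n
    return None


def demo(flood: int = 6000) -> dict:
    """Run the flood against both configurations and report what happened."""
    vulnerable = SessionTable()
    client = vulnerable.connect("10.0.0.5", authenticated=True)   # the MaxPatrol-style client
    dropped_after = flood_until_client_dropped(vulnerable, client)

    hardened = SessionTable(id_bits=128, max_sessions=256, max_per_source=8,
                            evict_on_collision=False)
    client2 = hardened.connect("10.0.0.5", authenticated=True)
    for _ in range(flood):
        hardened.connect("198.51.100.7")
    return {
        "vulnerable_dropped_after": dropped_after,
        "vulnerable_evictions": len(vulnerable.evicted),
        "hardened_client_alive": hardened.is_active(client2),
        "hardened_attacker_sessions": hardened.per_source["198.51.100.7"],
        "hardened_rejected": hardened.rejected,
    }


if __name__ == "__main__":
    print(demo())
```

In the vulnerable table the authenticated client is dropped after on the order of a few thousand attacker connections, which is the same mechanism as the browser-refresh loop above, only with the identifier space shrunk so that it happens in milliseconds rather than minutes. In the hardened table the per-source cap refuses everything past the eighth connection from the attacking address, the client session survives, and no eviction ever occurs.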

Added: Nov 14, 2025, 11:24 PM
Updated: Nov 14, 2025, 11:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.