Truesec LAPSWebUI Insufficient Session Expiration Vulnerability Allowing Privilege Escalation

Vulnerability

A vulnerability exists in Truesec's LAPSWebUI prior to version 2.4, where insufficient session expiration allows an attacker with access to a workstation to escalate privileges by disclosing the local admin password. The issue arises because the application does not invalidate session cookies server-side, so a cookie remains usable long after it was issued. The browser's default behaviour of discarding session cookies on close can be overridden, leaving the login state in place indefinitely. Additionally, the application's logout function only signs the user out of Entra ID, not out of LAPSWebUI itself.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation by allowing access to sensitive administrative credentials.

Reproduction

The vulnerability can be reproduced by accessing Truesec LAPSWebUI with the 'Force Reauth on Password request' setting disabled. After logging in via Entra ID, a session cookie is created. This cookie can be used to retrieve the local admin password even after an extended period, such as 13 days, demonstrating the lack of session expiration.

Remediation

Users are advised to update to LAPSWebUI version 2.4 or later. If an immediate update is not possible, the 'Force Reauth on Password request' setting can be enabled in the server's 'appsettings.json' file to require Entra ID sign-in before displaying passwords.
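To make the defect and its fix concrete, the following is an added example (not LAPSWebUI code) that contrasts a session store which trusts a cookie for as long as it exists, and whose logout only touches the identity provider, with one that enforces an absolute lifetime server-side and revokes the session on logout. The class and function names, the 8-hour lifetime, and the placeholder password text are assumptions made for this illustration.

```python
import secrets

# Constructed demo of the weakness described in the advisory (a session
# cookie honoured indefinitely, logout only at the IdP) beside a hardened
# store that expires and revokes sessions server-side. Not LAPSWebUI code;
# the class names and the 8-hour lifetime below are assumptions.

SESSION_LIFETIME = 8 * 3600  # assumed absolute session lifetime in seconds


class VulnerableSessionStore:
    """Trusts the cookie as long as it exists; nothing expires it server-side."""
    def __init__(self):
        self._sessions = {}

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)          # random session id for the cookie
        self._sessions[sid] = {"user": user, "issued": now}
        return sid

    def logout(self, sid):
        pass  # only signs out of the IdP; the local session record survives

    def user_for(self, sid, now):
        s = self._sessions.get(sid)
        return s["user"] if s else None       # age of the session is never checked


class HardenedSessionStore(VulnerableSessionStore):
    """Absolute expiry checked on every request, and logout deletes the session."""
    def logout(self, sid):
        self._sessions.pop(sid, None)         # server-side revocation

    def user_for(self, sid, now):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["issued"] > SESSION_LIFETIME:
            self._sessions.pop(sid, None)     # expired: drop it and force re-auth
            return None
        return s["user"]


def reveal_password(store, sid, now):
    """Gate the password display on a valid server-side session."""
    user = store.user_for(sid, now)
    if user is None:
        return None  # caller must send the user back through Entra ID sign-in
    return f"<placeholder local admin password, shown to {user}>"
```

With the vulnerable store, a cookie issued 13 days earlier still yields the password; with the hardened store the same request is refused and the user is sent back through sign-in.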

Added: Mar 16, 2026, 2:50 PM
Updated: Mar 16, 2026, 2:50 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 3.6
remediation: 0.0
relevance: 4.0
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.