dormakaba Access Manager
- < XAMB 04.06.212
- < BAME 06.00
A vulnerability in the dormakaba Access Manager stems from insufficient session management. Instead of using traditional session tokens or cookies, the system verifies authentication on a per-request basis by checking whether the originating IP address has previously logged in successfully. Once an authentication request from a specific IP address succeeds, that IP is treated as authenticated without any session information being stored. Because the only credential checked on later requests is the source IP address, a request that spoofs the IP address of a logged-in user is accepted, granting unauthorized access to the Access Manager web interface.
Exploitation of this vulnerability allows an attacker to gain unauthorized access to the Access Manager web interface by spoofing the IP address of a logged-in user.
To reproduce this vulnerability, first log into the Access Manager web interface from a specific IP address. Once logged in, all subsequent requests from that IP address will be authenticated without the need for a session token or cookie. This can be demonstrated by logging in and then sending requests that require authentication, such as accessing the web interface or using the SOAP API to control connected access managers.
Users are advised to update to the latest version of the dormakaba Access Manager 9200-K7, where this issue has been addressed. For Access Manager 9200-K5, which does not support the necessary updates, it is recommended to replace the hardware with a newer version.
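To make the design flaw concrete, the following constructed example (not dormakaba's code, and not derived from the Access Manager firmware) places the IP-based check described above beside the session-token check that replaces it; the function names, the 15-minute idle timeout and the sample addresses are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# --- Vulnerable pattern from the advisory: the source IP is the only credential ---
authenticated_ips: Set[str] = set()

def ip_login(source_ip: str, password_ok: bool) -> None:
    """Remember the client's IP as logged in; no per-session secret is issued."""
    if password_ok:
        authenticated_ips.add(source_ip)

def ip_is_authenticated(source_ip: str) -> bool:
    """Any request carrying a remembered source IP passes, whoever actually sent it.
    The server cannot tell the legitimate client from another host using that address."""
    return source_ip in authenticated_ips

# --- Hardened pattern: random, expiring session token bound to the login ---
SESSION_TTL = 15 * 60  # assumed idle timeout in seconds
sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user, expiry time)

def token_login(user: str, password_ok: bool, now: Optional[float] = None) -> Optional[str]:
    """On successful login issue a 256-bit random token the client must present later
    (in a cookie or header). Nothing about the client's IP is stored or trusted."""
    if not password_ok:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    sessions[token] = (user, now + SESSION_TTL)
    return token

def token_is_authenticated(presented: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Return the user for a valid, unexpired token, else None."""
    if not presented:
        return None
    now = time.time() if now is None else now
    # Constant-time comparison so a lookup cannot leak token bytes through timing.
    match = next((t for t in sessions if hmac.compare_digest(t, presented)), None)
    if match is None:
        return None
    user, expiry = sessions[match]
    if now > expiry:
        del sessions[match]  # expired sessions are discarded, not silently renewed
        return None
    return user
```

Under the hardened pattern a request from the same address without the token is rejected, which is exactly the check the IP-based design lacks.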