ScadaBR Session Fixation Vulnerability Allowing Session Hijacking

Vulnerability

A session fixation vulnerability has been identified in ScadaBR versions 1.12.4, 0.9, 1.0CE, and the ScadaBR Virtual Machine image referenced by OpenPLC documentation. The application issues a JSESSIONID session cookie to unauthenticated visitors and does not regenerate that identifier after a successful login. The session that existed before login therefore simply becomes the authenticated session, so anyone who knows (or has planted) the pre-authentication session ID can use it to act as the user as soon as that user logs in.

Impact

An attacker who obtains a pre-authentication session ID can hijack the resulting authenticated ScadaBR session and use it to reach SCADA monitoring pages and any other authenticated functionality. Access persists until the legitimate user logs out or the session expires on the server; nothing the victim does during normal use invalidates the stolen identifier.

Reproduction

To reproduce this vulnerability, open Browser A and navigate to the ScadaBR watch list page; the application redirects to the login page and sets a JSESSIONID cookie. Read that pre-authentication JSESSIONID value from Browser A's developer tools. Open Browser B and overwrite its JSESSIONID cookie with the value copied from Browser A. Log in with valid credentials in Browser A and observe that its JSESSIONID is unchanged after login. Browser B can now load authenticated content, such as the watch list, using the same session ID. Logging out from Browser A invalidates the server-side session and cuts off Browser B as well, which confirms that both browsers were sharing a single session rather than two independent ones.
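The two-browser procedure above can be automated so that it produces a clear verdict instead of a manual observation. The following script is an added example and is not part of the original advisory or of ScadaBR; it assumes (these are assumptions, not facts from the advisory) that ScadaBR is reachable at BASE_URL, that the login form lives at /ScadaBR/login.htm and accepts POST fields named username and password, and that /ScadaBR/watch_list.shtm is an authenticated page that redirects unauthenticated visitors to the login form. Browser A is modelled by an opener with its own cookie jar; Browser B has no jar at all and only ever presents the cookie copied from A.

```python
"""Session-fixation check modelled on the two-browser reproduction steps.

Added example, not ScadaBR code. Paths, form field names and the base URL
are assumptions; adjust them to the target under test.
"""
import http.cookiejar
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://127.0.0.1:8080"            # assumed ScadaBR location
LOGIN_PATH = "/ScadaBR/login.htm"             # assumed login form endpoint
WATCHLIST_PATH = "/ScadaBR/watch_list.shtm"   # assumed authenticated page
SESSION_COOKIE = "JSESSIONID"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a redirect to the login page is the signal we want."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(opener, url, data=None, cookie=None):
    """Issue one request and return (status, headers); 3xx is returned, not raised."""
    body = urllib.parse.urlencode(data).encode() if data is not None else None
    req = urllib.request.Request(url, data=body)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:
        return err.code, err.headers


def session_id(jar):
    """Return the JSESSIONID value held in a cookie jar, or None."""
    for cookie in jar:
        if cookie.name == SESSION_COOKIE:
            return cookie.value
    return None


def looks_authenticated(status, location):
    """True if the response is the page itself, not a bounce to the login form."""
    if status in (301, 302, 303, 307, 308):
        return "login" not in (location or "").lower()
    return status == 200


def classify(pre_sid, post_sid, a_authenticated, b_authenticated):
    """Turn the four observations into a verdict.

    a_authenticated: Browser A reached the watch list after logging in.
    b_authenticated: Browser B reached it using only A's pre-login session ID.
    """
    if not a_authenticated:
        return "INCONCLUSIVE"          # login itself failed; nothing to conclude
    if b_authenticated:
        return "VULNERABLE"            # pre-auth ID became the authenticated session
    if pre_sid and pre_sid == post_sid:
        return "INCONCLUSIVE"          # ID not rotated, yet B was refused: investigate
    return "NOT_VULNERABLE"            # ID rotated at login and old ID is dead


def check_session_fixation(base_url, username, password):
    jar = http.cookiejar.CookieJar()
    browser_a = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar), _NoRedirect())
    browser_b = urllib.request.build_opener(_NoRedirect())   # no jar on purpose
    watch, login = base_url + WATCHLIST_PATH, base_url + LOGIN_PATH

    fetch(browser_a, watch)                    # unauthenticated visit: server issues a session
    pre_sid = session_id(jar)
    if pre_sid is None:
        return "INCONCLUSIVE", None, None      # no cookie issued before login

    fetch(browser_a, login, data={"username": username, "password": password})
    post_sid = session_id(jar)
    a_status, a_headers = fetch(browser_a, watch)
    b_status, b_headers = fetch(browser_b, watch, cookie=f"{SESSION_COOKIE}={pre_sid}")
    verdict = classify(pre_sid, post_sid,
                       looks_authenticated(a_status, a_headers.get("Location")),
                       looks_authenticated(b_status, b_headers.get("Location")))
    return verdict, pre_sid, post_sid


if __name__ == "__main__":
    import sys
    user, pw = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("admin", "admin")
    print(check_session_fixation(BASE_URL, user, pw))
```

Run it as `python3 check.py <user> <password>` against a test instance. A VULNERABLE verdict means Browser B, holding nothing but the pre-login JSESSIONID, was served the authenticated page; a NOT_VULNERABLE verdict means the identifier changed at login and the old one was rejected. The INCONCLUSIVE branches exist so that a failed login or an unexpected server response is never misreported as a fix.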

Remediation

To address this vulnerability, ScadaBR should regenerate the session identifier upon successful authentication: invalidate the pre-login session and create a fresh one for the authenticated user, or, on Servlet 3.1 and later containers, call HttpServletRequest.changeSessionId() before marking the session as logged in. Either way the identifier an attacker may have learned or planted before login must stop working the moment authentication succeeds. Cookies should additionally be set with appropriate flags, such as HttpOnly, Secure (with HTTPS), and SameSite where applicable, and HTTPS should be enforced to reduce the risk of session theft over the network. Note that cookie flags and TLS only make the identifier harder to steal; they do not by themselves remove the fixation flaw, which is fixed only by rotating the identifier at login.
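The difference between the vulnerable and the corrected login behaviour, and the cookie flags recommended above, can be shown with a small server-side session model. This is an added example written for this page, not ScadaBR's own code (ScadaBR is a Java servlet application; the Python below stands in for the container's session store). The victim and attacker names, the password check and the cookie path are constructed for the demonstration.

```python
"""Model of a servlet-style session store with and without rotation at login.

Added example, not ScadaBR code. Credentials, names and the cookie path are
constructed for the demonstration.
"""
import secrets

VALID_PASSWORDS = {"alice": "correct horse"}   # constructed test credential


class SessionStore:
    """Holds server-side sessions keyed by their cookie value."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}           # session id -> {"user": username or None}

    def new_session(self):
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username, password):
        """Authenticate; return the session id the client must use from now on."""
        if VALID_PASSWORDS.get(username) != password or sid not in self.sessions:
            return sid                                  # unchanged, still anonymous
        if self.rotate_on_login:
            self.sessions.pop(sid)                      # invalidate the pre-login session
            sid = self.new_session()                    # fresh id, unknown to anyone else
        self.sessions[sid]["user"] = username           # vulnerable path reuses old sid
        return sid

    def authenticated_user(self, sid):
        return self.sessions.get(sid, {}).get("user")

    def logout(self, sid):
        self.sessions.pop(sid, None)


def set_cookie_header(sid, https, path="/ScadaBR"):
    """Set-Cookie value with the flags the remediation recommends."""
    attrs = [f"JSESSIONID={sid}", f"Path={path}", "HttpOnly", "SameSite=Lax"]
    if https:
        attrs.append("Secure")       # only meaningful once HTTPS is enforced
    return "; ".join(attrs)


def run_fixation_scenario(rotate_on_login):
    """Replay the two-browser attack; return what the attacker's session id yields."""
    store = SessionStore(rotate_on_login)
    pre_login_sid = store.new_session()                # Browser A visits the watch list
    attacker_sid = pre_login_sid                       # Browser B copies the cookie
    victim_sid = store.login(pre_login_sid, "alice", "correct horse")
    seen_by_attacker = store.authenticated_user(attacker_sid)
    store.logout(victim_sid)
    return {
        "sid_changed": victim_sid != pre_login_sid,
        "attacker_sees": seen_by_attacker,
        "attacker_after_logout": store.authenticated_user(attacker_sid),
    }


if __name__ == "__main__":
    print("vulnerable:", run_fixation_scenario(rotate_on_login=False))
    print("fixed:     ", run_fixation_scenario(rotate_on_login=True))
    print(set_cookie_header("example", https=True))
```

In the vulnerable configuration the attacker's copied identifier resolves to alice as soon as she logs in, exactly as in the reproduction steps; with rotation enabled the copied identifier is dropped from the store at login and resolves to nobody, while the victim continues with a new identifier that was never exposed.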

Added: Mar 9, 2026, 9:22 PM
Updated: Mar 9, 2026, 9:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.0
exploitability: 5.4
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.