HKUDS OpenHarness Session Key Derivation Vulnerability Allowing Session Hijacking

Vulnerability

A session key derivation vulnerability has been identified in HKUDS OpenHarness versions prior to the PR #159 remediation. This vulnerability allows authenticated users in shared chats or threads to hijack the sessions of other users. The issue arises from a shared session key that does not verify sender identity, enabling attackers to reuse another user's conversation state and disrupt their ongoing tasks by interfering with the same session boundary within the shared chat or thread.

Impact

Exploitation of this vulnerability could lead to unauthorized session hijacking, allowing attackers to impersonate other users and disrupt their activities by interfering with their conversation state and active tasks.

Reproduction

To reproduce this vulnerability, an authenticated user can join a shared chat or thread. Once in the same chat or thread, the user can exploit the shared session key, which lacks sender identity verification, to hijack another user's session. This can be done by colliding with the same session boundary through the shared chat or thread scope, thereby taking over the other user's conversation state and active tasks.

Remediation

Users are advised to update to the version of HKUDS OpenHarness that includes the PR #159 remediation.
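The class of flaw described above, shown as an added example that is not OpenHarness code and does not reproduce PR #159: a session key built from chat or thread scope alone next to one that also includes the sender. The message fields, function names and the sample traffic are hypothetical, and the audit helper shows how to detect sessions whose state mixes more than one sender.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Message:  # hypothetical inbound-message shape; field names are assumptions
    channel: str
    chat_id: str
    thread_id: Optional[str]
    sender_id: str
    text: str

def shared_scope_key(msg):
    """Weak: key covers only the chat/thread scope; the sender is ignored."""
    return ":".join([msg.channel, msg.chat_id, msg.thread_id or "-"])

def sender_scoped_key(msg):
    """Hardened: sender identity is part of the session boundary."""
    parts = [msg.channel, msg.chat_id, msg.thread_id or "-", msg.sender_id]
    # Length-prefix each part so ("a:b", "c") can never alias ("a", "b:c").
    return "|".join(f"{len(p)}:{p}" for p in parts)

class SessionStore:
    """Toy in-memory store: session key -> list of (sender, text) turns."""
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.sessions = {}

    def handle(self, msg):
        history = self.sessions.setdefault(self.key_fn(msg), [])
        history.append((msg.sender_id, msg.text))
        return history

def mixed_sender_sessions(store):
    """Audit check: number of sessions whose state holds more than one sender."""
    return sum(1 for h in store.sessions.values() if len({s for s, _ in h}) > 1)

# Constructed sample traffic: two users posting in the same shared thread.
SAMPLE = [
    Message("chat", "C100", "T1", "alice", "summarise the Q3 report"),
    Message("chat", "C100", "T1", "bob", "draft a release note"),
    Message("chat", "C100", "T1", "alice", "continue"),
]

def run(key_fn):
    store = SessionStore(key_fn)
    for m in SAMPLE:
        store.handle(m)
    return store
```

With `shared_scope_key` both users land in one session and the audit reports it; with `sender_scoped_key` each sender keeps separate state.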

Added: Apr 20, 2026, 10:21 PM
Updated: Apr 20, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 5.8
remediation: 0.0
relevance: 6.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.