SMC Cookie secure flag

SMC Cookie secure flag

Advisory ID	CVE Number	Date discovered	Severity	Advisory revision
STORM-2019-021		05/09/2019	high	v1

Vulnerability details

An attacker can steal a session cookie with a MitM attack.

Impacted products

Products	Severity	Detail
Stormshield Network Security	high	fixed

Revisions

Version	Date	Description
v1		Initial release

Stormshield Network Security

CVSS v2 Overall Score: 7.4

Analysis	Impacted version
An attacker might steal a session cookie, while doing a MitM attack and sending non-SSL URL to an administrator.	SMC 1.0.0 to 2.6.1

Workaround solution	Solution
Sensitize administrators to not click on suspicious links.	The 2.6.2 update will fix this vulnerability.

Access vector	Access complexity	Authentication	Confidentiality impact	Integrity impact	Availability impact
Network	High	None	Complete	Partial	Partial

CVSS Base score: 6.6	CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:P/A:P)

Exploitability	Remediation Level	Report Confidence
High	Official fix	Confirmed

CVSS Temporal score: 5.7	CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:P/A:P/E:H/RL:OF/RC:C)

Collateral Damage Potential	Target Distribution
Medium-High	High [76-100%]

CVSS Environmental score: 7.4	CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:P/A:P/E:H/RL:OF/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)

RSS Feed Contact Report a vulnerability Legal terms STORMSHIELD Corporate website Personal Data