NVD Vulnerability Details: CVE-2018-12520
Analyzed
Source: cve@mitre.org
Published At: 05 Jul, 2018 | 20:29
Updated At: 10 Feb, 2024 | 03:01

An issue was discovered in ntopng 3.4 before 3.4.180617. The PRNG involved in the generation of session IDs is not seeded at program startup. This results in deterministic session IDs being allocated for active user sessions. An attacker with foreknowledge of the operating system and standard library in use by the host running the service and the username of the user whose session they're targeting can abuse the deterministic random number generation in order to hijack the user's session, thus escalating their access.

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Primary
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Primary
Version: 2.0
Base score: 6.8
Base severity: MEDIUM
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
CPE Matches

ntop >> ntopng >> Versions from 3.4 (inclusive) to 3.4.180617 (exclusive)
cpe:2.3:a:ntop:ntopng:*:*:*:*:*:*:*:*
Weaknesses
CWE ID: CWE-335
Type: Primary
Source: nvd@nist.gov
References
Hyperlink: http://seclists.org/fulldisclosure/2018/Jul/14
Source: cve@mitre.org
Resource: Exploit, Mailing List, Third Party Advisory

Hyperlink: https://gist.github.com/Psychotropos/3e8c047cada9b1fb716e6a014a428b7f
Source: cve@mitre.org
Resource: Exploit

Hyperlink: https://github.com/ntop/ntopng/commit/30610bda60cbfc058f90a1c0a17d0e8f4516221a
Source: cve@mitre.org
Resource: Patch

Hyperlink: https://www.exploit-db.com/exploits/44973/
Source: cve@mitre.org
Resource: Exploit, VDB Entry, Third Party Advisory