CVE-2015-2804

Alcatel-Lucent OmniSwitch Web Interface Weak Session ID

Severity Score

4.3

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, and 6855 with firmware before 6.6.4.309.R01 and 6.6.5.x before 6.6.5.80.R02 generates weak session identifiers, which allows remote attackers to hijack arbitrary sessions via a brute force attack.

La gestión de la interfaz web en Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400 y 6855 con firmware en versiones anteriores a 6.6.4.309.R01 y 6.6.5.x en versiones anteriores a 6.6.5.80.R02 genera identificadores de sesión débiles, lo que permite a atacantes remotos secuestrar sesiones arbitrarias a través de un ataque de fuerza bruta.

During a penetration test, RedTeam Pentesting discovered a vulnerability in the management web interface of an Alcatel-Lucent OmniSwitch 6450. This interface uses easily guessable session IDs, which allows attackers to authenticate as a currently logged-in user and perform administrative tasks.

*Credits: N/A

CVSS Scores

NISTv2 4.3

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-03-30 CVE Reserved
2015-06-10 CVE Published
2023-09-16 EPSS Updated
2024-08-06 CVE Updated
2024-08-06 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (5)

URL	Tag	Source
http://www.securityfocus.com/archive/1/535731/100/0/threaded	Mailing List
http://www.securityfocus.com/bid/75125	Vdb Entry

URL	Date	SRC
http://packetstormsecurity.com/files/132235/Alcatel-Lucent-OmniSwitch-Web-Interface-Weak-Session-ID.html	2024-08-06
http://seclists.org/fulldisclosure/2015/Jun/22	2024-08-06
https://www.redteam-pentesting.de/en/advisories/rt-sa-2015-003/-alcatel-lucent-omniswitch-web-interface-weak-session-id	2024-08-06

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.4.5.r02 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.4.5.r02"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6250 Search vendor "Alcatel-lucent" for product "Omniswitch 6250"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.4.5.r02 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.4.5.r02"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6400 Search vendor "Alcatel-lucent" for product "Omniswitch 6400"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.4.5.r02 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.4.5.r02"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6450 Search vendor "Alcatel-lucent" for product "Omniswitch 6450"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.4.5.r02 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.4.5.r02"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6850e Search vendor "Alcatel-lucent" for product "Omniswitch 6850e"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.4.5.r02 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.4.5.r02"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6855 Search vendor "Alcatel-lucent" for product "Omniswitch 6855"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.4.5.r02 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.4.5.r02"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 9000e Search vendor "Alcatel-lucent" for product "Omniswitch 9000e"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.4.6.r01 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.4.6.r01"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6250 Search vendor "Alcatel-lucent" for product "Omniswitch 6250"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.4.6.r01 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.4.6.r01"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6400 Search vendor "Alcatel-lucent" for product "Omniswitch 6400"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.4.6.r01 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.4.6.r01"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6450 Search vendor "Alcatel-lucent" for product "Omniswitch 6450"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.4.6.r01 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.4.6.r01"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6850e Search vendor "Alcatel-lucent" for product "Omniswitch 6850e"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.4.6.r01 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.4.6.r01"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6855 Search vendor "Alcatel-lucent" for product "Omniswitch 6855"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.4.6.r01 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.4.6.r01"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 9000e Search vendor "Alcatel-lucent" for product "Omniswitch 9000e"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.6.4.r01 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.6.4.r01"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6250 Search vendor "Alcatel-lucent" for product "Omniswitch 6250"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.6.4.r01 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.6.4.r01"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6400 Search vendor "Alcatel-lucent" for product "Omniswitch 6400"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.6.4.r01 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.6.4.r01"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6450 Search vendor "Alcatel-lucent" for product "Omniswitch 6450"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.6.4.r01 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.6.4.r01"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6850e Search vendor "Alcatel-lucent" for product "Omniswitch 6850e"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.6.4.r01 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.6.4.r01"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6855 Search vendor "Alcatel-lucent" for product "Omniswitch 6855"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.6.4.r01 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.6.4.r01"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 9000e Search vendor "Alcatel-lucent" for product "Omniswitch 9000e"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.6.5.r02 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.6.5.r02"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6250 Search vendor "Alcatel-lucent" for product "Omniswitch 6250"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.6.5.r02 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.6.5.r02"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6400 Search vendor "Alcatel-lucent" for product "Omniswitch 6400"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.6.5.r02 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.6.5.r02"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6450 Search vendor "Alcatel-lucent" for product "Omniswitch 6450"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.6.5.r02 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.6.5.r02"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6850e Search vendor "Alcatel-lucent" for product "Omniswitch 6850e"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.6.5.r02 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.6.5.r02"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 6855 Search vendor "Alcatel-lucent" for product "Omniswitch 6855"	*	-	Safe
Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch Firmware Search vendor "Alcatel-lucent" for product "Omniswitch Firmware"	<= 6.6.5.r02 Search vendor "Alcatel-lucent" for product "Omniswitch Firmware" and version " <= 6.6.5.r02"	-	Affected	in	Alcatel-lucent Search vendor "Alcatel-lucent"	Omniswitch 9000e Search vendor "Alcatel-lucent" for product "Omniswitch 9000e"	*	-	Safe