Security

"Remember Me" Cookied Login Vulnerabilities

Summary

We have identified several weaknesses in the cookied login process that would allow a sophisticated attacker to access the CMS as another user using only "remember me" cookies.

Cookie authenticity

Cookies were not expired or validated on the application side. It was previously possible to acquire a user's cookie, and, regardless of age, use it to gain access to the CMS. A valid expiration date was set in the cookie but not enforced in the application. Note that while the cookie itself was securely stored in the browser, the application was not taking the appropriate steps to verify its age and authenticity.

Cookie hijacking

It was possible to hijack a user's "remember me" cookies by embedding a script within a page served up by the CMS application.

It was also possible to log in to a Custom Authentication user account using a valid "remember me" cookie even though Custom Authentication users cannot generate "remember me" cookies through the normal login process.

Weak cookie encryption

The unique value stored in the cookie was weakly encrypted and vulnerable to a brute-force attack or to an attack where a sophisticated user reverse engineered and manufactured valid cookie values on behalf of users.
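
The checks whose absence is described under "Cookie authenticity", "Cookie hijacking" (the Custom Authentication case) and "Weak cookie encryption" can be sketched as follows. This is an added example, not Cascade CMS code or the vendor's fix; the class and function names, the in-memory dict standing in for a database table, and the 14-day lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 14 * 24 * 3600  # assumed lifetime; not a value from the advisory


class RememberMeStore:
    """Hypothetical server-side token table (a dict stands in for the database)."""

    def __init__(self, allows_remember_me):
        self._allowed = allows_remember_me  # callable: user -> bool
        self._rows = {}  # selector -> (sha256(token), user, expires_at)

    def issue(self, user, now=None):
        if not self._allowed(user):
            return None  # e.g. externally authenticated accounts
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)  # lookup key, not a secret
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self._rows[selector] = (digest, user, now + TTL_SECONDS)
        return f"{selector}:{token}"          # cookie value sent to the browser

    def validate(self, cookie_value, now=None):
        now = time.time() if now is None else now
        selector, sep, token = cookie_value.partition(":")
        row = self._rows.get(selector)
        if not sep or row is None:
            return None
        digest, user, expires_at = row
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, digest):
            return None  # forged or guessed token
        # Expiry and account policy are decided from server-side state only;
        # nothing the browser sends (including the cookie's own date) is trusted.
        if now >= expires_at or not self._allowed(user):
            del self._rows[selector]
            return None
        return user
```

Because the token is random rather than derived from user data, there is nothing to reverse engineer, and storing only its hash means a leaked table does not yield usable cookie values.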

Remediation

If you are an on-premise Cascade CMS customer, please update to Cascade CMS 8.22.1 or later as soon as possible.

If you are a Cascade Cloud customer, your system has already been patched.