Revive Adserver Security Advisory REVIVE-SA-2021-005

  • Advisory ID: REVIVE-SA-2021-005
  • CVE-IDs: CVE-2021-22948
  • Date: 2021-09-14
  • Risk Level: Low
  • Applications affected: Revive Adserver
  • Versions affected: <= 5.3.0
  • Versions not affected: >= 5.3.0
  • Website: https://www.revive-adserver.com/

Vulnerability: Broken or Risky Cryptographic Algorithm

  • Vulnerability type: Use of a Broken or Risky Cryptographic Algorithm [CWE-327]
  • CVE-ID: CVE-2021-22948
  • CVSSv3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
  • CVSS Base Score: 6.5
  • CVSS Impact Subscore: 4.2
  • CVSS Exploitability Subscore: 2.2

Description

A security researcher has reported a vulnerability in the generation of session IDs, which were based on the cryptographically insecure uniqid() PHP function. Under some circumstances, an attacker could theoretically brute-force session IDs in order to take over a specific account.

Details

The uniqid() PHP function was used to generate session identifiers and CSRF tokens, albeit with “more_entropy” enabled; even with that flag the function is not a cryptographically secure source of randomness. Both have been switched to the CSPRNG random_bytes() function.
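As an added illustration (not Revive Adserver's own code), the uniqid()-based pattern the advisory describes is shown beside a random_bytes() replacement, with a constant-time comparison for the CSRF token; the function names and the in-memory store are assumptions for this example.

```php
<?php
// Added example, not Revive Adserver code: weak vs. hardened token generation.

// Weak pattern: uniqid() is derived from the current time in microseconds; the
// more_entropy flag only appends output of lcg_value(), a non-cryptographic PRNG.
// Hashing it produces 32 hex characters, but the length does not add entropy.
function weakSessionId(): string
{
    return md5(uniqid('', true));
}

// Hardened pattern: bytes from the OS CSPRNG. random_bytes() throws an
// Exception when no secure source is available instead of silently degrading.
function secureToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));   // 64 hex chars for 32 bytes (256 bits)
}

// CSRF tokens are compared in constant time so timing does not leak a match prefix.
function csrfTokenMatches(string $expected, string $submitted): bool
{
    return hash_equals($expected, $submitted);
}

// Minimal usage: a stand-in for session storage (assumption, not $_SESSION).
$store = ['csrf' => secureToken()];
$submittedFromForm = $store['csrf'];    // constructed: the client echoes the token back
var_dump(strlen($store['csrf']) === 64);                       // bool(true)
var_dump(csrfTokenMatches($store['csrf'], $submittedFromForm)); // bool(true)
var_dump(csrfTokenMatches($store['csrf'], weakSessionId()));   // bool(false)
```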

References

Solution

We strongly advise people to upgrade to the most recent 5.3.0 version of Revive Adserver, or whatever happens to be the current release at the time of reading this security advisory.

Contact Information

The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>

Please review https://www.revive-adserver.com/security/ before doing so.