Hasplm cookie does not have a HTTPOnly attribute.
# Vulnerability: Hasplm Cookie Missing HTTPOnly Attribute in Sentinel LDK
## CVE Details
- **CVE ID:** CVE-2019-8283
- **CVSS Score:** 4.3 (Medium)
*Note: While the provided text lists a base score of 0.0, the actual CVSS vector provided (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) and NVD records indicate a score of 4.3.*
- **CWE:** CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag)
## Affected Systems
- **Products:** Thales Sentinel LDK (License Development Kit)
- **Versions:** All versions prior to 7.92
- **Configurations:** Systems running the Sentinel License Manager (hasplm) web interface.
## Vulnerability Description
The `hasplm` cookie issued by the Sentinel LDK License Manager is set without the `HTTPOnly` attribute. When this flag is missing, the cookie can be read by client-side scripts (such as JavaScript). If a Cross-Site Scripting (XSS) vulnerability exists on the same domain, an attacker can programmatically steal the session cookie, leading to potential session hijacking.
## Exploitation
- **Status:** Unknown (No widely reported public exploits at time of advisory)
- **Complexity:** Low
- **Attack Vector:** Network
- **User Interaction:** Required (Victim must visit a malicious site or click a malicious link to trigger script execution)
## Impact
- **Confidentiality:** Low (Cookie data can be read by malicious scripts)
- **Integrity:** None
- **Availability:** None
## Remediation
### Patches
- **Thales Sentinel LDK Version 7.92:** Support for the HTTPOnly attribute was added in this release (02 May 2019). Users should upgrade to this version or newer.
### Workarounds
- Ensure the Sentinel License Manager interface is not exposed to the public internet.
- Implement strict network access control lists (ACLs) to limit access to the `hasplm` interface to trusted administrative IP addresses only.
## Detection
- **Indicators of Compromise:** Unusual administrative activity originating from unauthorized IP addresses may indicate session hijacking.
- **Detection Methods:**
  - **Manual Verification:** Inspect browser cookies for the Sentinel License Manager interface; check whether the "HTTPOnly" flag is set to `false` or is missing.
  - **Vulnerability Scanning:** Use web application security scanners to identify cookies missing security flags.
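The manual verification above can be automated against a captured HTTP response from the License Manager interface. The following Python check is an added example, not code from the advisory or from Thales; the sample responses are constructed, and the cookie value and HTML body are placeholders.

```python
# Added example: flag Set-Cookie headers that lack the HttpOnly attribute.
# The sample responses are constructed and do not reflect real captured traffic.
from typing import Dict, List, Tuple

# Cookie name the advisory concerns; compared case-insensitively.
SESSION_COOKIES = {"hasplm"}

def set_cookie_headers(raw_response: str) -> List[str]:
    """Return every Set-Cookie header value from a raw HTTP/1.1 response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.partition(":")[2].strip()
            for line in head.split("\r\n")
            if line.lower().startswith("set-cookie:")]

def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, object]]:
    """Split one Set-Cookie value into (name, value, attributes).
    Attribute keys are lowercased; flag attributes such as HttpOnly map to True."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs

def cookies_missing_httponly(raw_response: str) -> List[str]:
    """Names of all cookies in the response that are set without HttpOnly."""
    return [parse_set_cookie(h)[0] for h in set_cookie_headers(raw_response)
            if "httponly" not in parse_set_cookie(h)[2]]

def session_cookie_exposed(raw_response: str) -> bool:
    """True when the hasplm session cookie is readable by client-side script."""
    return any(n.lower() in SESSION_COOKIES
               for n in cookies_missing_httponly(raw_response))

# Constructed sample: the first response mirrors the pre-7.92 behaviour the
# advisory describes (no HttpOnly); the second is the corrected form.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: hasplm=PLACEHOLDER_SESSION_VALUE; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>PLACEHOLDER_BODY</html>"
)
FIXED_RESPONSE = VULNERABLE_RESPONSE.replace("; Path=/", "; Path=/; HttpOnly")

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, cookies_missing_httponly(resp), "exposed:", session_cookie_exposed(resp))
```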
## References
- **Vendor Advisory:** Thales/Gemalto Sentinel LDK Release Notes
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2019/06/05/klcert-19-030-hasplm-cookie-without-httponly-attribute/
- **NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2019-8283