CVE-2026-46544
Status: Deferred - Pending Action
Microsoft UFO Session Replay Vulnerability

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In version 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied session_id values in WebSocket TASK messages and reuses an existing in-memory session object whenever a session with that session_id already exists. If a prior session has completed and remains in memory with populated results, a different authenticated client can send a new TASK message carrying the same session_id. The server re-enters the existing session object and delivers the stale stored result to the new requester through the normal send_task_end() callback path. This is an authenticated cross-client stale result replay issue. Exploitation requires that the attacker knows or can predict a live or recently completed session_id.
Meta Information
Generated: 2026-06-17
EPSS Evaluated: 2026-06-16
Affected Vendors & Products
Vendor: microsoft
Product: ufo
Version / Range: From 3.0.1 (inc) to 4-ge2626659 (exc)

The range shown above is a mechanical split of the single version string 3.0.1-4-ge2626659 named in the description. That string is a git-describe build identifier (tag 3.0.1, four commits later, at commit e2626659), so the page identifies one specific build as affected rather than a range ending at a release called "4-ge2626659".
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

This vulnerability exists in the Microsoft UFO open-source framework for intelligent automation. In version 3.0.1-4-ge2626659, the framework accepts client-supplied session_id values in WebSocket TASK messages and reuses an existing in-memory session object whenever a session with that session_id already exists.

If a prior session has completed but still remains in memory with its results, a different authenticated client can send a new TASK message with the same session_id. The server re-enters the existing session object and sends the stale stored result to the new requester through the send_task_end() callback path.

The result is an authenticated cross-client stale result replay: an attacker who knows or can predict a live or recently completed session_id receives the output of another user's session.

Impact Analysis

An authenticated attacker can read the stored results of another user's completed session. This is an information disclosure: whatever the prior task produced (automation output, workflow data, screen- or device-derived content) is returned to a client that did not own the session.

Three preconditions bound the risk: the attacker must be authenticated, must know or predict a valid session_id, and the target session must still be resident in memory with populated results. Where session ids are predictable or exposed in logs and URLs, and completed sessions are not evicted, the window is wide and the severity follows the sensitivity of the task output.

Compliance Impact

This vulnerability allows disclosure of stale session outputs, workflow data, or device-derived results to unauthorized parties due to reuse of client-supplied session IDs in Microsoft UFO. Such unauthorized data disclosure can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information to prevent unauthorized access.

Because the issue involves authenticated attackers accessing data from other sessions without proper validation, it may violate principles of data confidentiality and access control required by these standards.

Mitigation Strategies

Update Microsoft UFO to a release later than 3.0.1-4-ge2626659 that contains the fix; the page identifies only that build as affected, so confirm the fixing commit in the project's release notes before relying on a later version.

Because the attacker is already authenticated, restricting access to authenticated clients does not mitigate this issue. The server should bind each session to the identity of the client that created it and reject any TASK message whose session_id refers to a session owned by a different client; better still, it should not accept client-supplied session_id values for new tasks at all and should generate them server-side.

Evict completed sessions from the in-memory registry (or at least clear their results) once send_task_end() has delivered them, and generate session ids from a cryptographically secure random source so they cannot be predicted.
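The following is an added example, not code from Microsoft UFO or from this page: a minimal in-memory session registry that shows the vulnerable lookup-or-create path beside a hardened one implementing the three mitigations above (server-minted ids, owner binding, eviction after delivery). The class and function names (VulnerableRegistry, HardenedRegistry, handle_task, run_task, send_task_end), the TASK message shape and the client names are hypothetical and chosen for illustration.

```python
"""Added example (not UFO's own code): vulnerable vs hardened session lookup.
All names, the message shape and the scenario in demo() are constructed."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    session_id: str
    owner: str                      # authenticated client that created it
    result: Optional[str] = None    # populated when the task completes
    completed: bool = False


def run_task(request: str) -> str:
    """Stand-in for the automation step; returns a constructed result."""
    return f"result-for:{request}"


def send_task_end(session: Session) -> str:
    """Stand-in for the task-end callback; returns what the client receives."""
    return session.result


class VulnerableRegistry:
    """Keys sessions by a client-supplied session_id and reuses whatever exists."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def handle_task(self, client: str, msg: dict) -> str:
        sid = msg["session_id"]
        session = self.sessions.get(sid)
        if session is None:
            session = Session(session_id=sid, owner=client)
            self.sessions[sid] = session
        if session.completed:
            # Re-enters the finished session and replays its stored result to
            # whoever sent the id, with no check that `client` owns it.
            return send_task_end(session)
        session.result = run_task(msg["request"])
        session.completed = True
        return send_task_end(session)


class HardenedRegistry:
    """Server-generated ids, owner binding, and eviction once delivered."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def handle_task(self, client: str, msg: dict) -> str:
        sid = msg.get("session_id")
        if sid is None:
            # New task: never adopt a client-chosen id; mint one with a CSPRNG.
            # A real server would return `sid` to the client for follow-ups.
            sid = secrets.token_urlsafe(32)
            session = Session(session_id=sid, owner=client)
            self.sessions[sid] = session
        else:
            session = self.sessions.get(sid)
            if session is None or session.owner != client:
                # Unknown id or id owned by another client: same refusal for
                # both, so a probing client cannot enumerate live ids.
                raise PermissionError("unknown session")
        session.result = run_task(msg["request"])
        session.completed = True
        try:
            return send_task_end(session)
        finally:
            # Deliver exactly once, then drop the result so it cannot be replayed.
            del self.sessions[sid]


def demo() -> dict:
    """Constructed scenario: alice completes a task, then bob replays her id."""
    out = {}
    v = VulnerableRegistry()
    v.handle_task("alice", {"session_id": "sess-1", "request": "export-report"})
    out["vulnerable_bob_gets"] = v.handle_task(
        "bob", {"session_id": "sess-1", "request": "anything"})

    h = HardenedRegistry()
    out["hardened_alice_gets"] = h.handle_task("alice", {"request": "export-report"})
    out["hardened_left_in_memory"] = len(h.sessions)
    try:
        h.handle_task("bob", {"session_id": "sess-1", "request": "anything"})
        out["hardened_bob_gets"] = "stale result"
    except PermissionError:
        out["hardened_bob_gets"] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```

In the vulnerable registry bob receives alice's "result-for:export-report" without ever having run a task; in the hardened registry the session is gone from memory before bob's message arrives, and even a correctly guessed id would fail the owner check.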

Detection Guidance

Detecting exploitation means identifying a session_id that is used in TASK messages by more than one authenticated client. The server is the only place that sees both the client identity and the session_id in plaintext, so server-side logging of (client, session_id, message type) for every TASK message is the most reliable source; network capture works only where the WebSocket traffic is not TLS-protected or the capture point sits behind TLS termination.

Look for the same session_id appearing in TASK messages from different clients, and in particular for a TASK message that reuses the session_id of a session that has already ended, which is the stale-result replay pattern.

Where plaintext traffic is available, capture it with tcpdump or Wireshark and filter for WebSocket frames that carry a session_id field.

  • Use tcpdump to capture WebSocket traffic on the relevant port: tcpdump -i <interface> -w capture.pcap port <websocket_port>
  • Analyze the capture with Wireshark (display filter: websocket), inspecting session_id values for reuse across different client IPs or authenticated identities.
  • Alternatively, parse the server's own message logs with a script and flag every session_id that is used by more than one client.

A packet capture only helps if the WebSocket traffic is plaintext (ws://) or the capture point is behind TLS termination; for wss:// deployments, instrument the server or its access logs instead. Either way the analysis needs the client identity attached to each message: the indicator is one session_id used by two different clients, not session_id repetition by itself, since several messages from one client carrying its own session_id is the normal case.
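The following is an added example, not part of the original page or of UFO: the detection logic from the guidance above run over a server-side message log. The log format (one JSON object per line with ts, client, type and session_id fields) and the sample lines are constructed for illustration; a real deployment would adapt parse() to whatever the server actually emits.

```python
"""Added example (not UFO's own code): flag session_id reuse across clients.
The JSON-lines log format and SAMPLE_LOG are constructed for illustration."""
import json

# Constructed sample: alice runs a task to completion, carol legitimately sends
# two messages in her own session, then bob replays alice's finished id.
SAMPLE_LOG = """\
{"ts": "2026-05-27T10:00:00Z", "client": "alice", "type": "TASK", "session_id": "s-1001"}
{"ts": "2026-05-27T10:00:09Z", "client": "alice", "type": "TASK_END", "session_id": "s-1001"}
{"ts": "2026-05-27T10:01:00Z", "client": "carol", "type": "TASK", "session_id": "s-1002"}
{"ts": "2026-05-27T10:01:04Z", "client": "carol", "type": "TASK", "session_id": "s-1002"}
{"ts": "2026-05-27T10:02:30Z", "client": "bob", "type": "TASK", "session_id": "s-1001"}
{"ts": "2026-05-27T10:02:30Z", "client": "bob", "type": "TASK_END", "session_id": "s-1001"}
"""


def parse(log_text: str) -> list[dict]:
    """Parse JSON lines, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_cross_client_reuse(events: list[dict]) -> list[dict]:
    """Return one finding per TASK message whose session_id was first used by
    a different client. `after_completion` marks the stale-result replay case:
    the session had already emitted TASK_END when the other client reused it."""
    owner: dict[str, str] = {}      # session_id -> client that first used it
    ended: set[str] = set()         # session_ids that have seen TASK_END
    findings = []
    # Stable sort keeps same-timestamp events in log order (TASK before TASK_END).
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev.get("session_id")
        if not sid:
            continue
        if ev.get("type") == "TASK":
            first = owner.setdefault(sid, ev["client"])
            if first != ev["client"]:
                findings.append({
                    "ts": ev["ts"],
                    "session_id": sid,
                    "owner": first,
                    "requester": ev["client"],
                    "after_completion": sid in ended,
                })
        elif ev.get("type") == "TASK_END":
            ended.add(sid)
    return findings


if __name__ == "__main__":
    for f in detect_cross_client_reuse(parse(SAMPLE_LOG)):
        print(f)
```

Carol's repeated use of her own session_id produces no finding; bob's TASK on s-1001 produces one, with owner alice and after_completion set, which is exactly the cross-client replay of a completed session this CVE describes.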
