Source: ntopng
Version: 3.2+dfsg1-1
Severity: important
Tags: patch security upstream

Hi,

The following vulnerability was published for ntopng.

CVE-2018-12520[0]:
| An issue was discovered in ntopng 3.4 before 3.4.180617. The PRNG
| involved in the generation of session IDs is not seeded at program
| startup. This results in deterministic session IDs being allocated for
| active user sessions. An attacker with foreknowledge of the operating
| system and standard library in use by the host running the service and
| the username of the user whose session they're targeting can abuse the
| deterministic random number generation in order to hijack the user's
| session, thus escalating their access.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-12520
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12520
[1] http://seclists.org/fulldisclosure/2018/Jul/14
[2] 
https://github.com/ntop/ntopng/commit/30610bda60cbfc058f90a1c0a17d0e8f4516221a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to