In October 2021, a critical vulnerability was reported in Lanner Inc's IAC-AST250A standard firmware (version 1.10.) and was assigned CVE-2021-46279 by the Common Vulnerabilities and Exposures (CVE) system. The vulnerability involves two issues – session fixation and insufficient session expiration – which, when combined, allow an attacker to perform session hijacking attacks against users. This blog post aims to provide a detailed overview of the vulnerability, including code snippets, links to original references, and exploit details.

The affected device – Lanner Inc IAC-AST250A

The IAC-AST250A is an intelligent access control system designed for secure access management and monitoring, specifically targeting applications in critical infrastructure and industry 4. environments. The device is equipped with the standard firmware, which was discovered to have the vulnerability in question.

Session Fixation

Session fixation is a type of vulnerability where an attacker can initiate a session with an application and then force that same session on a victim, giving the attacker control over the victim's session. In the case of IAC-AST250A's vulnerability, an attacker can create a session and obtain the session ID before the victim logs into the application. Once the victim logs in, the attacker can use the previously acquired session ID to hijack the victim's session.

Code snippet of session fixation

// Sample code to demonstrate session fixation

// Attacker initiates a session
GET /login HTTP/1.1
Set-Cookie: session_id=123ABC

// Victim logs in using attacker session ID
POST /login HTTP/1.1
Cookie: session_id=123ABC
User credentials

// Attacker uses victim's session
GET /userdata HTTP/1.1
Cookie: session_id=123ABC

Insufficient Session Expiration

Insufficient session expiration occurs when an application does not effectively expire sessions after a set period of inactivity or following a user's logout, allowing an attacker to reuse the session and gain unauthorized access to the application. The insufficient session expiration vulnerability found in the IAC-AST250A firmware makes it possible for an attacker to reuse older session IDs, thus increasing the likelihood of a successful session hijacking attack.

Code snippet of insufficient session expiration

// Sample code to demonstrate insufficient session expiration

// Victim logs out
POST /logout HTTP/1.1
Cookie: session_id=123ABC

// Server returns an invalid session message but does not expire the session
HTTP/1.1 200 OK
Content-Type: application/json
  "message": "Session invalid"

// Attacker continues to use the same session ID, gaining unauthorized access
GET /sensitive-data HTTP/1.1
Cookie: session_id=123ABC

Exploit details

To exploit these combined vulnerabilities, an attacker can create a malicious website that initializes a new session with the IAC-AST250A server and acquires the session ID. The attacker then needs to trick the victim into visiting the malicious website, completing the login process, and using the attacker-initiated session. Once this is completed, the attacker can take control of the victim's session using the acquired session ID, accessing sensitive information and performing actions on behalf of the victim.


The vendor, Lanner Inc, was notified of the vulnerability and has released a firmware update (version 1.10.1) to address the issue. Users of IAC-AST250A devices are urged to apply the update as soon as possible to minimize the risk of being affected by this vulnerability.

Original references

1. CVE-2021-46279 - NVD
2. Lanner Inc IAC-AST250A Product Page
3. Firmware Update - Lanner Inc


The CVE-2021-46279 vulnerability in Lanner Inc's IAC-AST250A firmware highlights the importance of properly managing session IDs and ensuring effective session expiration in web applications. Keeping software and firmware up-to-date is crucial for maintaining a strong security posture and protecting sensitive information in critical environments.


Published on: 10/24/2022 14:15:00 UTC
Last modified on: 10/24/2022 18:40:00 UTC