
Session hijacking in the WebSocket communication layer #1037

@ale-linux


A session hijacking vulnerability affects the Hyperledger Fabric Smart Client's WebSocket communication layer. The issue arises because the server routes incoming messages to sessions based solely on a combination of SessionID and FromPKID, without verifying the authenticity of the sender. This allows an attacker to inject messages into an existing session by spoofing both values during the WebSocket handshake and message transmission. The vulnerability compromises session integrity and authentication, enabling unauthorized message injection. A proper fix would involve authenticating the peer identity during the WebSocket handshake and binding session routing to verified credentials rather than untrusted metadata.

An attacker exploiting this vulnerability would follow a sequence of steps to hijack an active session between two legitimate nodes. First, they observe or guess a predictable SessionID used in a session between a client and a server. Then, they establish a raw WebSocket connection directly to the server, bypassing the usual Smart Client setup. During the handshake, they spoof the FromPKID to impersonate the legitimate client and set the SessionID to match the target session. Because the server uses only these two fields to identify and route messages, it accepts the stream and delivers the attacker's payload into the existing session, as if it came from the legitimate peer. This allows the attacker to inject arbitrary messages that are received and processed by the honest participant, effectively hijacking the session. The vulnerability stems from the lack of cryptographic binding between the claimed identity and the actual peer initiating the connection.

Labels: bug, comm