Access Gateway Appliance security concerns poisoning or tampering cookies

  • 7008342
  • 11-Apr-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Support Pack 3 applied

Situation

Certain URLs are generated during the authentication process between the browser and the Novell Access Gateway servers. These URLs include cookie details, which may be intercepted and modified with the goal of hijacking a user session. One such example is the following:

https://esp.novell.com:443/LAGBroker%3F%2522https://test.int.novell.com:443/pdf/nomerisorsa.pdf%20-CIPCZQX03a36c6c0a=X where X can be identified, modified and/or replayed with any value.

Users could potentially tamper with the request URL and pass something else as the X value above. When this happens, the ics_dyn process ends up doing a 'Set-Cookie' with the value specified, causing the session to be invalidated. Potential checks needed include:

1) check that the cookie is really a valid cookie at the session broker
2) check that this request was indeed sent from the LAG and not by a rogue service

Resolution

Apply Access Manager 3.1 Support Pack 3 Interim Release 1 or greater (3.1.3-273) and enable the following touch files:

1) touch /var/novell/.obfuscateCookieInUrl - this causes this LAG to mangle the cookie whenever it is included in the URL (for cross-domain cases). The reason this is a touch file is to handle the case where one LAG in the cluster is on an older build that does not understand this mangling scheme; if that is the case, infinite redirect loops are possible. It is recommended to enable this touch file only when all the LAG boxes in the cluster are upgraded to this build, i.e. to 3.1.3-273 or greater.

2) touch /var/novell/.checkCrossDomainCookieWithSB - this will cause LAG to check with SessionBroker for the validity of the cookie coming in the URL, before trying to do a 'set-cookie' on the browser.

Note: there is no need to apply configuration changes or restart for these to take effect.
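The following script is an added example and is not part of this TID or of the Access Manager product; it shows how an administrator could script the two touch files so that the cluster-wide caveat on .obfuscateCookieInUrl is enforced rather than remembered. The TID names no command for reading a LAG's build, so the build strings are assumed to be passed in as arguments (for example, as read off the administration console); the directory is a parameter so it can be pointed at /var/novell in production and at a scratch directory when trying it out.

```shell
#!/bin/sh
# Added example, not from the TID: gate the two touch files on the build level
# named in the Resolution. Build strings are supplied as arguments (assumption:
# the page gives no command to read them, so none is invented here).
#
# usage: sh lag_touchfiles.sh DIR LOCAL_BUILD [PEER_BUILD ...]
#   DIR          directory holding the touch files (the TID uses /var/novell)
#   LOCAL_BUILD  build of the LAG this script runs on, e.g. 3.1.3-273
#   PEER_BUILD   build of every other LAG in the cluster

MIN_BUILD="3.1.3-273"   # Access Manager 3.1 SP3 Interim Release 1, from the TID

# build_field STR N: the N-th numeric field of a build "x.y.z-nnn" (0 if absent)
build_field() {
    f=$(printf '%s' "$1" | sed 's/[.-]/ /g' | cut -d' ' -f"$2")
    printf '%s' "${f:-0}"
}

# build_ge A B: succeed when build A is at least build B, compared field by field
# (builds are assumed well-formed: four numeric fields separated by '.' and '-')
build_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        fa=$(build_field "$1" "$i")
        fb=$(build_field "$2" "$i")
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# enable_touch_files DIR LOCAL_BUILD [PEER_BUILD ...]
#   returns 0: both touch files created
#   returns 2: only .checkCrossDomainCookieWithSB created, because a peer is still
#              on an older build and .obfuscateCookieInUrl would risk the redirect
#              loop the TID warns about
#   returns 1: this LAG is below 3.1.3-273; nothing created
enable_touch_files() {
    dir=$1; mine=$2; shift 2
    if ! build_ge "$mine" "$MIN_BUILD"; then
        echo "local build $mine is below $MIN_BUILD; apply SP3 IR1 first" >&2
        return 1
    fi
    # The session-broker check depends only on this LAG's own build.
    touch "$dir/.checkCrossDomainCookieWithSB"
    # Cookie mangling in the URL must be understood by every LAG in the cluster.
    for peer in "$@"; do
        if ! build_ge "$peer" "$MIN_BUILD"; then
            echo "peer on build $peer cannot parse mangled cookies; skipping .obfuscateCookieInUrl" >&2
            return 2
        fi
    done
    touch "$dir/.obfuscateCookieInUrl"
    return 0
}

# Stand-alone use, e.g.: sh lag_touchfiles.sh /var/novell 3.1.3-273 3.1.3-273 3.1.3-280
if [ "$#" -ge 2 ]; then
    enable_touch_files "$@"
fi
```

Neither file requires a configuration apply or a restart, as the note above says, so the script can be re-run after the last cluster member is upgraded to add .obfuscateCookieInUrl without any further action.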

Additional Information

Credit for reporting this issue goes to Alessandro Armando (U. of Genova and FBK), Roberto Carbone (FBK) and Fabio Carraro (U. of Genova), in the context of the SPaCIoS and SIAM Projects and a research contract sponsored by Datasiel.