Environment
Novell ZENworks Configuration Management 11.2.3
Situation
Session IDs with insufficient randomness are vulnerable to brute force session
guessing attacks.
Resolution
The URL used in the bug is https://<server>/zenworks-setup?locale=en, which is not an authenticated URL. The authenticated ZCC URLs we have are properly generating the random session ID via Tomcat. So this is a false positive pertaining to the ZCM setup page.
This will not cause any vulnerability for ZCM.
Cause
This SmartAttack performs a “Runs Test” algorithm on observed session IDs and calculates their predictive values (p-values). The SmartAttack reports each session ID that is not found to be sufficiently random.
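As an added illustration of the Cause section (this is not code from the article or from the scanner): a Wald-Wolfowitz runs test over the concatenated bits of observed session IDs, with a pass/fail verdict at a chosen significance level. The function names and the sample ID sets are constructed for this example.

```python
import math
import secrets

# Constructed example: runs test over the bits of observed session IDs, the
# kind of check a "Runs Test" scanner applies. All names here are our own.

def hex_ids_to_bits(ids):
    """Concatenate hex session IDs into one list of bits (MSB first)."""
    bits = []
    for sid in ids:
        for nibble in sid.strip().lower():
            v = int(nibble, 16)
            bits.extend((v >> 3 & 1, v >> 2 & 1, v >> 1 & 1, v & 1))
    return bits

def count_runs(bits):
    """A run is a maximal block of identical adjacent bits."""
    return 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b) if bits else 0

def runs_test_pvalue(bits):
    """Two-sided p-value of the runs test (normal approximation).
    A constant or too-short sequence returns 0.0 (rejected)."""
    n = len(bits)
    n1 = sum(bits)
    n0 = n - n1
    if n < 2 or n1 == 0 or n0 == 0:
        return 0.0
    r = count_runs(bits)
    mu = 2.0 * n1 * n0 / n + 1.0                      # expected number of runs
    var = 2.0 * n1 * n0 * (2.0 * n1 * n0 - n) / (n * n * (n - 1.0))
    if var <= 0.0:
        return 0.0
    z = (r - mu) / math.sqrt(var)
    # p = 2 * (1 - Phi(|z|)) simplifies to 1 - erf(|z| / sqrt(2))
    return 1.0 - math.erf(abs(z) / math.sqrt(2.0))

def ids_look_random(ids, alpha=0.01):
    """True if the runs test does not reject randomness at level alpha."""
    return runs_test_pvalue(hex_ids_to_bits(ids)) >= alpha

if __name__ == "__main__":
    # Constructed samples: counter-style IDs vs. IDs from a CSPRNG.
    sequential = ["%032x" % i for i in range(1, 65)]
    random_ids = [secrets.token_hex(16) for _ in range(64)]
    for name, ids in (("sequential", sequential), ("csprng", random_ids)):
        p = runs_test_pvalue(hex_ids_to_bits(ids))
        print(f"{name:10s} p-value={p:.3g} pass={ids_look_random(ids)}")
```

The test is statistical, so a set of IDs that passes is not thereby proven unpredictable, and a single CSPRNG sample will occasionally fall below alpha by chance. As the Resolution notes, the first thing to confirm is whether the observed value is an authenticated session's ID at all.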
Status
Security Alert
Additional Information
Assigned CVE-2013-3699
An attacker might gain unauthorized access to an authenticated user’s session. This can lead to exposure of confidential information, identity theft, and disruption of operations. Users may lose complete control over their accounts. Non-random session IDs make it possible to guess session ID values in a fairly reliable way. This makes session brute forcing easier for the attacker.