Session ID Randomness - [OWASP 2010 A 3] vulnerability found on ZCC page

  • 7012764
  • 02-Jul-2013
  • 04-Nov-2013

Environment

Novell ZENworks Configuration Management 11.2.3

Situation

Session IDs with insufficient randomness are vulnerable to brute force session guessing attacks.

Resolution

The URL reported in the bug is https://<server>/zenworks-setup?locale=en, which is not an authenticated URL. The authenticated ZCC URLs generate properly random session IDs through Tomcat. So this is a false positive pertaining to the ZCM setup page, and it does not constitute a vulnerability in ZCM.

Cause

This SmartAttack runs a “Runs Test” algorithm on the observed session IDs and calculates their predictive values (p-values). The SmartAttack reports each session ID that is not found to be sufficiently random.
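As an added example (not part of this TID and not the scanner's own code), the script below applies the NIST SP 800-22 section 2.3 runs test to session IDs pulled from Set-Cookie header lines, so an administrator can check what a server actually issues. That the scanner's "Runs Test" is this NIST formulation is an assumption; the Set-Cookie lines and the session ID values are constructed samples, and the bit string 1001101011 with its p-value of about 0.147 is the worked example from SP 800-22.

```python
"""Runs test (NIST SP 800-22, section 2.3) applied to hex session IDs.

Added example: flags session IDs whose bit pattern has too few or too many
runs (maximal blocks of identical bits) for the proportion of ones observed.
"""
import math
import re
import secrets

ALPHA = 0.01  # NIST significance level: p-value below this => "not random"


def hex_to_bits(session_id: str) -> list:
    """Decode a hex session ID (e.g. a Tomcat JSESSIONID) into a list of bits."""
    raw = bytes.fromhex(session_id)
    return [(byte >> shift) & 1 for byte in raw for shift in range(7, -1, -1)]


def runs_test(bits: list) -> float:
    """Return the runs-test p-value for a bit sequence."""
    n = len(bits)
    if n < 2:
        raise ValueError("need at least two bits")
    pi = sum(bits) / n
    # Frequency prerequisite: when ones and zeros are badly unbalanced the
    # runs test is not applicable and NIST assigns p = 0.
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_obs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def is_sufficiently_random(session_id: str, alpha: float = ALPHA) -> bool:
    """True when the ID passes the runs test at significance level alpha."""
    return runs_test(hex_to_bits(session_id)) >= alpha


COOKIE_RE = re.compile(r"JSESSIONID=([0-9A-Fa-f]+)")


def extract_session_ids(set_cookie_lines) -> list:
    """Pull JSESSIONID values out of Set-Cookie header lines."""
    return [m.group(1) for line in set_cookie_lines for m in [COOKIE_RE.search(line)] if m]


def report(set_cookie_lines, alpha: float = ALPHA) -> dict:
    """Return {session_id: p_value} for every ID that fails the runs test."""
    flagged = {}
    for sid in extract_session_ids(set_cookie_lines):
        p = runs_test(hex_to_bits(sid))
        if p < alpha:
            flagged[sid] = p
    return flagged


# Constructed sample headers (not captured from any real server):
#  - two counter-derived IDs: a zero-padded counter, almost all zero bits
#  - one patterned ID (bytes a5 0f repeated) whose run count happens to be
#    close to the expected value, so the runs test alone does not flag it
#  - one ID from a CSPRNG, as a properly generated 128-bit value
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=00000000000000000000000000000101; Path=/zenworks; HttpOnly",
    "Set-Cookie: JSESSIONID=00000000000000000000000000000102; Path=/zenworks; HttpOnly",
    "Set-Cookie: JSESSIONID=" + "a50f" * 8 + "; Path=/zenworks; HttpOnly",
    "Set-Cookie: JSESSIONID=" + secrets.token_hex(16) + "; Path=/zenworks; HttpOnly",
]

if __name__ == "__main__":
    for sid, p in report(SAMPLE_HEADERS).items():
        print(f"not sufficiently random: {sid} (p={p:.4f})")
```

Two caveats follow from running it. At alpha 0.01 roughly one in a hundred genuinely random IDs fails by chance, so a single flagged ID is not evidence of a weak generator; the failure rate over many sampled IDs is what matters. Conversely the obviously patterned a50f ID passes, so a pass from this one test does not prove randomness either, and the decisive check remains how the server generates the ID, as the Resolution above does by confirming the authenticated URLs use Tomcat's session ID generation.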

Status

Security Alert

Additional Information

Assigned CVE-2013-3699

An attacker might gain unauthorized access to an authenticated user’s session. This can lead to exposure of confidential information, identity theft, and disruption of operations. Users may lose complete control over their accounts. Non-random session IDs make it possible to guess session ID values in a fairly reliable way, which makes session brute forcing easier for the attacker.