Session ID Randomness - [OWASP 2010 A3] vulnerability found on ZCC page

  • 7012764
  • 02-Jul-2013
  • 04-Nov-2013


Novell ZENworks Configuration Management 11.2.3


Session IDs with insufficient randomness are vulnerable to brute force session guessing attacks.


The URL used in the bug is https://<server>/zenworks-setup?locale=en, which is not an authenticated URL. The authenticated ZCC URLs properly generate random session IDs through Tomcat. So this is a false positive with respect to the ZCM setup page, and it does not cause any vulnerability for ZCM.


This SmartAttack runs a "Runs Test" on the observed session IDs and calculates a p-value for each one. The SmartAttack reports every session ID that is not found to be sufficiently random.


Security Alert

Additional Information

Assigned CVE-2013-3699

An attacker might gain unauthorized access to an authenticated user's session. This can lead to exposure of confidential information, identity theft, and disruption of operations. Users may lose complete control over their accounts. Non-random session IDs make it possible to guess session ID values in a fairly reliable way, which makes session brute forcing easier for the attacker.