Security Vulnerability PEN test reveals Predictable IPCQZX03 Session cookies set by Access Gateway

  • 7015554
  • 19-Aug-2014
  • 19-Aug-2014

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
NetIQ Access Manager Access Gateway

Situation

A PEN test was carried out on session creation on an Access Gateway, and the session cookie it generated was studied for predictability. It was noted that 25 of the 40 fields in the cookie remain the same, whilst 15 are variable. Given this view of the session information, the customer was concerned that it might be possible to predict the next session cookie the AG will set.

Resolution

OWASP recommends a session ID length of at least 128 bits. The Access Gateway session ID is currently 160 bits long, of which 64 bits are random. Because 64 bits of the session ID are truly random, the next valid session ID cannot be guessed.

Quoting from the OWASP page at https://www.owasp.org/index.php/Insufficient_Session-ID_Length:

"Now assume a 128 bit session identifier that provides 64 bits of entropy. With a very large web site, an attacker might try 10,000 guesses per second with 100,000 valid session identifiers available to be guessed. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is greater than 292 years."

NetIQ is evaluating whether the number of random bits can be increased to 128 in a future version.
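To make the arithmetic behind the quoted OWASP figure and the planned change concrete, the following Python is an added example (not part of this TID or of the Access Gateway code). It reproduces the "greater than 292 years" estimate from the 64 random bits that count, shows that the 96 fixed bits of the 160-bit ID contribute nothing, and gives the figure for 128 random bits; the guess rate and number of live sessions are the OWASP assumptions from the quote.

```python
import math

# Average Gregorian year, used to convert seconds to years.
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def expected_years_to_guess(random_bits, guesses_per_second, valid_sessions,
                            total_bits=None):
    """Expected years until a brute-force guesser hits any valid session ID.

    Follows the OWASP reasoning quoted in the TID: only the random bits form
    the search space (total_bits is accepted only to make the point that fixed
    bits do not enlarge it), each guess can match any of `valid_sessions`
    live IDs, and on average half the space is searched before the first hit.
    """
    if total_bits is not None and total_bits < random_bits:
        raise ValueError("random_bits cannot exceed total_bits")
    space = 2 ** random_bits                      # fixed bits are ignored
    expected_guesses = space / (2 * valid_sessions)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def bits_needed(target_years, guesses_per_second, valid_sessions):
    """Smallest number of random bits giving an expected guess time of
    at least target_years under the same model (inverse of the above)."""
    guesses = target_years * SECONDS_PER_YEAR * guesses_per_second
    return math.ceil(math.log2(guesses * 2 * valid_sessions))


if __name__ == "__main__":
    rate, live = 10_000, 100_000                  # OWASP assumptions
    # Access Gateway today: 160-bit ID, 64 random bits -> the OWASP scenario.
    print(f"160-bit ID, 64 random bits:  "
          f"{expected_years_to_guess(64, rate, live, total_bits=160):.0f} years")
    # Planned increase to 128 random bits.
    print(f"128 random bits:             "
          f"{expected_years_to_guess(128, rate, live):.3g} years")
    print(f"Random bits for a 1000-year expected guess time: "
          f"{bits_needed(1000, rate, live)}")
```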