Rest API UUID (122 Bit) and security concerns

book

Article ID: 197228

calendar_today

Updated On:

Products

CA Application Performance Management Agent (APM / Wily / Introscope) CA Application Performance Management (APM / Wily / Introscope) INTROSCOPE DX Application Performance Management

Issue/Introduction

Pen testing was conducted  and it was determined that UUIDs are passed through the APM REST API in the authentication token, which opens up the potential for man-in-the-middle attacks.

Is it possible to ensure that the UUID does not appear in a get-request within the URL and is it to change the generation of the authentication token to a more secure method?

Finding: The APM web interface allows generating API tokens. These seem to be generated according to the UUID v4 specification (RFC 4122). According to this specification, UUIDs should not be used as authentication tokens3:


 "RFC 4122, Section 6
Do not assume that UUIDs are hard to guess; they should not be used as security capa-
bilities (identifiers whose mere possession grants access), for example. A predictable
random number source will exacerbate the Situation.
 
The use of UUIDS as authentication tokens poses an actual threat or not depends on
the specific implementation, which could not be checked in the time frame and scope"

if the APM REST API is utilizing UUIDs according to RFC4122, that is definitely not secure enough when even the creators warn to use these UUIDs as access tokens.

Request: Improve current secure mechanism with an entropy of at least 128 bit (rather 140+).

Cause

This is a request for enhancement

US692398 - AUDI - Rest API UUID (122 Bit) can be used but not for security related purposes in Production

Environment

Release : 10.7

Resolution

No solution or workaround available at the present time.

Additional Information

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/application-performance-management/10-7/api-reference/apm-rest-api.html